1LDAPPASSWD(1) General Commands Manual LDAPPASSWD(1)
2
3
4
6 ldappasswd - change the password of an LDAP entry
7
9 ldappasswd [-V[V]] [-d debuglevel] [-n] [-v] [-A] [-a oldPasswd]
10 [-t oldpasswdfile] [-S] [-s newPasswd] [-T newpasswdfile] [-x]
11 [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
12 [-p ldapport] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
13 [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N] [-U auth‐
14 cid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] [user]
15
17 ldappasswd is a tool to set the password of an LDAP user. ldappasswd
18 uses the LDAPv3 Password Modify (RFC 3062) extended operation.
19
20 ldappasswd sets the password of associated with the user [or an option‐
21 ally specified user]. If the new password is not specified on the com‐
22 mand line and the user doesn't enable prompting, the server will be
23 asked to generate a password for the user.
24
25 ldappasswd is neither designed nor intended to be a replacement for
26 passwd(1) and should not be installed as such.
27
29 -V[V] Print version info. If -VV is given, only the version informa‐
30 tion is printed.
31
32 -d debuglevel
33 Set the LDAP debugging level to debuglevel. ldappasswd must be
34 compiled with LDAP_DEBUG defined for this option to have any ef‐
35 fect.
36
37 -n Do not set password. (Can be useful when used in conjunction
38 with -v or -d)
39
40 -v Increase the verbosity of output. Can be specified multiple
41 times.
42
43 -A Prompt for old password. This is used instead of specifying the
44 password on the command line.
45
46 -a oldPasswd
47 Set the old password to oldPasswd.
48
49 -t oldPasswdFile
50 Set the old password to the contents of oldPasswdFile.
51
52 -S Prompt for new password. This is used instead of specifying the
53 password on the command line.
54
55 -s newPasswd
56 Set the new password to newPasswd.
57
58 -T newPasswdFile
59 Set the new password to the contents of newPasswdFile.
60
61 -x Use simple authentication instead of SASL.
62
63 -D binddn
64 Use the Distinguished Name binddn to bind to the LDAP directory.
65 For SASL binds, the server is expected to ignore this value.
66
67 -W Prompt for bind password. This is used instead of specifying
68 the password on the command line.
69
70 -w passwd
71 Use passwd as the password to bind with.
72
73 -y passwdfile
74 Use complete contents of passwdfile as the password for simple
75 authentication.
76
77 -H ldapuri
78 Specify URI(s) referring to the ldap server(s); only the proto‐
79 col/host/port fields are allowed; a list of URI, separated by
80 whitespace or commas is expected.
81
82 -h ldaphost
83 Specify an alternate host on which the ldap server is running.
84 Deprecated in favor of -H.
85
86 -p ldapport
87 Specify an alternate TCP port where the ldap server is listen‐
88 ing. Deprecated in favor of -H.
89
90 -e [!]ext[=extparam]
91
92 -E [!]ext[=extparam]
93
94 Specify general extensions with -e and passwd modify extensions
95 with -E. ´!´ indicates criticality.
96
97 General extensions:
98 [!]assert=<filter> (an RFC 4515 Filter)
99 !authzid=<authzid> ("dn:<dn>" or "u:<user>")
100 [!]bauthzid (RFC 3829 authzid control)
101 [!]chaining[=<resolve>[/<cont>]]
102 [!]manageDSAit
103 [!]noop
104 ppolicy
105 [!]postread[=<attrs>] (a comma-separated attribute list)
106 [!]preread[=<attrs>] (a comma-separated attribute list)
107 [!]relax
108 sessiontracking
109 abandon,cancel,ignore (SIGINT sends abandon/cancel,
110 or ignores response; if critical, doesn't wait for SIGINT.
111 not really controls)
112
113 Passwd Modify extensions:
114 (none)
115
116 -o opt[=optparam]]
117
118 Specify any ldap.conf(5) option or one of the following:
119 nettimeout=<timeout> (in seconds, or "none" or "max")
120 ldif_wrap=<width> (in columns, or "no" for no wrapping)
121
122
123 -O security-properties
124 Specify SASL security properties.
125
126 -I Enable SASL Interactive mode. Always prompt. Default is to
127 prompt only as needed.
128
129 -Q Enable SASL Quiet mode. Never prompt.
130
131 -N Do not use reverse DNS to canonicalize SASL host name.
132
133 -U authcid
134 Specify the authentication ID for SASL bind. The form of the ID
135 depends on the actual SASL mechanism used.
136
137 -R realm
138 Specify the realm of authentication ID for SASL bind. The form
139 of the realm depends on the actual SASL mechanism used.
140
141 -X authzid
142 Specify the requested authorization ID for SASL bind. authzid
143 must be one of the following formats: dn:<distinguished name> or
144 u:<username>.
145
146 -Y mech
147 Specify the SASL mechanism to be used for authentication. If
148 it's not specified, the program will choose the best mechanism
149 the server knows.
150
151 -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If
152 you use -ZZ, the command will require the operation to be suc‐
153 cessful
154
156 ldap_sasl_bind(3), ldap_extended_operation(3), ldap_start_tls_s(3)
157
159 The OpenLDAP Project <http://www.openldap.org/>
160
162 OpenLDAP Software is developed and maintained by The OpenLDAP Project
163 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
164 versity of Michigan LDAP 3.3 Release.
165
166
167
168OpenLDAP 2.4.57 2021/01/18 LDAPPASSWD(1)