1LDAPPASSWD(1)               General Commands Manual              LDAPPASSWD(1)
2
3
4

NAME

6       ldappasswd - change the password of an LDAP entry
7

SYNOPSIS

9       ldappasswd   [-V[V]]  [-d debuglevel]  [-n]  [-v]  [-A]  [-a oldPasswd]
10       [-t oldpasswdfile]   [-S]   [-s newPasswd]   [-T newpasswdfile]    [-x]
11       [-D binddn]     [-W]     [-w passwd]    [-y passwdfile]    [-H ldapuri]
12       [-e [!]ext[=extparam]]    [-E [!]ext[=extparam]]    [-o opt[=optparam]]
13       [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm] [-X au‐
14       thzid] [-Y mech] [-Z[Z]] [user]
15

DESCRIPTION

17       ldappasswd is a tool to set the password of an LDAP  user.   ldappasswd
18       uses the LDAPv3 Password Modify (RFC 3062) extended operation.
19
20       ldappasswd sets the password of associated with the user [or an option‐
21       ally specified user].  If the new password is not specified on the com‐
22       mand  line  and  the  user doesn't enable prompting, the server will be
23       asked to generate a password for the user.
24
25       ldappasswd is neither designed nor intended to  be  a  replacement  for
26       passwd(1) and should not be installed as such.
27

OPTIONS

29       -V[V]  Print  version info.  If -VV is given, only the version informa‐
30              tion is printed.
31
32       -d debuglevel
33              Set the LDAP debugging level to debuglevel.  ldappasswd must  be
34              compiled with LDAP_DEBUG defined for this option to have any ef‐
35              fect.
36
37       -n     Do not set password. (Can be useful  when  used  in  conjunction
38              with -v or -d)
39
40       -v     Increase  the  verbosity  of  output.  Can be specified multiple
41              times.
42
43       -A     Prompt for old password.  This is used instead of specifying the
44              password on the command line.
45
46       -a oldPasswd
47              Set the old password to oldPasswd.
48
49       -t oldPasswdFile
50              Set the old password to the contents of oldPasswdFile.
51
52       -S     Prompt for new password.  This is used instead of specifying the
53              password on the command line.
54
55       -s newPasswd
56              Set the new password to newPasswd.
57
58       -T newPasswdFile
59              Set the new password to the contents of newPasswdFile.
60
61       -x     Use simple authentication instead of SASL.
62
63       -D binddn
64              Use the Distinguished Name binddn to bind to the LDAP directory.
65              For SASL binds, the server is expected to ignore this value.
66
67       -W     Prompt  for  bind  password.  This is used instead of specifying
68              the password on the command line.
69
70       -w passwd
71              Use passwd as the password to bind with.
72
73       -y passwdfile
74              Use complete contents of passwdfile as the password  for  simple
75              authentication.
76
77       -H ldapuri
78              Specify  URI(s) referring to the ldap server(s); only the proto‐
79              col/host/port fields are allowed; a list of  URI,  separated  by
80              whitespace or commas is expected.
81
82       -e [!]ext[=extparam]
83
84       -E [!]ext[=extparam]
85
86              Specify  general extensions with -e and passwd modify extensions
87              with -E.  ´!´ indicates criticality.
88
89              General extensions:
90                [!]assert=<filter>    (an RFC 4515 Filter)
91                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
92                [!]bauthzid           (RFC 3829 authzid control)
93                [!]chaining[=<resolve>[/<cont>]]
94                [!]manageDSAit
95                [!]noop
96                ppolicy
97                [!]postread[=<attrs>] (a comma-separated attribute list)
98                [!]preread[=<attrs>]  (a comma-separated attribute list)
99                [!]relax
100                sessiontracking[=<username>]
101                abandon,cancel,ignore (SIGINT sends abandon/cancel,
102                or ignores response; if critical, doesn't wait for SIGINT.
103                not really controls)
104
105              Passwd Modify extensions:
106                (none)
107
108       -o opt[=optparam]]
109
110              Specify any ldap.conf(5) option or one of the following:
111                nettimeout=<timeout>  (in seconds, or "none" or "max")
112                ldif_wrap=<width>     (in columns, or "no" for no wrapping)
113
114
115       -O security-properties
116              Specify SASL security properties.
117
118       -I     Enable SASL Interactive mode.  Always  prompt.   Default  is  to
119              prompt only as needed.
120
121       -Q     Enable SASL Quiet mode.  Never prompt.
122
123       -N     Do not use reverse DNS to canonicalize SASL host name.
124
125       -U authcid
126              Specify  the authentication ID for SASL bind. The form of the ID
127              depends on the actual SASL mechanism used.
128
129       -R realm
130              Specify the realm of authentication ID for SASL bind.  The  form
131              of the realm depends on the actual SASL mechanism used.
132
133       -X authzid
134              Specify  the  requested authorization ID for SASL bind.  authzid
135              must be one of the following formats: dn:<distinguished name> or
136              u:<username>.
137
138       -Y mech
139              Specify  the  SASL  mechanism  to be used for authentication. If
140              it's not specified, the program will choose the  best  mechanism
141              the server knows.
142
143       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
144              you use -ZZ, the command will require the operation to  be  suc‐
145              cessful
146

SEE ALSO

148       ldap_sasl_bind(3), ldap_extended_operation(3), ldap_start_tls_s(3)
149

AUTHOR

151       The OpenLDAP Project <http://www.openldap.org/>
152

ACKNOWLEDGEMENTS

154       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
155       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
156       versity of Michigan LDAP 3.3 Release.
157
158
159
160OpenLDAP 2.6.2                    2022/05/04                     LDAPPASSWD(1)
Impressum