LDAPPASSWD(1)               General Commands Manual              LDAPPASSWD(1)

NAME

       ldappasswd - change the password of an LDAP entry

SYNOPSIS

       ldappasswd [-V[V]] [-d debuglevel] [-n] [-v] [-A] [-a oldPasswd]
       [-t oldpasswdfile] [-S] [-s newPasswd] [-T newpasswdfile] [-x]
       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri]
       [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=optparam]]
       [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm]
       [-X authzid] [-Y mech] [-Z[Z]] [user]

DESCRIPTION

       ldappasswd is a tool to set the password of an LDAP user.  ldappasswd
       uses the LDAPv3 Password Modify (RFC 3062) extended operation.

       ldappasswd sets the password associated with the user [or an
       optionally specified user].  If the new password is not specified on
       the command line and the user doesn't enable prompting, the server
       will be asked to generate a password for the user.

       ldappasswd is neither designed nor intended to be a replacement for
       passwd(1) and should not be installed as such.

OPTIONS

       -V[V]  Print version info.  If -VV is given, only the version
              information is printed.

       -d debuglevel
              Set the LDAP debugging level to debuglevel.  ldappasswd must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -n     Do not set password. (Can be useful when used in conjunction
              with -v or -d)

       -v     Increase the verbosity of output.  Can be specified multiple
              times.

       -A     Prompt for old password.  This is used instead of specifying the
              password on the command line.

       -a oldPasswd
              Set the old password to oldPasswd.

       -t oldPasswdFile
              Set the old password to the contents of oldPasswdFile.

       -S     Prompt for new password.  This is used instead of specifying the
              password on the command line.

       -s newPasswd
              Set the new password to newPasswd.

       -T newPasswdFile
              Set the new password to the contents of newPasswdFile.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.
              For SASL binds, the server is expected to ignore this value.

       -W     Prompt for bind password.  This is used instead of specifying
              the password on the command line.

       -w passwd
              Use passwd as the password to bind with.

       -y passwdfile
              Use complete contents of passwdfile as the password for simple
              authentication.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); only the
              protocol/host/port fields are allowed; a list of URI, separated
              by whitespace or commas is expected.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and passwd modify extensions
              with -E.  '!' indicates criticality.

              General extensions:
                [!]assert=<filter>    (an RFC 4515 Filter)
                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
                [!]bauthzid           (RFC 3829 authzid control)
                [!]chaining[=<resolve>[/<cont>]]
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                [!]relax
                sessiontracking[=<username>]
                abandon,cancel,ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

              Passwd Modify extensions:
                (none)

       -o opt[=optparam]

              Specify any ldap.conf(5) option or one of the following:
                nettimeout=<timeout>  (in seconds, or "none" or "max")
                ldif_wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode.  Always prompt.  Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -N     Do not use reverse DNS to canonicalize SASL host name.

       -U authcid
              Specify the authentication ID for SASL bind. The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of authentication ID for SASL bind.  The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind.  authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>.

       -Y mech
              Specify the SASL mechanism to be used for authentication. If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
              you use -ZZ, the command will require the operation to be
              successful.
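
       The options -a, -s and -w put a password on the command line, while
       -t, -T and -y read it from a file, and -y is documented as using the
       complete contents of that file.  The wrapper below is an added example,
       not part of the OpenLDAP manual page or distribution: it rejects
       password files that are accessible to group or other, or that end in a
       newline (which would be sent as part of the password), and then runs
       ldappasswd with -ZZ.  The function names, the LDAPPASSWD override
       variable, and the URI and DNs in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for files passed to ldappasswd -y/-t/-T.

# check_pwfile FILE
# Succeeds only if FILE is a non-empty regular file, carries no group/other
# permission bits, and does not end in a newline.
check_pwfile() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "$f: empty password file" >&2; return 1
    fi
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f") || return 1
    case $mode in
        [0-7]00) ;;
        *) echo "$f: mode $mode is accessible to group/other" >&2; return 1 ;;
    esac
    # -y takes the complete file contents, so a trailing newline would be
    # sent to the server as part of the password.
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then
        echo "$f: ends with a newline; write it with printf '%s'" >&2; return 1
    fi
    return 0
}

# safe_ldappasswd URI BINDDN BINDPWFILE NEWPWFILE USERDN
# LDAPPASSWD (hypothetical override) names the binary to run.
safe_ldappasswd() {
    [ $# -eq 5 ] || { echo "usage: safe_ldappasswd URI BINDDN BINDPWFILE NEWPWFILE USERDN" >&2; return 2; }
    check_pwfile "$3" || return 1
    check_pwfile "$4" || return 1
    # -x simple bind; -ZZ require StartTLS to succeed; -y/-T keep both
    # passwords out of the argument list.
    "${LDAPPASSWD:-ldappasswd}" -x -ZZ -H "$1" -D "$2" -y "$3" -T "$4" "$5"
}

# Usage (constructed values):
#   umask 077; printf '%s' "$BIND_PW" > bind.pw; printf '%s' "$NEW_PW" > new.pw
#   safe_ldappasswd ldap://ldap.example.com "cn=admin,dc=example,dc=com" \
#       bind.pw new.pw "uid=jdoe,ou=people,dc=example,dc=com"
```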

SEE ALSO

       ldap_sasl_bind(3), ldap_extended_operation(3), ldap_start_tls_s(3)

AUTHOR

       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.3                    2022/07/14                     LDAPPASSWD(1)