19.3. Changing Passwords Stored Externally

While most passwords can be changed through the Console and other Directory Server features or through the ldapmodify operation, there are some passwords that cannot be changed through regular LDAP operations. These passwords may be stored outside the Directory Server, such as passwords stored in a SASL application. These passwords can be modified through the password change extended operation.
Directory Server supports the password change extended operation as defined in RFC 3062, so users can change their passwords, using a suitable client, in a standards-compliant way. The ldappasswd utility passes the changes for the password for the specified user:
# ldappasswd -x -D bind_dn -W -p server_port -h server_hostname [-a oldPassword] [-s newPassword] [user]


Password operations must be performed over a secure connection, meaning SASL, TLS, or Start TLS. For information on using secure connections with LDAP client tools, see Section 9.8.4, “Authenticating Using a Certificate”.

Table 19.1. ldappasswd Options

Parameter Description
-h Gives the host name of the Directory Server.
-p Gives the port number of the Directory Server. Since TLS is required for password change operations, this is usually give the TLS port of the Directory Server. With the -ZZ or -ZZZ for Start TLS, this can be the standard port.
-D Gives the bind DN.
-w Gives the password for the bind DN.
-x Disables SASL to allow a simple bind over an TLS connection.
-a Optional. Gives the old password, which is being changed.
-s Optional. Sets the new password.
user Optional. Gives the DN of the user entry for which to change the password.
To use Start TLS, which runs the command on a non-secure port, run ldappasswd with the -ZZ option and the standard LDAP port number. The password extended change operation has the following format:
# ldappasswd -x -D bind_dn -W -p server_port -h server_hostname -Z [-a oldPassword] [-s newPassword] [user]


For Start TLS connections to work, the TLS environment variables must be configured as described in Section 9.8.4, “Authenticating Using a Certificate”.
Use the -ZZ option to force the connection to be successful.
To modify an entry's password, run ldappasswd like any other LDAP operation. It is not necessary to specify a user if the account is the same as that given in the bind DN. For example:
# ldappasswd -x -h ldap.example.com -p 389 -ZZ -D "uid=jsmith,ou=People,dc=example,dc=com" -W -s newpassword
To change the password on an entry other than the one specified in the bind credentials, run ldappasswd as shown below, adding the user DN to the operation and providing separate credentials, as follows:
# ldappasswd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -ZZ -s newpassword "uid=jsmith,ou=People,dc=example,dc=com"
Access control is enforced for the password change operation. If the bind DN does not have rights to change the specified password, the operation will fail with an Insufficient rights error.