Self password changes requiring current passwords
If you set the password-change-requires-current-password property to true, users must provide their current password when choosing a new password.
You can make these password changes using either a regular LDAP modify operation or a password modify extended operation.
For either method:
Refer to the
LDAP modify operation
For a regular LDAP modify operation, the password change request must include modifications to delete the user’s current password and add their new password.
The following example uses the ldapmodify tool to change a user's password:
$ bin/ldapmodify --hostname server.example.com --port 636 --useSSL \
    --bindDN "cn=admin,dc=example,dc=com" --bindPassword <bindPassword>
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: <currentPassword>
-
add: userPassword
userPassword: <newPassword>
-
The following example uses the ldappasswordmodify tool with the --passwordChangeMethod ldap-modify argument to change a user's password:
$ bin/ldappasswordmodify --hostname server.example.com --port 636 --useSSL \
    --bindDN "cn=admin,dc=example,dc=com" --bindPassword <bindPassword> \
    --userIdentity uid=jdoe,ou=People,dc=example,dc=com \
    --oldPassword <currentPassword> \
    --newPassword <newPassword> \
    --passwordChangeMethod ldap-modify
In the previous example, the
Password modify extended operation
Alternatively, you can use the password modify extended operation, as described in RFC 3062, to update user passwords. There are two implementation methods:
- For integration with a custom user account management application, use the UnboundID LDAP SDK for Java or another LDAP client API.
- For the server CLI implementation, use the ldappasswordmodify tool with the --passwordChangeMethod password-modify-extended-operation argument.
Advantages over LDAP modify
The password modify extended operation has several advantages over a regular LDAP modify operation, including:
- The user doesn't have to know their full DN or the name of the attribute used to store their encoded password.
- If the user's password policy is configured with allow-expired-password-changes set to true, the user can reset their expired password. This type of request must include a value for userIdentity.
- The server can automatically generate a new password for the target user.
- A user can recover access to their account by providing a server-generated password reset token instead of their current password.
You need to configure the server to support this operation.
Using the extended operation
The following table describes the attributes related to the password modify extended operation:
Attribute | Description
---|---
userIdentity | Indicates the user whose password you are changing. You can supply one of the following values:
oldPassword | Indicates the current user password.
newPassword | Indicates the new user password.
The following example uses ldappasswordmodify to target a user by DN and set a new password:
$ bin/ldappasswordmodify --hostname ds.example.com --port 636 --useSSL \
    --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt \
    --userIdentity uid=jdoe,ou=People,dc=example,dc=com \
    --oldPassword <currentPassword> \
    --newPassword <newPassword> \
    --passwordChangeMethod password-modify-extended-operation
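To make the RFC 3062 request described above concrete, here is an added example (not part of this documentation, and not the UnboundID LDAP SDK or the server's own code) that hand-encodes and decodes the extended operation's request value, carrying the userIdentity, oldPassword and newPassword attributes from the table above, and its response value, which carries the server-generated password when the server chose one. It shows why a server can enforce password-change-requires-current-password on this path: the current password travels as the tagged [1] field, and its absence is visible to the server before any change is made.

```python
# Added illustration, not the UnboundID LDAP SDK's or the server's code:
# hand-written BER for the RFC 3062 password modify request/response values.
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName from RFC 3062
# Context-specific tags from the RFC's ASN.1; the response value uses [0] genPasswd.
REQUEST_TAGS = {0x80: "userIdentity", 0x81: "oldPassword", 0x82: "newPassword"}

def _ber_len(n):  # short form below 128, else 0x8N followed by N length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf, pos=0, expect=None):
    """Return (tag, value, next position) for the TLV at pos; check tag if asked."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if expect is not None and tag != expect:
        raise ValueError("unexpected tag 0x%02x" % tag)
    return tag, buf[pos:pos + length], pos + length

def encode_request_value(user_identity=None, old_password=None, new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE of the optional tagged fields."""
    fields = (user_identity, old_password, new_password)
    parts = b"".join(_tlv(tag, f.encode("utf-8"))
                     for tag, f in zip(REQUEST_TAGS, fields) if f is not None)
    return _tlv(0x30, parts)

def decode_request_value(value):
    """Parse a request value into a dict; absent optional fields map to None."""
    _, body, end = _read_tlv(value, expect=0x30)
    if end != len(value):
        raise ValueError("trailing bytes after the SEQUENCE")
    fields, pos = dict.fromkeys(REQUEST_TAGS.values()), 0
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        if tag not in REQUEST_TAGS:
            raise ValueError("unexpected tag 0x%02x" % tag)
        fields[REQUEST_TAGS[tag]] = field.decode("utf-8")
    return fields

def decode_response_value(value):
    """PasswdModifyResponseValue: the server-generated password, or None."""
    _, body, _ = _read_tlv(value, expect=0x30)
    if not body:
        return None  # no genPasswd: the client chose the new password itself
    _, gen, _ = _read_tlv(body, expect=0x80)
    return gen.decode("utf-8")
```

A request decoded with oldPassword equal to None is exactly what a server configured with password-change-requires-current-password set to true must reject for a self-change.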