Directory Server 6 and ldappasswd
By Ludo on Apr 13, 2007
Sun Java System Directory Server 6.0 now supports RFC 3062 : LDAP Password Modify Extended Operation, and a new tool is delivered as part of Directory Server Enterprise Edition 6.0 to take advantage of it: ldappasswd.
ldappasswd allows a user or an administrator to change the password of any account. Of course, by default a set of restrictions is configure to prevent malicious use of this feature.
In order to be usable by users other than administrators, the Password Modify Extended Operation requires to add some specific ACI under cn=config.
An example of ACI for the Password Modify Extended operation is presented in the Directory Server Enterprise Edition Administration Manual.
But to allow any authenticated user to change its own password with this tool, the Directory Administrator must add the following entry and ACI, in addition to the usual ACI that allows self write on the userPassword attribute:
cn: Password Modify Extended Op Access Control
aci: (targetattr != "aci"(version 3.0; acl "Allow Password Change
Extended Op to all auth users"; allow( read , search, compare, proxy )
(userdn = "ldap:///all" and authmethod = "SSL"
Note that this ACI will require that ldappasswd be used with SSL (which is a good thing if you want to avoid passwords being transfered in cleartext on the network).
Now I can change my own password in LDAP with the tool:
ldappasswd -h <host> -p <port> -D "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=Com" -A -S -Z \\
-P /home/ludo/security -N "LudoCert" -W keypasswd "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=com"
Old Password: myOldPasswd
New Password: aNewOne
Re-enter new Password: aNewOne
ldappasswd: password successfully changed