OpenLDAP operations (ldappasswd).

Introduction.

In this post we will see how we can reset passwords for our OpenLDAP users using the special utility ldappasswd.

Change user password using admin credentials.

When it comes to resetting user passwords, the most common case is to reset a user's password by providing our admin credentials. Let's change the password for the user with DN cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org. The following command will reset the user's password using cn=admin,dc=geekstuff,dc=org as the Bind DN:

ldappasswd -x -D "cn=admin,dc=geekstuff,dc=org" -W -S "cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org"

We use the -S option to make it prompt for the new password. Another option is to use -s, in which case we have to provide the new password in the command itself (where it may end up in the shell history and be visible to other users in the process list):

ldappasswd -x -D "cn=admin,dc=geekstuff,dc=org" -W -s password "cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org"

Change user password using user credentials.

Users can also reset their passwords themselves. To do this they have to specify their old password, their new password and their DN. Admin credentials are NOT required in this case. The following command will change the password for the user with DN cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org:

ldappasswd -x -D "cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org" -W -S

We use the user's DN (cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org) as the Bind DN. Then we use the flags -W (prompts for the current password for authentication) and -S (prompts for the new password).

Another option is to provide passwords in the command itself:

ldappasswd -x -D "cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org" -w old_password -s new_password

Change user password using ldapmodify.

Another way to change the password is to use the ldapmodify utility. This utility modifies LDAP entries by taking new values for any attributes in LDIF format. As the user password is just another attribute (userPassword), it is possible to set a new password using ldapmodify.

First, let’s create an LDIF file set_pass.ldif specifying which entry and which attributes we want to modify. The file should look like this:

dn: cn=John Doe,ou=users,dc=geekstuff,dc=org
changetype: modify
replace: userPassword
userPassword: new_password

The first line specifies which entry we want to modify. The next line, changetype: modify, indicates that we want to modify the entry (we could also delete the entry by using changetype: delete). The line replace: userPassword indicates that we are going to change the value of the attribute userPassword. The final line sets the actual value of the attribute userPassword to new_password.
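Unlike ldappasswd, which uses the Password Modify extended operation and lets slapd hash the new value, ldapmodify stores userPassword exactly as written, so the LDIF above would store new_password in clear text unless the server is configured to hash it. The following Python example is added here and is not from the original post (on a real server slappasswd does the same job): it generates a salted {SSHA} value, checks it the way slapd would, and writes the same modify LDIF with the hashed value; the DN and password are the post's sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample DN, mirroring the post's set_pass.ldif example.
SAMPLE_DN = "cn=John Doe,ou=users,dc=geekstuff,dc=org"


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd also picks a random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a {SSHA} value the way slapd does: split digest and salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def build_password_ldif(dn, hashed):
    """Produce the same modify LDIF as set_pass.ldif, but with a hashed userPassword."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {hashed}\n"
    )


if __name__ == "__main__":
    # Write the file the post feeds to: ldapmodify -x -D "cn=admin,..." -W -f set_pass.ldif
    hashed = ssha_hash("new_password")
    with open("set_pass.ldif", "w", encoding="utf-8") as fh:
        fh.write(build_password_ldif(SAMPLE_DN, hashed))
    print(build_password_ldif(SAMPLE_DN, hashed))
```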

Now let’s import that data by running ldapmodify command:

ldapmodify -x -D "cn=admin,dc=geekstuff,dc=org" -W -f set_pass.ldif

The -f flag is followed by the name of the file with the LDIF data. As you can see below, the command has been run successfully:

Conclusion.

Now you know how to reset passwords in OpenLDAP using ldapmodify and ldappasswd.
