| Exit Print View | |
Sun OpenDS Standard Edition 2.2 Command-Line Usage Guide |
|
|
|
The ldappasswordmodify command modifies LDAP passwords.
ldappasswordmodify options
The ldappasswordmodify command can be used to change or reset user passwords with the LDAP password modify extended operation as defined in RFC 3062.
Using this mechanism for changing user passwords offers a number of benefits over a simple LDAP modify operation targeted at the password attribute, including the following:
Changing one's own password. The command allows a user to change his own password even after it has expired, provided that this capability is allowed in that user's password policy.
Supplying clear-text password. The command provides a mechanism for supplying the clear-text version of the current password for further validation of the user's identity.
Using authorization ID. When changing a user's password, the user can be specified by using an authorization ID (prefixed by dn: or u:) in addition to a full DN.
Generating passwords. If a new password is not provided, then the server can generate one for the user, provided that this capability is allowed in that user's password policy.
The ldappasswordmodify command accepts an option in either its short form (for example, -D bindDN) or its long form equivalent (for example, --bindDN bindDN).
Specify an authorization ID for the user whose password is to be changed. The authorization ID can be in the form dn: followed by the DN of the target user, or u: followed by the user name of the target user. If this option is not provided, then no authorization ID will be included in the request and the password for the authenticated user will be changed. This option must not be used in conjunction with the --provideDNForAuthzID option.
Indicate that the bind DN should be used as the authorization ID for the password modify operation. This option must not be used in conjunction with the --authzID option.
Specify the current password for the user. It must not be used in conjunction with --currentPasswordFile. The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.
Read the current password from the specified file. It must not be used in conjunction with --currentPassword. The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.
Perform a search with the specified control in search requests sent to the directory server. This option makes it possible to include arbitrary request controls that the client cannot directly support. The value for this option must be in the form:
oid[:criticality[:value|::b64value|:<fileurl]]
The elements of this value include:
Use the OID for the control. For certain types of controls, a text name may be used instead of the numeric OID (for search operations, this includes managedsait for the manage DSA IT control). This element is required. Human-readable names can be used in place of the OID to reference controls that do not require values using the -J or control option. These OID names are the following:
Use in place of the Account Usability Request Control OID: 1.3.6.1.4.1.42.2.27.9.5.8 (no value)
Use in place of the Authorization Identity Request Control OID: 2.16.840.1.113730.3.4.16 (no value)
Use in place of the Get Effective Rights Control OID: 1.3.6.1.4.1.42.2.27.9.5.2 (value = authorization ID)
Use in place of the Manage DSA IT Control OID: 2.16.840.1.113730.3.4.2 (no value)
Use in place of the LDAP No-op Control OID: 1.3.6.1.4.1.4203.1.10.2 (no value)
Use in place of the Password Policy Request OID: 1.3.6.1.4.1.42.2.27.8.5.1 (no value)
Use in place of the Subtree Delete Request Control OID: 1.2.840.113556.1.4.805 (no value)
If true, the control should be marked critical (meaning that the directory server should not process the operation unless it can meet the requirements of this control). If false, the control should not be marked critical. If this subcommand is not provided, then the control is not marked critical.
Specifies the value for the control. This form should only be used if the value can be expressed as a string. It must not be used in conjunction with either the ::b64value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.
Specifies the value for the control in base64-encoded form. This subcommand must not be used in conjunction with either the :value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.
Specifies a URL that references a file from which the value of the control should be taken. It must not be used in conjunction with either the :value or ::b64value forms. If none of these subcommands is present, then the control will not have a value.
For example, the value 1.3.6.4.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com will include a critical control with an OID of 1.3.6.4.42.2.27.9.5.2, marked as critical (true), and with a string value for the authorization ID dn:uid=dmiller,ou=people,dc=example,dc=com. Or, you can use the OID names: effectiverights:true:dn:uid=dmiller,ou=people,dc=example,dc=com.
Specify the new password that should be assigned to the target user. This option must not be used in conjunction with --newPasswordFile. If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.
Read the new password from the specified file that should be assigned to the target user. This option must not be used in conjunction with --newPassword. If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.
Use the certificate for certificate-based client authentication.
Use the DN when binding to the directory server through simple authentication. If this option is not provided, then the --authzID option must be used to specify the authorization ID for the target user, and either the --currentPassword or --currentPasswordFile option must be provided to specify the current password for the user. (This mode of use will be required for users to change their passwords after the passwords have expired.)
Contact the directory server on the specified host name or IP address. If it is not provided, then a default address of localhost will be used.
Use the bind password in the specified file when authenticating to the directory server. The option is used for simple authentication, as well as for password-based SASL mechanisms such as CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if no authentication is to be performed. This option must not be used in conjunction with --bindPassword.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the client keystore certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option should only be necessary if the client needs to present a certificate to the directory server, for example, when using SASL EXTERNAL authentication.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the specified option when performing SASL authentication. Multiple SASL options can be provided by using this option multiple times, once for each option. See Using SASL Authentication in Sun OpenDS Standard Edition 2.2 Administration Guide for more information.
Contact the directory server at the specified port. If this option is not provided, then a default port of 389 will be used.
Use the client trust store certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.
Use the StartTLS extended operation when communicating with the directory server. This option must not be used in conjunction with --useSSL.
Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile.
Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword.
Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword.
Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile. To prompt for the password, type -w -.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile.
Trust any certificate that the directory server might present during SSL or StartTLS negotiation. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.
Use the Secure Sockets Layer when communicating with the directory server. If SSL is to be used, then the --port option should be used to specify the server's secure port.
Indicate that a properties file will not be used to get the default command-line options.
Specify the path to the properties file that contains the default command-line options.
Display command-line usage information for the command and exit without making any attempt to run the command.
Display the version information for the directory server.
The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system. See Sun OpenDS Standard Edition System Requirements in Sun OpenDS Standard Edition 2.2 Installation Guide for more information.
The following command connects to the host (-h) using port 1389 (-p), specifies the authorization ID uid=abergin (-a) of an administrator, specifies the user's current password file (-C), and changes it with a new one specified in a new password file (-N). For Windows platforms, use the file paths where your current and new passwords exist, respectively. For example, use -C \temp\currentPasswordFile and -N \temp\newPasswordFile.
$ ldappasswordmodify -h hostname -p 1389 -a "dn:uid=abergin,ou=People,dc=example,dc=com" \ -C /tmp/currentPasswordFile -N /tmp/newPasswordFile The LDAP password modify operation was successful
The following command connects to the host (-h) using port 1389 (-p), specifies the bind DN (-D), specifies the bind password file (-j), and modifies and generates a password for another user (-a) connecting over simple authentication. For Windows platforms, specify the file where the bind password file resides, for example, -j \temp\bindPasswordFile.
$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile \ -a "dn:uid=abergin,ou=People,dc=example,dc=com" The LDAP password modify operation was successful Generated Password: blb44hjm
The following command connects to the host (-h) using port 1389 (-p), specifies the bind DN (-D), specifies the bind password file (-j), and modifies the password with a new one (-N) for another user (-a) connecting over simple authentication. For Windows platforms, specify the bind password file (for example, -j \temp\bindPasswordFile) and the new password file (for example, -N \temp\newPassword).
$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile \ -a "dn:uid=abergin,ou=People,dc=example,dc=com" -N /tmp/newPassword The LDAP password modify operation was successful
An exit code of 0 indicates that the operation completed successfully. A nonzero exit code indicates that an error occurred during processing.
The directory server supports the use of a properties file that passes in any default option values used with the ldappasswordmodify command. The properties file is convenient when working in different configuration environments, especially in scripted or embedded applications. See Using a Properties File With Server Commands for more information.
The following options can be stored in a properties file:
authzID
bindDN
bindPassword
bindPasswordFile
currentPassword
currentPasswordFile
control
hostname
keyStorePassword
keyStorePasswordFile
keyStorePath
newPassword
newPasswordFile
port
provideDNForAuthzID
trustAll
trustStorePassword
trustStorePasswordFile
trustStorePath
useSSL
useStartTLS
Entries in the properties file have the following format:
toolname.propertyname=propertyvalue
For example:
ldappasswordmodify.ldapport=12345
UNIX and Linux: install-dir/bin/ldappasswordmodify
Windows: install-dir\bat\ldappasswordmodify.bat
|
|