Thank you Sumit for the answer, it solved my problem. 
From: Sumit Bose <>
Sent: Wednesday, January 6, 2016 1:03 PM
Subject: Re: [Freeipa-users] changing password on user using ldappasswd

On Wed, Jan 06, 2016 at 08:59:22AM +0000, FE9817 FE-DDIS.DK wrote:
> Hi,
> Im trying to change password for a user, using ldap, but it hangs. Here is 
> what is done.
> :~$ ldappasswd -h -ZZ -p 636 -x -D 
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S 
> "uid=test000,cn=users,cn=accounts,dc=com" -d9 -v -A

I think you are using the SSL/TLS option wrongly. -p 636 indicates that
you want to use the LDAPS port where the SSL/TLS handshake is done
automatically. -Z will use the StartTLS command to start the handshake
and the second Z will require that this will be successful.

First, ldappasswd will not do an automatic SSL/TLS handshake with this
options and hence you see the hang because the server waits for the
handshake. To tell ldappasswd to do the handshake please replace '-h' by '-H LDAPS://'.

Second, you will still see an error like 'SSL connection already
established' because the StartTLS command started due to the -Z option
see that the SSL/TLS tunnel is already established, returns the error
and since the second Z requires a success here ldappasswd fail.

Since it is redundant to do both, using the ldaps port and calling
StartTLS I would recommend to just use StartTLS as in

  ldappasswd -h -ZZ -x -D "uid=admin,cn=users,cn=accounts,dc=com" -W -S 
"uid=test000,cn=users,cn=accounts,dc=com" -A

Using the ldaps port should work with

  ldappasswd -H LDAPS:// -x -D "uid=admin,cn=users,cn=accounts,dc=com" 
-W -S "uid=test000,cn=users,cn=accounts,dc=com" -A

And if you really want to double-stitch it use use a single -Z like

  ldappasswd -H LDAPS:// -Z -x -D 
"uid=admin,cn=users,cn=accounts,dc=com" -W -S 
"uid=test000,cn=users,cn=accounts,dc=com" -A

then you will still see the 'SSL connection already established' error
but ldappasswd can proceed since StartTLS is not required to be
successful. But please note that this will not increase security because
-Z/StartTLS is a no-op in this case.



> Old password:
> Re-enter old password:
> New password:
> Re-enter new password:
> ldap_initialize( ldap:// )
> ldap_create
> ldap_url_parse_ext(ldap://
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x7fc7f40de370 msgid 1
> wait4msg ld 0x7fc7f40de370 msgid 1 (infinite timeout)
> wait4msg continue ld 0x7fc7f40de370 msgid 1 all 1
> ** ld 0x7fc7f40de370 Connections:
> * host:  port: 636  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Jan  6 09:29:43 2016
> ** ld 0x7fc7f40de370 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x7fc7f40de370 request count 1 (abandoned 0)
> ** ld 0x7fc7f40de370 Response Queue:
>    Empty
>   ld 0x7fc7f40de370 response count 0
> ldap_chkResponseList ld 0x7fc7f40de370 msgid 1 all 1
> ldap_chkResponseList returns ld 0x7fc7f40de370 NULL
> ldap_int_select
> It works when using kpasswd, but not ldappasswd. Any suggestions?
> Cheers
> Emil

> --
> Manage your subscription for the Freeipa-users mailing list:
> Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to