On Mon, Aug 18, 2025 at 08:40:26AM +0000, Windl, Ulrich wrote:
> Hi!
>
> I have a question: A user can change its password using the standard SSH
> Login.
> However, one user with an expired password has a special shell that
> does not allow login (the user is logged out immediately).
> So I tried to use ldappasswd to change the password using this helper script:
>
> #!/bin/sh
> SERVER='ldap://...'
> CONTEXT='dc=...'
> if [ -n "$1" ]; then
>     DN="uid=${1},ou=people,$CONTEXT"
>     MANAGER="$DN"
>     echo "$MANAGER changing password for $DN"
>     ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN"
> else
>     echo "$0: missing or empty username" >&2
>     exit 1
> fi
>
> So here the one to change the password is the user itself.
> When I use the script with just the username (set random password), I see:
>
> Enter LDAP Password:
> ldap_bind: Server is unwilling to perform (53)
>     additional info: unauthenticated bind (DN with no password) disallowed
>
> And when I call it with a second parameter (ask for password), I see:
>
> New password:
> Re-enter new password:
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
Hi Ulrich,

`-D` says to bind (log in as) "$MANAGER","$CONTEXT"; your users are unlikely
to know that password, so you should probably use "$DN" there.

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
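An added example, not code from either message in this thread: the helper script rewritten so the user's own DN is built once and used both as the -D bind identity and as the target entry, with a check on the username before it is spliced into the DN. The server URL and base context are placeholders; "ou=people" is taken from Ulrich's script.

```shell
#!/bin/sh
# Added example; not Ulrich's script and not anything from Symas/OpenLDAP.
# The user's DN is built once and reused for -D and for the target entry,
# so the base context is never appended a second time.
SERVER='ldap://ldap.example.org'   # placeholder, not the poster's server
CONTEXT='dc=example,dc=org'        # placeholder, not the poster's context

# bind_dn USER CONTEXT: prints "uid=USER,ou=people,CONTEXT", or fails.
# USER is spliced into a DN unescaped, so reject anything RFC 4514 would
# require escaping in an attribute value: , + " \ < > ; = whitespace, and a
# leading '#'. A plain uid never contains these.
bind_dn() {
    user=$1
    ctx=$2
    [ -n "$user" ] || return 1
    if printf '%s\n' "$user" | grep -q -e '[,+"\\<>;=[:space:]]' -e '^#'; then
        return 1
    fi
    printf '%s\n' "uid=${user},ou=people,${ctx}"
}

# change_own_password USER [ask]: bind as the user itself (-D "$dn"), then
# change that same entry. Without "ask", the server generates the new
# password and ldappasswd prints it; with "ask", -S prompts for it.
change_own_password() {
    dn=$(bind_dn "$1" "$CONTEXT") || {
        echo "$0: missing or invalid username" >&2
        return 1
    }
    echo "$dn changing its own password"
    if [ -n "$2" ]; then
        ldappasswd -H "$SERVER" -x -ZZ -D "$dn" -W -S "$dn"
    else
        ldappasswd -H "$SERVER" -x -ZZ -D "$dn" -W "$dn"
    fi
}

# Usage (needs a reachable server): change_own_password alice
# or, to be prompted for the new password: change_own_password alice ask
```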