> -----Original Message-----
> From: Ondřej Kuzník <on...@mistotebe.net>
> Sent: Monday, August 18, 2025 11:42 AM
> To: Windl, Ulrich <u.wi...@ukr.de>
> Cc: openldap-technical@openldap.org
> Subject: [EXT] Re: Understanding ldappasswd: ldap_bind: Invalid credentials (49)
> 
> 
> On Mon, Aug 18, 2025 at 08:40:26AM +0000, Windl, Ulrich wrote:
> > Hi!
> >
> > I have a question: A user can change its password using the standard SSH
> > login.
> > However, one user with an expired password has a special shell that
> > does not allow login (the user is logged out immediately).
> > So I tried to use ldappasswd to change the password using this helper
> > script:
> >
> > #!/bin/sh
> > SERVER='ldap://...'
> > CONTEXT='dc=...'
> > if [ -n "$1" ]; then
> >     DN="uid=${1},ou=people,$CONTEXT"
> >     MANAGER="$DN"
> >     echo "$MANAGER changing password for $DN"
> >     ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN"
> > else
> >     echo "$0: missing or empty username" >&2
> >     exit 1
> > fi
> >
> > So here the one to change the password is the user itself.
> > When I use the script with just the username (set random password), I see:
> > Enter LDAP Password:
> > ldap_bind: Server is unwilling to perform (53)
> >         additional info: unauthenticated bind (DN with no password) disallowed
> >
> > And when I call it with a second parameter (ask for password), I see:
> > New password:
> > Re-enter new password:
> > Enter LDAP Password:
> > ldap_bind: Invalid credentials (49)
> 
> Hi Ulrich,
> `-D` says to bind (log in as) "$MANAGER","$CONTEXT", your users are
> unlikely to know that password, you should probably use "$DN" there.
[Windl, Ulrich]
Actually $MANAGER == $DN (the script was modified from an original, where
MANAGER was actually a user that could change the passwords of any user without
knowing the old ones).
Or did I miss something?


Kind regards,
Ulrich

> 
> Regards,
> 
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation                       http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
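The point Ondřej makes about `-D "$MANAGER","$CONTEXT"` is that the shell joins the two quoted strings into one argument, so when MANAGER already holds a full DN the base context is appended a second time and the server is asked to bind as an entry that does not exist. The following script is an added example written for this page, not code from the thread or from OpenLDAP: it builds the user DN once, reproduces the concatenation from the helper script so the resulting DN can be seen, and refuses to run `ldappasswd` when the context appears twice. The function names, `CONTEXT` value and the dry-run `passwd_command` helper are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build the bind DN once and refuse a DN
# whose base context appears twice, which is what -D "$MANAGER","$CONTEXT"
# yields when MANAGER is already a full DN. All names below are constructed.

CONTEXT='dc=example,dc=com'      # constructed base context for the example

# Build the user's DN from a uid and the base context (one suffix only).
build_user_dn() {
    printf 'uid=%s,ou=people,%s\n' "$1" "$2"
}

# Reproduce the helper script's "$DN","$CONTEXT" concatenation so the DN the
# server actually receives is visible.
broken_bind_dn() {
    dn=$(build_user_dn "$1" "$2")
    printf '%s,%s\n' "$dn" "$2"
}

# Return 0 if the DN ends with the context exactly once, 1 otherwise.
check_bind_dn() {
    dn=$1
    ctx=$2
    case "$dn" in
        *",$ctx,$ctx") return 1 ;;        # context duplicated: no such entry
        *",$ctx"|"$ctx") return 0 ;;      # exactly one suffix: looks sane
        *) return 1 ;;                    # not under the base context at all
    esac
}

# Print the ldappasswd command that would run (dry run; no server is contacted).
# Fourth argument non-empty means "prompt for the new password" (-S), matching
# the ${2:+-S } idiom in the thread's script.
passwd_command() {
    server=$1; user=$2; ctx=$3; ask=$4
    dn=$(build_user_dn "$user" "$ctx")
    check_bind_dn "$dn" "$ctx" || { echo "refusing bad bind DN: $dn" >&2; return 1; }
    printf 'ldappasswd -H %s -x -ZZ -D "%s" -W %s"%s"\n' \
        "$server" "$dn" "${ask:+-S }" "$dn"
}

# Usage (dry run):
#   passwd_command ldap://ldap.example.com alice "$CONTEXT" ask
```

Binding as the user's own DN with `-D "$DN"` is what the thread's author intended; `passwd_command` emits exactly that, and `broken_bind_dn` shows why the original invocation ends in `Invalid credentials (49)` rather than a password change.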
