
How to Use Command Line LDAP Tools to Change a User's Password

Dave Aiello wrote, "A little while ago, I was troubleshooting a glitch on one of the systems that I administer. I needed to reset an expired user's password, but the GUI front end to the LDAP server wouldn't work for some reason."

"In order to be able to go to bed, I had to figure out how to change the user's password with the LDAP command line tools. The system I am using has an ldapmodify, but no ldappasswd. Read on to see how I did it...."

Dave Aiello continued:

This might not be the only way this can be done, and I may be leaving out command line parameters that are required in other configurations. But, this sequence worked on one of my LDAP servers when I was logged into the machine it is running on.

In this example, the LDAP superuser is known by the common name "Directory Manager", the user whose password needs to be changed has the user ID "cornelius", and the organization is "foobar.com".

The placeholder values (directory_manager_password and new_password) are meant to be replaced by the relevant values for your installation. (So, you would replace "directory_manager_password" with the actual password.) The line beginning "modifying entry" is the response of the server; everything before it is typed by you.

$ ldapmodify -D "cn=Directory Manager" -w directory_manager_password
dn:uid=cornelius,o=foobar.com
changetype:modify
replace:userpassword
userpassword:new_password
^Z
modifying entry uid=cornelius,o=foobar.com

In case it isn't clear, ldapmodify will silently wait for input after you invoke it with parameters that are valid to bind to the LDAP server being accessed. The program is waiting for valid LDIF statements.

As you can see, I typed a valid LDIF modify statement and then typed Control-Z and pressed the Return/Enter key. In my installation, ldapmodify sat there after it printed the message that begins "modifying entry". I might have been able to issue another Control-Z key sequence to be sent back to the command line. To be honest, I didn't have to do another LDAP entry modification. If I find that doing another Control-Z would work, I will update this story.

I wrote this article because I couldn't find an example that would work with my server configuration. So, I spent some time trying to figure out the right syntax to use within ldapmodify, and this is what worked for me.

Update: Yes, hitting Control-Z twice does get you out of ldapmodify cleanly. In case it wasn't obvious, Control-Z is the proper End of File marker on Windows. Control-D would be the EOF marker if you are using UNIX.
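The same change can be scripted so that nothing has to be typed interactively and no EOF key is needed: build the LDIF record and pipe it into ldapmodify's standard input. This is an added example, not the original post's command; it assumes the same DN layout as the post (uid=...,o=...), a bind DN of "cn=Directory Manager", and OpenLDAP's ldapmodify, whose -y option reads the bind password from a file instead of exposing it on the command line with -w. The helper names and the password file path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the LDIF "replace:
# userpassword" record the post types by hand and feeds it to ldapmodify.

# Emit one LDIF attribute line. RFC 2849 requires base64 ("name:: value")
# when the value starts with a space, ':' or '<', or contains non-ASCII or
# control characters; the post's plain "name: value" form is only safe
# otherwise, so passwords with such characters are handled here.
ldif_attr() {
    name="$1"; value="$2"
    case "$value" in
        " "*|":"*|"<"*) safe=no ;;
        *) if printf '%s' "$value" | LC_ALL=C grep -q '[^ -~]'; then
               safe=no
           else
               safe=yes
           fi ;;
    esac
    if [ "$safe" = yes ]; then
        printf '%s: %s\n' "$name" "$value"
    else
        printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | base64 | tr -d '\n')"
    fi
}

# Print the complete modify record for one user.
# Usage: password_ldif <uid> <org> <new_password>
password_ldif() {
    uid="$1"; org="$2"; newpw="$3"
    ldif_attr dn "uid=$uid,o=$org"
    printf 'changetype: modify\n'
    printf 'replace: userpassword\n'
    ldif_attr userpassword "$newpw"
}

# Apply the change non-interactively. The manager password is read from a
# file (-y, OpenLDAP ldapmodify; assumed here) rather than passed with -w,
# which would leave it visible in process listings and shell history.
# Usage: reset_password <uid> <org> <new_password> [manager_password_file]
reset_password() {
    pwfile="${4:-/etc/ldap/manager.pw}"   # hypothetical path
    password_ldif "$1" "$2" "$3" |
        ldapmodify -D "cn=Directory Manager" -y "$pwfile"
}
```

Because the LDIF arrives on stdin, ldapmodify exits on its own when the pipe closes, so neither Control-Z nor Control-D is needed. Note that the new password still travels as the literal userpassword value, exactly as in the interactive session, so the connection to the server should be protected accordingly.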


Copyright © 1995-2010, CTDATA Ventures. All Rights Reserved.