eDirectory allows LDAP clients to update user passwords using the LDAP Password Modify Extended Operation. eDirectory servers advertise support for this extended operation by listing the OID 1.3.6.1.4.1.4203.1.11.1 as a value of the supportedExtension attribute in the root DSE. For more information about the LDAP Password Modify Extended Operation, see RFC 3062.
eDirectory allows the extended operation over a secure channel (LDAPS or LDAP Start TLS) and supports it for Universal Passwords (UP) only. The extended operation request accepts three optional parameters:
- User DN
- Current password of the user
- New password of the user
NOTE: If you do not provide a user DN, the password change is attempted on the logged-in (bound) user. If you do not provide a new password, eDirectory generates a random password that complies with the password policy and returns it in the response.
To allow LDAP clients to update user passwords after installing eDirectory:
1. Perform an LDAP root DSE search and check whether the Password Modify Extended Operation is supported.
   NOTE: Look for the PasswdModifyOID (1.3.6.1.4.1.4203.1.11.1) value of the supportedExtension attribute. For example:
   # ldapsearch -x -H ldaps://<LDAP_SERVER> -b "" -s base -LLL supportedExtension | grep 1.3.6.1.4.1.4203.1.11.1
2. Create a user in eDirectory.
3. Click Roles and Tasks > Passwords > Password Policies to create a password policy using the iManager password policy plug-in. For more information, see Creating Password Policies in the NetIQ eDirectory 8.8 SP8 Administration Guide.
4. Assign the password policy to the user.
5. Click Roles and Tasks > Passwords > Set Universal Password to set the UP.
6. Modify the UP by using the ldappasswd utility:
   # ldappasswd -x -H ldaps://<LDAP_SERVER> -D cn=user1,o=novell -w novell -a novell -s novell12
   NOTE: You can request eDirectory to generate a random password by omitting the new password (-s). For example:
   # ldappasswd -x -H ldaps://<LDAP_SERVER> -D cn=user1,o=novell -w novell12
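The following Python is an added example; it is not part of the eDirectory documentation or any NetIQ code. It shows what ldappasswd puts on the wire for the procedure above: the RFC 3062 PasswdModifyRequestValue with the three optional fields (user DN, current password, new password) as BER, the PasswdModifyResponseValue that carries a server-generated password when the new password is omitted, and the step 1 check of a root DSE dump for the supported OID. It uses only the standard library and does not open an LDAP connection; the root DSE text, the DN cn=user1,o=novell, the passwords and the generated password are constructed sample values (the other OID in the sample is the standard Start TLS OID).

```python
"""Added example (not eDirectory's own code): RFC 3062 Password Modify values.

Encodes the PasswdModifyRequestValue sent in an LDAP extended request
(OID 1.3.6.1.4.1.4203.1.11.1), decodes the PasswdModifyResponseValue that
carries a server-generated password, and checks a root DSE LDIF dump for the
OID. Standard library only; all sample values below are constructed.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed root DSE output, in the shape "ldapsearch -LLL supportedExtension" prints.
SAMPLE_ROOTDSE_LDIF = """dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""


def supports_password_modify(rootdse_ldif: str) -> bool:
    """True if the LDIF lists the Password Modify OID under supportedExtension (step 1)."""
    for line in rootdse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == "supportedExtension" and value.strip() == PASSWD_MODIFY_OID:
            return True
    return False


def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify_request(user_dn=None, old_password=None, new_password=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }.

    Every field is OPTIONAL: omit user_dn to act on the bound user, omit
    new_password to ask the server to generate one.
    """
    fields = b""
    for tag, text in ((0x80, user_dn), (0x81, old_password), (0x82, new_password)):
        if text is not None:
            fields += _ber_tlv(tag, text.encode("utf-8"))
    return _ber_tlv(0x30, fields)


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at buf[pos]; return (tag, value, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify_request(buf: bytes) -> dict:
    """Inverse of encode_passwd_modify_request; rejects unknown or repeated fields."""
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in names or names[tag] in out:
            raise ValueError("unexpected or repeated field tag 0x%02x" % tag)
        out[names[tag]] = value.decode("utf-8")
    return out


def decode_passwd_modify_response(buf: bytes):
    """PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OPTIONAL }.

    Returns the generated password, or None when the client chose the password
    and the server sent no value (or an empty SEQUENCE).
    """
    if not buf:
        return None
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single PasswdModifyResponseValue SEQUENCE")
    if not body:
        return None
    tag, value, end = _read_tlv(body, 0)
    if tag != 0x80 or end != len(body):
        raise ValueError("response carries something other than genPasswd")
    return value.decode("utf-8")


if __name__ == "__main__":
    print("server advertises Password Modify:", supports_password_modify(SAMPLE_ROOTDSE_LDIF))
    req = encode_passwd_modify_request("cn=user1,o=novell", "novell", "novell12")
    print("request value:", req.hex())
    print("decoded:", decode_passwd_modify_request(req))
    # Constructed response for a request that omitted newPasswd.
    resp = _ber_tlv(0x30, _ber_tlv(0x80, b"Xy7!kQ2p"))
    print("generated password:", decode_passwd_modify_response(resp))
```

Because every field of the request is optional, the decoder keys its result on the context tags ([0], [1], [2]) rather than on position, which is also why a client that omits the user DN acts on its own bound identity and one that omits the new password must read genPasswd from the response. The encoded value is always carried inside an LDAP ExtendedRequest over the TLS-protected session the text requires; encoding it in the clear, as here, is only for inspection.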