eDirectory allows LDAP clients to update user passwords using the LDAP Password Modify Extended Operation. eDirectory servers advertise support for this extended operation by listing its OID, 1.3.6.1.4.1.4203.1.11.1, as a value of the supportedExtension attribute in the root DSE. For more information about the LDAP Password Modify Extended Operation, see RFC 3062.
eDirectory allows the extended operation only through a secure channel (LDAPS, or LDAP with Start TLS, which the OpenLDAP client tools request with -Z) and supports this operation for Universal Passwords (UP) only. The extended operation request accepts three optional parameters:
DN of the user whose password is to be changed
Current password of the user
New password of the user
NOTE: If you do not provide a user DN, the password change operation is attempted on the logged-in (bound) user. If the new password is not provided, eDirectory generates a random password that complies with the password policy; per RFC 3062, the generated password is returned to the client in the extended operation response.
To allow LDAP clients to update user passwords after installing eDirectory:
1. Perform an LDAP root DSE search and check whether the Password Modify Extended Operation is supported.
NOTE: Look for the PasswdModifyOID value (1.3.6.1.4.1.4203.1.11.1) in the supportedExtension attribute. For example:
# ldapsearch -x -H ldaps://<LDAP_SERVER> -b "" -s base -LLL supportedExtension | grep 1.3.6.1.4.1.4203.1.11.1
2. Create a user in eDirectory.
3. Assign the password policy to the user.
4. Set the UP for the user.
5. Modify the UP by using the ldappasswd utility:
# ldappasswd -x -H ldaps://<LDAP_SERVER> -D cn=user1,o=novell -w novell -a novell -s novell12
Here -D and -w give the bind DN and its current password, -a repeats the current password and -s supplies the new one. Because no target user DN is given on the command line, the bound user's own password is changed.
NOTE: You can request eDirectory to generate a random password by omitting -s. For example:
# ldappasswd -x -H ldaps://<LDAP_SERVER> -D cn=user1,o=novell -w novell12
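The following is an added example, not eDirectory or OpenLDAP code, that hand-encodes and decodes the RFC 3062 request and response values in BER so the wire form of the extended operation can be inspected offline. It shows what the ldappasswd invocations above actually send: the three optional fields, a request with userIdentity omitted (change the bound user), and a request with newPasswd omitted (ask the server to generate one). The root DSE sample text and all byte strings are constructed for the example; the helper names are this example's own.

```python
# Added example (not eDirectory or OpenLDAP code): RFC 3062 Password Modify
# request/response values, hand-encoded in BER. Sample data is constructed.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062
START_TLS_OID = "1.3.6.1.4.1.1466.20037"        # RFC 4511, used in the sample root DSE

# From the RFC 3062 ASN.1 (context-specific primitive tags):
#   PasswdModifyRequestValue ::= SEQUENCE {
#       userIdentity [0] OCTET STRING OPTIONAL,
#       oldPasswd    [1] OCTET STRING OPTIONAL,
#       newPasswd    [2] OCTET STRING OPTIONAL }
#   PasswdModifyResponseValue ::= SEQUENCE {
#       genPasswd    [0] OCTET STRING OPTIONAL }
REQUEST_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
SEQUENCE_TAG = 0x30


def _ber_length(n):
    """Definite-length BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value


def _read_tlv(buf, pos):
    """Decode one tag/length/value starting at buf[pos]; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")  # RFC 4511 5.1
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def build_passwd_modify_request(user_dn=None, old_password=None, new_password=None):
    """Encode PasswdModifyRequestValue. Omitting user_dn targets the bound user;
    omitting new_password asks the server to generate a password."""
    body = b""
    if user_dn is not None:
        body += _tlv(0x80, user_dn.encode("utf-8"))
    if old_password is not None:
        body += _tlv(0x81, old_password.encode("utf-8"))
    if new_password is not None:
        body += _tlv(0x82, new_password.encode("utf-8"))
    return _tlv(SEQUENCE_TAG, body)


def parse_passwd_modify_request(value):
    """Decode a request value, enforcing the element order and uniqueness from the ASN.1."""
    tag, body, end = _read_tlv(value, 0)
    if tag != SEQUENCE_TAG or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    fields = {name: None for name in REQUEST_TAGS.values()}
    pos, last_tag = 0, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in REQUEST_TAGS or tag <= last_tag:
            raise ValueError("unexpected, repeated or out-of-order element 0x%02x" % tag)
        fields[REQUEST_TAGS[tag]] = val.decode("utf-8")
        last_tag = tag
    return fields


def is_valid_request(value):
    try:
        parse_passwd_modify_request(value)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def parse_passwd_modify_response(value):
    """Return the server-generated password, or None when the response carries no
    value (the client supplied newPasswd) or no genPasswd element."""
    if not value:
        return None
    tag, body, end = _read_tlv(value, 0)
    if tag != SEQUENCE_TAG or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x80:
            return val.decode("utf-8")
    return None


def root_dse_advertises_passwd_modify(ldif_text):
    """Check the LDIF printed by 'ldapsearch -LLL -b "" -s base supportedExtension'."""
    oids = {line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines()
            if line.startswith("supportedExtension:")}
    return PASSWD_MODIFY_OID in oids


if __name__ == "__main__":
    # Wire value behind: ldappasswd -x -D cn=user1,o=novell -w novell -a novell -s novell12
    # (no target user on the command line, so userIdentity is omitted)
    req = build_passwd_modify_request(old_password="novell", new_password="novell12")
    print(req.hex(), parse_passwd_modify_request(req))
    # Constructed root DSE output in the shape ldapsearch -LLL prints
    sample = "dn:\nsupportedExtension: %s\nsupportedExtension: %s\n" % (START_TLS_OID, PASSWD_MODIFY_OID)
    print(root_dse_advertises_passwd_modify(sample))
```

The parser rejects out-of-order or repeated elements rather than silently taking the last one, which is the behaviour you want from anything sitting between a client and the directory (a proxy, an audit hook) so that an attacker cannot smuggle a second userIdentity past a naive decoder. Note that the request value carries both passwords in the clear inside the BER; the confidentiality of this operation rests entirely on the TLS channel eDirectory requires for it.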