16.14 Configuring and Using the LDAP Password Modify Extended Operation

eDirectory allows LDAP clients to update user passwords using the LDAP Password Modify Extended Operation. eDirectory servers advertise support for this extended operation by listing the OID 1.3.6.1.4.1.4203.1.11.1 as a value of the supportedExtension attribute in the root DSE. For more information about the LDAP Password Modify Extended Operation, see RFC 3062.

eDirectory allows the extended operation through a secure channel (LDAPS or LDAP Start TLS) and supports this operation for Universal Passwords (UP) only. The extended operation request accepts three optional parameters:

  • User DN

  • Current password of the user

  • New password of the user

NOTE: If you do not provide a user DN, the password change operation is attempted on the logged-in user. If the new password is not provided, eDirectory generates a random password that complies with the password policy.

To allow the LDAP clients to update user passwords after installing eDirectory:

  1. Perform an LDAP RootDSE search and check if the Password Modify Extended Operation is supported.

    NOTE: Look for the Password Modify OID (1.3.6.1.4.1.4203.1.11.1) among the values of the supportedExtension attribute. For example:

    # ldapsearch -x -H ldaps://<LDAP_SERVER> -b "" -s base -LLL supportedExtension | grep 1.3.6.1.4.1.4203.1.11.1

  2. Create a user in eDirectory.

  3. Click Roles and Tasks > Passwords > Password Policies to create a password policy using the iManager password policy plug-in. For more information, see Creating Password Policies in the NetIQ eDirectory 8.8 SP8 Administration Guide.

  4. Assign the password policy to the user.

  5. Click Roles and Tasks > Passwords > Set Universal Password to set the UP.

  6. Modify the UP by using the ldappasswd utility. In the following example, -w is the bind password, -a the current UP, and -s the new UP:

    # ldappasswd -x -H ldaps://<LDAP_SERVER> -D cn=user1,o=novell -w novell -a novell -s novell12

NOTE: You can request that eDirectory generate a random password by omitting the new password (-s). For example:

    # ldappasswd -x -H ldaps://<LDAP_SERVER> -D cn=user1,o=novell -w novell12
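The following is an added example, not code from the eDirectory guide or from NetIQ: it shows what the ldappasswd utility and the rootDSE check above actually exchange on the wire, by encoding and decoding the RFC 3062 PasswdModifyRequestValue and PasswdModifyResponseValue with the standard library only, and by scanning ldapsearch-style output for the supportedExtension OID from the page. The rootDSE output and the DN and password values used are constructed sample data; the three optional request fields map to the parameters listed at the top of this section, and an empty response value is the case where the client supplied the new password itself and eDirectory returns no generated one.

```python
"""Added example (not from the eDirectory guide): RFC 3062 Password Modify
extended-operation values, plus the rootDSE supportedExtension check."""

from typing import Dict, Optional

# OID that the guide says eDirectory lists under supportedExtension
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific tags from the RFC 3062 ASN.1 definitions:
#   PasswdModifyRequestValue ::= SEQUENCE {
#       userIdentity [0] OCTET STRING OPTIONAL,
#       oldPasswd    [1] OCTET STRING OPTIONAL,
#       newPasswd    [2] OCTET STRING OPTIONAL }
#   PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
TAG_USER_IDENTITY, TAG_OLD_PASSWD, TAG_NEW_PASSWD = 0x80, 0x81, 0x82
TAG_GEN_PASSWD = 0x80
TAG_SEQUENCE = 0x30

# Constructed sample of `ldapsearch -LLL` rootDSE output (not real server output)
SAMPLE_ROOTDSE = """dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_length(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_passwd_modify_request(user_dn: Optional[str] = None,
                                 old_password: Optional[str] = None,
                                 new_password: Optional[str] = None) -> bytes:
    """Build the requestValue; all three fields are optional, as the guide states."""
    parts = b""
    if user_dn is not None:
        parts += _tlv(TAG_USER_IDENTITY, user_dn.encode("utf-8"))
    if old_password is not None:
        parts += _tlv(TAG_OLD_PASSWD, old_password.encode("utf-8"))
    if new_password is not None:
        parts += _tlv(TAG_NEW_PASSWD, new_password.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, parts)


def decode_passwd_modify_request(data: bytes) -> Dict[str, str]:
    """Parse a requestValue into the fields that are actually present."""
    tag, seq, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("requestValue is not a SEQUENCE")
    names = {TAG_USER_IDENTITY: "userIdentity",
             TAG_OLD_PASSWD: "oldPasswd", TAG_NEW_PASSWD: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        fields[names[tag]] = value.decode("utf-8")
    return fields


def encode_passwd_modify_response(generated_password: Optional[str]) -> bytes:
    """genPasswd is present only when the server chose the password itself."""
    if generated_password is None:
        return b""
    return _tlv(TAG_SEQUENCE, _tlv(TAG_GEN_PASSWD, generated_password.encode("utf-8")))


def decode_passwd_modify_response(data: bytes) -> Optional[str]:
    """Return the server-generated password, or None when no value was returned."""
    if not data:
        return None
    tag, seq, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("responseValue is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag == TAG_GEN_PASSWD:
            return value.decode("utf-8")
    return None


def supports_passwd_modify(rootdse_ldif: str) -> bool:
    """Step 1 of the procedure: look for the OID among supportedExtension values."""
    oids = set()
    for line in rootdse_ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "supportedExtension":
            oids.add(value.strip())
    return PASSWD_MODIFY_OID in oids


if __name__ == "__main__":
    req = encode_passwd_modify_request("cn=user1,o=novell", "novell", "novell12")
    print(req.hex(), decode_passwd_modify_request(req))
    print("server supports Password Modify:", supports_passwd_modify(SAMPLE_ROOTDSE))
```

The encoded requestValue is sent as the value of an LDAP ExtendedRequest whose requestName is the OID above; because the old and new passwords travel in clear text inside that value, the guide's requirement that the operation run over LDAPS or Start TLS is what keeps them off the wire in the clear.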