Environment: OpenLDAP on Linux (CentOS, Fedora, Redhat or OEL), already configured the userpassword attribute.
Objective: to let users to change their LDAP userpassword attribute themselves.
Steps:
1. configure access control part in slapd.conf
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
by * none
# note: above 'by self write' and 'by anonymous auth' attibutes
are very important, otherwise the users cannot change password by
themselves.
access to attr=proxyAccess by self read by dn="cn=Manager,dc=dev,dc=domain,dc=com" write by * none access to * by dn="cn=Manager,dc=dev,dc=domain,dc=com" write by users read
2. user ldapmodify to change it.
- Method 1: use ldapmodify with Manager DN
[root@mars openldap]# more jephe.ldapmodify
dn: uid=jephe,ou=people,dc=dev,dc=domain,dc=com
changetype:modify
replace: userpassword
userpassword: {MD5}risfylFZSeXVT7IrjtlVdQ==
You can use command 'slappasswd -h {MD5}' to generate userpassword line above
New password: testing
Re-enter new password: testing
{MD5}risfylFZSeXVT7IrjtlVdQ==
- Method 2 : use ldapmodify with user own DN
Enter LDAP Password:
modifying entry "uid=jephe,ou=people,dc=dev,dc=domain,dc=com"
3. use ldappasswd to change it
- Method 3: use ldappasswd with Manager DN
Result: Success (0)
- Method 4: use ldappasswd with user own DN
Result: Success (0)