Sun and OracleChannel SunHow to BuyLog InPortuguês brasileiro

Sun Java System Directory Server Enterprise Edition 6.0 Man Page Reference
  Procure somente este livro
Pesquisar Ajuda
Contidos dentro
Localizar Mais Documentação
Destaques de Recursos de Suporte
 Fazer download desta apostila em PDF (3586 KB)

ldappasswd(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | ATTRIBUTES | SEE ALSO

NAME

    ldappasswd– change the password of an LDAP entry

SYNOPSIS

    /usr/sfw/bin/ldappasswd [options] [auth-id]
    install-path/dsrk6/bin/ldappasswd [options] [auth-id]

DESCRIPTION

    The ldappasswd command changes the password of an LDAP entry, identified by an auth-id such as uid=bjensen,ou=people,dc=example,dc=com, stored by a directory server.

    The ldappasswd command relies on the Password Modify Extended Operation (OID 1.3.6.1.4.1.4203.1.11.1).

OPTIONS

    The following options are supported:

    -0

    Ignore LDAP library version mismatches.

    When this option is omitted, the default behavior is to assert that the revision number of the LDAP API be greater than or equal to that used to compile the tool. Also, if the library and the tool have the same vendor name, the tool will assert that the vendor version number of the API be greater than or equal to that used to compile the tool. Revision and version numbers are based on the contents of the LDAPAPIInfo structure defined in <ldap.h> or header files included by <ldap.h>.

    -3

    Check host names in SSL certificates.

    -A

    Prompt for old password.

    -D bindDN

    Use the specified bind DN to authenticate to the directory server.

    If the bind DN and its password are omitted, the ldappasswd command binds anonymously.

    -E

    Request that the directory expose (report) the bind identity.

    -H
    -help
    --help
    -?

    Display usage information.

    -I filename

    Read SSL key password for the client key database specified using the -P option from filename.

    The default is key3.db.

    -J controloid[:criticality[:value|::base64value|:<fileurl]]

    Use the specified control OID.

    The criticality, a boolean, is false by default.

    An LDAP control can be associated with a value. Proxy authorization takes a proxy authorization ID, for example, passed with the control OID, and criticality. If a value is necessary you specify it using value, base64value, or <fileurl.

    -K pathname

    Use the SSL key database located in pathname, the full path to the key database file.

    The default is to search for the key database file, key3.db, in the directory specified by the -P option.

    -M

    Manage referrals, modifying the entry containing the referral instead of the entry obtained by following the referral.

    -N certificate

    Use the specified certificate for certificate-based SSL client authentication, for example: -N "Client-Cert", where Client-Cert is the subject name of the user certificate.

    -O limit

    Follow at maximum limit referral hops.

    Default is 5.

    -P pathname

    Use the SSL certificate database located in the specified file system directory.

    The default is to search for the certificate database file, cert8.db, in the current directory.

    -R

    Do not follow referrals automatically.

    -S

    Prompt for the new password.

    -T filename

    Read the new password from the specified file.

    -V n

    Use LDAP protocol version n, where n is 2 or 3. Default is 3.

    -W -

    Prompt for the password for the client key database specified using the -P option.

    The -W option is required for certificate-based client authentication.

    -W password

    Specify the password for the client key database specified using the -P option.

    The -W option is required for certificate-based client authentication.

    -Y proxydn

    Use the rights of the entry having the specified DN for performing LDAP operations. When using this option, you must also specify how to bind before you assume the rights of the proxy. Thus, when using simple authentication, you would also use the -D and -w options with this option.

    Before proxy authentication can work in Directory Server, you must set up the appropriate access control instructions.

    -Z

    Use SSL to provide certificate-based client authentication.

    The -Z option requires the -N and -W options and any other SSL options needed to identify the certificate and the key database.

    -ZZ

    Use start TLS when possible to connect to the directory.

    -a password

    Use the specified old password.

    -h host

    Contact the LDAP server on the specified host, which may be a host name or an IP address. Enclose IPv6 addresses in brackets ([]) as described in RFC 2732.

    For example, when mapping the IPv4 address 192.168.0.99 to IPv6, pass the -h option with its argument as -h [::ffff:192.168.0.99]. Notice the brackets.

    When using GSSAPI with Directory Server, specify the host as a fully-qualified host name which matches the value of the nsslapd-localhost attribute on the cn=config entry. The GSSAPI authentication process requires that the host name provided by the client match the one provided by the server.

    The default is localhost.

    -i charset

    Use the specified character set to override the value of the LANG environment variable. This option is useful, as the command converts certain arguments you specify to UTF-8 before sending the request to the server. The following arguments are converted: base DN, bind DN, LDAP filter, and password.

    You can prevent the command from converting passwords by using the -k option.

    Examples of charset values include ISO8859-1, ISO8859-15, ibm-1275, and windows-1251.

    -j filename

    Read the bind password for simple authentication from the specified file.

    -k

    Do not convert the passwords to UTF-8.

    -m pathname

    Use the security module database located in the specified file system directory.

    Use the -m option if the security module database is in a different directory from the certificate database itself.

    -n

    Show what would be done, but do not actually do it.

    -o attrname=attrvalue

    Use the specified attribute values when performing SASL authentication.

    The following attrname arguments are supported:

    authid

    Use the specified authentication identity.

    authzid

    Use the specified authorization identity.

    mech

    Request the specified SASL mechanism for the bind.

    realm

    Use the specified realm to complete the bind.

    secProp

    Use the specified security level.

    The attrvalue is a valid value corresponding to the attrname you specify.

    -p port

    Contact the LDAP server on the specified port.

    The default is 389 (636 if SSL is used).

    -s password

    Use the specified new password.

    -t filename

    Read the old password from the specified file.

    -v

    Run in verbose mode, displaying diagnostics on standard output.

    -w

    Prompt for the bind password for simple authentication.

    -w password

    Use the specified bind password for simple authentication.

EXAMPLES

    Examples in this section use the following conventions:

    • The directory server is located on a system named host.

    • The directory server supports the Password Modify Extended Operation (OID 1.3.6.1.4.1.4203.1.11.1)

    • The directory server listens on port number 389, the default for non-SSL traffic.

    • The directory server listens on port number 636, the default for SSL traffic. SSL is enabled.

    Example 1 Changing Your User Password

    The following command lets Barbara Jensen change her own user password, connecting over simple authentication:


    $ ./ldappasswd -h host -D uid=bjensen,ou=people,dc=example,dc=com \
-j old.pwd -T new.pwd -t old.pwd uid=bjensen,ou=people,dc=example,dc=com
ldappasswd: password successfully changed
$
    Example 2 Changing The Password For Another User

    The following command lets Kirsten Vaughan change Barbara Jensen’s password, connecting over simple authentication:


    $ ./ldappasswd -h host -D uid=kvaughan,ou=people,dc=example,dc=com \
-w - -A -S uid=bjensen,ou=people,dc=example,dc=com
Old Password: 
New Password: 
Re-enter new Password: 
Enter bind password:
ldappasswd: password successfully changed
$
    Example 3 Using Server Authentication

    The following command uses server authentication during the bind, where the server only accepts binds by clients with trusted certificates. Notice only the -P option is used without other SSL-related options.


    $ ./ldappasswd -h host -p 636 -P /home/bjensen/security \
-D "uid=bjensen,ou=People,dc=example,dc=com" -w - -A -S -Z \
uid=bjensen,ou=People,dc=example,dc=com
Old Password: 
New Password: 
Re-enter new Password: 
Enter bind password:
ldappasswd: password successfully changed
$
    Example 4 Using Client Authentication

    The following command uses client authentication during the bind, where the server only accepts binds by clients with trusted certificates, and the client must sign the certificate with a password-protected private key. Notice the options used in this example.


    $ ./ldappasswd -h host -p 636 -A -S -P /home/bjensen/security \
-N "bjscert" -W keypassword uid=bjensen,ou=People,dc=example,dc=com
Old Password:
New Password:
Re-enter new Password:
ldappasswd: password successfully changed
$

EXIT STATUS

    The exit status returned reflects the return values of the underlying functions used, which may depend on return values sent by the server. Common exit status codes follow:

    0

    Successful completion; LDAP_SUCCESS; 0x00.

    1

    Server encountered errors while processing the request; LDAP_OPERATIONS_ERROR; 0x01.

    2

    Server encountered errors, such as a BER-decoding error, while processing the request; LDAP_PROTOCOL_ERROR; 0x02.

    10

    Entry to modify belongs to an entry handled by neither server, and the referral URL identifies another server that handles the entry; LDAP_REFERRAL; 0x0a.

    32

    Authentication ID belongs to an entry not handled by the server, and no referral URL is available for the entry; LDAP_NO_SUCH_OBJECT; 0x20.

    50

    Bind DN user does not have permission to read the entry from the directory; LDAP_INSUFFICIENT_ACCESS; 0x32.

    53

    Directory does not allow this user to perform this operation; LDAP_UNWILLING_TO_PERFORM; 0x35.

    81

    One of the directories did not respond to the request, or the connection was lost; LDAP_SERVER_DOWN; 0x51.

    83

    The request could not be BER-encoded; LDAP_ENCODING_ERROR; 0x53.

    84

    A result could not be decoded; LDAP_DECODING_ERROR; 0x54.

    89

    An option or argument is not valid; LDAP_PARAM_ERROR; 0x59.

    91

    A specified host name or port is not valid; LDAP_CONNECT_ERROR; 0x5b.

    92

    At least one server supports only LDAPv2, and the -V 2 option was not used, or the -V 2 option was used, but the server no longer supports LDAP v2; LDAP_NOT_SUPPORTED; 0x5c.

ATTRIBUTES

    See attributes(5) for descriptions of the following attributes:

     ATTRIBUTE TYPE ATTRIBUTE VALUE
     Availability SUNWldapcsdk-tools
     Stability Level Evolving

SEE ALSO

    ldapcmp(1), ldapcompare(1), ldapdelete(1), ldapmodify(1), ldapsearch(1)

DSEE 6.0  Last Revised September 11, 2006

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | ATTRIBUTES | SEE ALSO