How to change expired LDAP user password under linux?


Solution 1

You are missing a few attributes from your ldappasswd

This is just an example

ldappasswd -x -h <host> -D "<rootdn>" -w <rootdn_password> -s <new_password_for_user> "uid=user,ou=People,dc=example,dc=com"

Probably you are using some policies (some of them can be kept in LDAP - for instance, you have something like this in your LDAP server configuration)

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

Some of them can be kept locally (look for moduleload ppolicy.la in LDAP server configuration).

Probably you are also missing the ability to allow users to change their passwords without god's power. You can do it by resetting PAM or (the easier way) by allowing users to change their userPassword attribute without authentication.

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

access to * by * read

Whenever you need something more precise, please let me know :)

Solution 2

Are you using shadow* attributes on the server? If yes, make sure the shadowLastChange attribute is writable by the user(s); otherwise the userPassword attribute gets updated while shadowLastChange remains unchanged, and on the next attempt the client tools calculate the password age using the old shadowLastChange value and think the password needs to be changed.
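To make the shadowLastChange point concrete, here is an added POSIX sh helper (not from the original post or from OpenLDAP). It reproduces the core of the age check the client tools perform (today minus shadowLastChange compared with shadowMax, ignoring shadowInactive/shadowExpire), and builds the LDIF an administrator would feed to ldapmodify to reset shadowLastChange once the ACL allows it. USER_DN, ADMIN_DN and HOST are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: helpers for the shadowLastChange problem described above.
# Assumption: the user entry carries shadowLastChange and shadowMax.

# Days since the Unix epoch, the unit shadowLastChange is stored in.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# Core of the client-side check: the password counts as expired when
# today - shadowLastChange exceeds shadowMax. Prints "expired" or "ok".
# Args: shadowLastChange shadowMax today (all in days).
shadow_state() {
    last="$1"; max="$2"; today="$3"
    if [ $(( today - last )) -gt "$max" ]; then
        echo expired
    else
        echo ok
    fi
}

# LDIF that sets shadowLastChange to "today" for a DN. This is the update a
# successful passwd/ldappasswd run should already have made if the ACL
# granted the user write access to the attribute.
lastchange_ldif() {
    dn="$1"; today="$2"
    printf 'dn: %s\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: %s\n' "$dn" "$today"
}

# Apply it with ldapmodify only when LDAP_APPLY=1, so the functions above
# can be sourced or tested without touching a directory server.
# USER_DN, ADMIN_DN and HOST below are placeholders.
if [ "${LDAP_APPLY:-0}" = 1 ]; then
    lastchange_ldif "${USER_DN:-uid=user,ou=People,dc=example,dc=com}" "$(days_since_epoch)" \
        | ldapmodify -x -H "ldap://${HOST:-localhost}" -D "${ADMIN_DN:-cn=admin,dc=example,dc=com}" -W
fi
```

Run with `LDAP_APPLY=1 USER_DN=... ADMIN_DN=... sh script.sh` to apply; without LDAP_APPLY the script only defines the functions.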

Author: Andrey Sapegin

Updated on September 18, 2022

Comments

  • Andrey Sapegin over 1 year

    Can somebody give me advice on how to change an LDAP password that has already expired?

    I have an LDAP user and the password for this user is expired:

    # su user
    You are required to change your password immediately (password aged)
    su: Authentication token is no longer valid; new one required
    (Ignored)
    

    then I can change the password using 'passwd'. But if I try to login once again, the message still appears. If I try the ssh login, I also get the following message: "You are required to change your password immediately (password aged)"

    Then I change the password. But if I try to login once again, the message remains...

    Thank you in advance.

    P.S. I have also tried:

    user@server$ ldappasswd
    
    Please enter your password: 
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-13): user not found: no secret in database
    
  • Andrey Sapegin over 11 years
    the ldappasswd (with all parameters you suggested) runs successfully. After it I can authorise in LDAP with a new password: ldapsearch -u -v -x -h localhost -D uid=user,ou=Users,dc=aaa,dc=bbb -W However, 'su user' still says the same: You are required to change your password immediately (password aged)
  • Piotr Kieszczyński over 11 years
    Please execute chage -l user
  • Andrey Sapegin over 11 years
    I assume I need to change the expiration date in OpenLDAP rather than with 'chage', because 'chage' says "User is not in /etc/passwd". But I have no idea how... Some good OpenLDAP manual would be helpful
  • Andrey Sapegin over 11 years
    Yes, I checked, the attributes are present. But can you please advise me how I can check if the attributes are writable / update them?
  • Najmuddin over 11 years
    Please make sure you use an acl that allows users to write the shadowLastChange attribute. For example:

    access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
            by self write
            by anonymous auth
            by * none
    access to dn.subtree="ou=people,dc=example,dc=com" attrs=shadowLastChange
            by self write
            by * read
    access to dn.subtree="dc=example,dc=com"
            by * read
  • Najmuddin over 11 years
    @user1075993 My previous comment includes a sample acl (sorry.. it's not formatted correctly.. I don't see format options in the comment box). You can always check whether an attribute is writable or not by using the ldapmodify utility.