How to change expired LDAP user password under linux?
Solution 1
You are missing a few attributes from your ldappasswd
This is just an example
ldappasswd -x -h <host> -D "<rootdn>" -w <rootdn_password> -s <new_password_for_user> "uid=user,ou=People,dc=example,dc=com"
Probably you are using some policies (some of them can be kept in LDAP; for instance, you may have something like this in your LDAP server configuration):
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
Some of them can be kept locally (look for moduleload ppolicy.la in the LDAP server configuration).
Probably you are also missing the ability to allow users to change their passwords without god's power. You can do it by resetting PAM or (the easier way) by allowing users to change their userPassword attribute without authentication:
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
Whenever you need something more precise, please let me know :)
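Added example (this is not code from the answer or from OpenLDAP): a small Python evaluator for slapd.conf access directives of the shape used in this thread, so you can see what a given bind DN may do with a given attribute before touching a live server. It models only the targets "*", dn.subtree= and attrs= and the subjects self, anonymous, users and "*"; the sample ACLs, the DNs uid=user / uid=other and the second, dn.subtree-based ACL are constructed for illustration. Run on the ACL above it also shows that a user binding as themselves cannot write their own shadowLastChange, because that attribute only falls under "access to * by * read".

```python
"""Added example, not OpenLDAP code: evaluate slapd.conf 'access to' directives
like the ones quoted in this thread. Modelled subset: targets '*', dn.subtree=
and attrs=; subjects self, anonymous, users and *. Real slapd ACLs are richer
(regex targets, sets, break/continue, rootdn bypass): a reading aid only."""
from __future__ import annotations
import shlex
from dataclasses import dataclass, field

# slapd access levels, lowest to highest; a granted level implies all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Clause:
    subtree: str | None = None     # normalised DN from dn.subtree=, None = any
    attrs: set[str] | None = None  # lower-cased attribute names, None = any
    by: list[tuple[str, str]] = field(default_factory=list)  # (who, level)

def norm_dn(dn: str) -> str:
    # Normalise just enough for comparison: lower-case, trimmed RDNs.
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_acl(text: str) -> list[Clause]:
    """Indented 'by ...' lines continue the preceding 'access to' line."""
    directives: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            directives.append(line)
        elif directives:
            directives[-1] += " " + line
    clauses = []
    for d in directives:
        tokens = shlex.split(d)  # unquotes dn.subtree="ou=people,dc=example,dc=com"
        c, i = Clause(), 2
        while i < len(tokens) and tokens[i] != "by":
            tok = tokens[i]
            if tok.startswith("dn.subtree="):
                c.subtree = norm_dn(tok.split("=", 1)[1])
            elif tok.startswith("attrs="):
                c.attrs = {a.lower() for a in tok.split("=", 1)[1].split(",")}
            elif tok != "*":
                raise ValueError(f"unsupported target {tok!r}")
            i += 1
        while i + 2 < len(tokens) and tokens[i] == "by":
            who, level = tokens[i + 1], tokens[i + 2]
            if level not in LEVELS:
                raise ValueError(f"unsupported access level {level!r}")
            c.by.append((who, level))
            i += 3
        clauses.append(c)
    return clauses

def check(clauses, bind_dn: str | None, entry_dn: str, attr: str, want: str) -> bool:
    """True if bind_dn (None = anonymous) may perform level 'want' on 'attr' of
    entry_dn: first matching 'access to' wins, then first matching 'by' decides."""
    target = norm_dn(entry_dn)
    for c in clauses:
        if c.subtree and target != c.subtree and not target.endswith("," + c.subtree):
            continue
        if c.attrs is not None and attr.lower() not in c.attrs:
            continue
        for who, level in c.by:
            if (who == "*" or (who == "anonymous" and bind_dn is None)
                    or (who == "users" and bind_dn is not None)
                    or (who == "self" and bind_dn and norm_dn(bind_dn) == target)):
                return LEVELS.index(level) >= LEVELS.index(want)
        return False  # target matched but no 'by' matched the requester
    return False      # nothing matched: slapd's implicit 'access to * by * none'

# Constructed copy of Solution 1's ACL, and a dn.subtree variant that also
# makes shadowLastChange self-writable.
ACL_SOLUTION1 = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by users none
access to * by * read
"""
ACL_WITH_SHADOW = """
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword by self write by anonymous auth by * none
access to dn.subtree="ou=people,dc=example,dc=com" attrs=shadowLastChange by self write by * read
access to dn.subtree="dc=example,dc=com" by * read
"""
USER = "uid=user,ou=People,dc=example,dc=com"
OTHER = "uid=other,ou=People,dc=example,dc=com"

def demo() -> dict[str, bool]:
    s1, s2 = parse_acl(ACL_SOLUTION1), parse_acl(ACL_WITH_SHADOW)
    return {
        "self_write_userPassword": check(s1, USER, USER, "userPassword", "write"),
        "anon_auth_userPassword": check(s1, None, USER, "userPassword", "auth"),
        "anon_read_userPassword": check(s1, None, USER, "userPassword", "read"),
        "other_read_userPassword": check(s1, OTHER, USER, "userPassword", "read"),
        "self_write_shadow_sol1": check(s1, USER, USER, "shadowLastChange", "write"),
        "self_write_shadow_fixed": check(s2, USER, USER, "shadowLastChange", "write"),
        "other_read_shadow_fixed": check(s2, OTHER, USER, "shadowLastChange", "read"),
    }
```

demo() returns a dictionary of allowed/denied decisions; the self_write_shadow_sol1 entry is the one that comes back False with Solution 1's ACL alone and True once a self-writable shadowLastChange clause is added.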
Solution 2
Are you using shadow* attributes on the server? If yes, make sure the shadowLastChange attribute is writable by the user(s); otherwise the userPassword attribute gets updated while shadowLastChange remains unchanged, and on the next attempt the client tools calculate the password age using the old shadowLastChange value and think the password needs to be changed.
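Added example (not code from the answer): the Python below reproduces the password-age arithmetic that shadow-aware clients such as pam_unix apply to a user's shadow* attributes, which is why a stale shadowLastChange keeps producing the "password aged" message after the password itself was changed. It reads a constructed ldapsearch-style entry (the DN and values are made up), classifies the password as ok / warn / expired / must-change, and builds the LDIF an ldapmodify run would use to set shadowLastChange to today. shadowInactive and shadowExpire are deliberately not modelled.

```python
"""Added example, not from the page: reproduce the password-age arithmetic that
shadow-aware clients (pam_unix, passwd) apply to an LDAP user's shadow*
attributes, and build the LDIF that brings shadowLastChange up to date after
a reset. Per shadow(5): shadowLastChange and 'today' are days since 1970-01-01,
shadowMax/shadowWarning are day counts, -1 or absent means 'not set'.
shadowInactive/shadowExpire (account expiry) are not modelled here."""
from __future__ import annotations
from datetime import date

EPOCH = date(1970, 1, 1)

def days_since_epoch(d: date) -> int:
    """The unit shadowLastChange is stored in (e.g. today's value for an LDIF)."""
    return (d - EPOCH).days

def parse_ldif_entry(text: str) -> dict[str, str]:
    """Minimal LDIF reader for one ldapsearch entry: single-valued 'attr: value'
    lines; comments are skipped, base64 ('::') values are not handled."""
    entry: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or "::" in line:
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip()] = value.strip()
    return entry

def password_state(entry: dict[str, str], today: int) -> str:
    """'must-change', 'expired', 'warn' or 'ok', following pam_unix's checks."""
    last = int(entry.get("shadowLastChange", -1))
    maxd = int(entry.get("shadowMax", -1))
    warn = int(entry.get("shadowWarning", -1))
    if last == 0:
        return "must-change"        # admin forced a change at next login
    if last < 0 or maxd < 0:
        return "ok"                 # password aging not enabled
    if today > last + maxd:
        # pam_unix: "You are required to change your password immediately (password aged)"
        return "expired"
    if warn >= 0 and today > last + maxd - warn:
        return "warn"
    return "ok"

def ldif_refresh_last_change(dn: str, today: int) -> str:
    """LDIF for ldapmodify that sets shadowLastChange to today; this is the
    update that must accompany a password change or the age stays stale."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: shadowLastChange\n"
            f"shadowLastChange: {today}\n")

# Constructed ldapsearch output for a user whose password was reset but whose
# shadowLastChange was not updated (values are made up for the example).
SAMPLE_LDAP_OUTPUT = """\
# user, People, example.com
dn: uid=user,ou=People,dc=example,dc=com
objectClass: shadowAccount
uid: user
shadowLastChange: 19000
shadowMax: 60
shadowWarning: 7
"""

def demo(today: int = 19100) -> dict[str, str]:
    """Show the stale-shadowLastChange symptom and the effect of refreshing it."""
    entry = parse_ldif_entry(SAMPLE_LDAP_OUTPUT)
    before = password_state(entry, today)
    ldif = ldif_refresh_last_change(entry["dn"], today)
    entry["shadowLastChange"] = str(today)  # what applying that LDIF would do
    after = password_state(entry, today)
    return {"before": before, "after": after, "ldif": ldif}

if __name__ == "__main__":
    result = demo(days_since_epoch(date.today()))
    print(result["before"], "->", result["after"])
    print(result["ldif"])
```

With the sample values the entry is "expired" at day 19100 (19100 > 19000 + 60) even though the password hash may already be new; after the replace of shadowLastChange the same arithmetic yields "ok". The LDIF is only applied successfully if the ACL lets the binding identity write shadowLastChange, which is exactly what this answer asks you to verify.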
Andrey Sapegin
Updated on September 18, 2022
Comments
-
Andrey Sapegin over 1 year
Can somebody give me advice on how to change an LDAP password that has already expired?
I have an LDAP user and the password for this user is expired:
# su user
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required (Ignored)
Then I can change the password using 'passwd'. But if I try to log in once again, the message still appears. If I try the ssh login, I also get the following message: "You are required to change your password immediately (password aged)"
Then I change the password. But if I try to log in once again, the message remains...
Thank you in advance.
P.S. I have also tried:
user@server$ ldappasswd
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
-
Andrey Sapegin over 11 years
The ldappasswd (with all parameters you suggested) runs successfully. After it I can authorise in LDAP with a new password:
ldapsearch -u -v -x -h localhost -D uid=user,ou=Users,dc=aaa,dc=bbb -W
However, 'su user' still says the same: You are required to change your password immediately (password aged)
-
Piotr Kieszczyński over 11 years
Please execute
chage -l user
-
Andrey Sapegin over 11 years
I assume I need to change the expiration date in OpenLDAP rather than with 'chage', because 'chage' says "User is not in /etc/passwd". But I have no idea how... A good OpenLDAP manual would be helpful.
-
Andrey Sapegin over 11 years
Yes, I checked, the attributes are present. But can you please advise me how I can check if the attributes are writable, and how to update them?
-
Najmuddin over 11 years
Please make sure you use an ACL that allows users to write the shadowLastChange attribute. For example:
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=people,dc=example,dc=com" attrs=shadowLastChange
    by self write
    by * read
access to dn.subtree="dc=example,dc=com"
    by * read
-
Najmuddin over 11 years
@user1075993 My previous comment includes a sample ACL (sorry, it's not formatted correctly; I don't see format options in the comment box). You can always check whether an attribute is writable or not by using the ldapmodify utility.