Update the password for a user in an LDAP directory server using the password modify extended operation (as defined in RFC 3062), a standard LDAP modify operation, or an Active Directory-specific modification.
Unless the password change method is explicitly specified (using the --passwordChangeMethod argument), this tool will attempt to automatically determine which method is the most appropriate for the target server using information provided in the server's root DSE. If the server advertises support for the password modify extended operation, then that method will be used. If it appears to be an Active Directory server, then an Active Directory-specific password change method will be selected, using a regular LDAP modify to update the unicodePwd attribute with a specially encoded value. Otherwise, a regular LDAP modify operation will be used to update the value of a specified password attribute.
The new password to set for the user may be specified in one of several ways. It may be directly provided on the command line, read from a specified file, interactively prompted from the user, or automatically generated by this tool. If the new password is not specified using any of those methods, and if the password is to be updated using the password modify extended operation, then the new password field of the request will be left blank to indicate that the server should generate a new password for the user and include it in the response to the client. If no new password is specified and some other password change method is selected, then the tool will exit with an error.
The current password for the user may also be specified. This is optional, although some servers may require a user to provide their current password when setting a new one. If a current password is provided (whether given as a command-line argument, read from a specified file, or interactively requested from the user), and if a regular LDAP modify operation is used to change the password, then the resulting modify request will include a delete of the current value and an add of the new value. If no current password is provided, then the modify request will replace any existing password(s) with the new value.
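The three request shapes described above (the RFC 3062 extended request value, the delete/add versus replace modification for a plain LDAP modify, and the Active Directory unicodePwd encoding), built offline so the wire-level differences are visible. This is an added example, not the tool's own code; the method-selection function mirrors the documented order but the Active Directory detection rule (presence of the AD-only root DSE attributes rootDomainNamingContext or domainFunctionality) is an assumption, and all root DSE inputs are constructed.

```python
"""Build the password-change requests ldappasswordmodify can send, offline.
Added example, not the tool's own code. Root DSE dicts are constructed."""

PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 extended operation


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Tag, length, value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def password_modify_request_value(user_identity=None, old_password=None,
                                  new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0] OPTIONAL,
    oldPasswd [1] OPTIONAL, newPasswd [2] OPTIONAL }.  Leaving newPasswd out
    asks the server to generate a password and return it in the response."""
    parts = b""
    for tag, value in ((0x80, user_identity), (0x81, old_password),
                       (0x82, new_password)):
        if value is not None:
            parts += ber_tlv(tag, value.encode("utf-8"))
    return ber_tlv(0x30, parts)


def ldap_modify_changes(attribute, new_password, current_password=None):
    """Modification list for the ldap-modify method: delete+add when the
    current password is known, replace (clearing all values) otherwise."""
    if current_password is None:
        return [("replace", attribute, [new_password])]
    return [("delete", attribute, [current_password]),
            ("add", attribute, [new_password])]


def active_directory_unicode_pwd(password):
    """AD expects the password wrapped in double quotes, encoded as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def active_directory_changes(new_password, current_password=None):
    """Same delete+add / replace rule as ldap-modify (assumption), applied to
    the unicodePwd attribute with AD's encoding."""
    enc = active_directory_unicode_pwd
    if current_password is None:
        return [("replace", "unicodePwd", [enc(new_password)])]
    return [("delete", "unicodePwd", [enc(current_password)]),
            ("add", "unicodePwd", [enc(new_password)])]


def choose_password_change_method(root_dse):
    """Documented selection order, driven by root DSE attributes.
    Assumption: AD is recognised by its AD-only root DSE attributes."""
    if PASSWORD_MODIFY_OID in root_dse.get("supportedExtension", []):
        return "password-modify-extended-operation"
    if "rootDomainNamingContext" in root_dse or "domainFunctionality" in root_dse:
        return "active-directory"
    return "ldap-modify"
```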
ldappasswordmodify --hostname ds.example.com --port 636 --useSSL \
     --userIdentity u:jdoe --promptForCurrentPassword --promptForNewPassword

ldappasswordmodify --hostname ds.example.com --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --userIdentity uid=jdoe,ou=People,dc=example,dc=com \
     --generateClientSideNewPassword --passwordChangeMethod ldap-modify
-V
--version
Description | Display Directory Server version information |
-H
--help
Description | Display general usage information |
--help-ldap
Description | Display help for using LDAP options |
--help-sasl
Description | Display help for using SASL options |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
Default Value | localhost |
Required | Yes |
Multi-Valued | Yes |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
--defaultTrust
Description | Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
-T {password}
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
--enableSSLDebugging
Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'. |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
-a {dnOrAuthzID}
--userIdentity {dnOrAuthzID}
Description | The identity for the user whose password should be changed. This may be a DN, or it may be an authorization identity in either the form 'dn:' followed by a user DN or 'u:' followed by a username. If neither this argument nor the --provideBindDNAsUserIdentity argument is provided, then the current authorization identity for the underlying connection will be assumed. |
Required | No |
Multi-Valued | No |
-A
--provideBindDNAsUserIdentity
Description | Explicitly provide the bind DN as the value of the user identity field in the password modify extended request, rather than omitting that field. This argument only applies when changing passwords using the password modify extended operation, although the bind DN may be used as the target entry DN for modify requests if no alternate user identity is specified. |
--usernameAttribute {attributeName}
Description | The name of the attribute that will be used to search for the user to update if the user identity is provided as a username rather than a DN, and if the password is to be updated with an LDAP modify operation rather than the password modify extended operation. This argument will be ignored if the authorization identity is provided as a DN or if the password will be changed using the password modify extended operation. If this is not provided, then a default value of 'uid' will be used for non-Active Directory servers, and default values of 'samAccountName' and 'userPrincipalName' will be used for Active Directory. This argument may be provided multiple times to specify multiple user ID attributes, in which case the search will construct an OR filter to search across each of those attributes. The resulting search must match exactly one entry for the password change attempt to proceed. |
Required | No |
Multi-Valued | Yes |
-b {dn}
--searchBaseDN {dn}
Description | The base DN to use when searching for the user to update. This will be ignored if the user identity is provided as a DN or if the password will be changed using the password modify extended operation. If this is not provided, the null DN will be used as the default search base DN. |
Default Value | |
Required | No |
Multi-Valued | Yes |
-n {password}
--newPassword {password}
Description | The new password to set for the target user. |
Required | No |
Multi-Valued | No |
-N {path}
--newPasswordFile {path}
Description | The path to a file containing the new password to set for the target user. If this argument is provided, then the file must exist, and it must contain exactly one line with only the desired new password. |
Required | No |
Multi-Valued | No |
--promptForNewPassword
Description | Interactively prompt for the new password to set for the target user. |
--generateClientSideNewPassword
Description | Have this tool generate the new password for the target user. If this argument is provided, then the new password will be displayed before sending the request to the server. |
--generatedPasswordLength {length}
Description | The number of characters to include in the generated client-side password. If this is not provided, then a default length of twelve characters will be used. |
Upper Bound | 2147483647 |
Default Value | 12 |
Required | No |
Multi-Valued | No |
--generatedPasswordCharacterSet {chars}
Description | A set of characters that may be included in the generated client-side password. This may be provided multiple times to specify multiple character sets, in which case the generated password will include at least one character from each of the sets. If this is not provided, then the generated password will be a mix of lowercase ASCII letters, uppercase ASCII letters, ASCII digits, and a selected set of ASCII symbols. |
Default Value | abcdefghijmnopqrstuvwxyz |
Required | No |
Multi-Valued | Yes |
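The guarantee described for --generatedPasswordCharacterSet (at least one character from every supplied set, default length of twelve) implemented with a CSPRNG. This is an added example, not the tool's own generator; the built-in default sets used when none are given are a constructed stand-in, not the tool's actual defaults.

```python
import secrets

DEFAULT_LENGTH = 12  # matches the documented --generatedPasswordLength default

# Constructed stand-in for the tool's default character sets (assumption).
DEFAULT_CHARACTER_SETS = [
    "abcdefghijklmnopqrstuvwxyz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "0123456789",
    "!@#$%^&*-_=+",
]


def generate_client_side_password(length=DEFAULT_LENGTH, character_sets=None):
    """Return a password of the requested length containing at least one
    character from each set, drawn from the OS CSPRNG via the secrets module."""
    if character_sets is None:
        character_sets = DEFAULT_CHARACTER_SETS
    if not character_sets or any(not s for s in character_sets):
        raise ValueError("every character set must be non-empty")
    if length < len(character_sets):
        raise ValueError("length must be at least the number of character sets")
    # One pick per set guarantees coverage of every set ...
    chars = [secrets.choice(s) for s in character_sets]
    combined = "".join(character_sets)
    chars += [secrets.choice(combined) for _ in range(length - len(chars))]
    # ... and a CSPRNG shuffle removes any positional hint of which picks
    # were the guaranteed ones.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_sets(password, character_sets):
    """Check the documented guarantee: every set contributes a character."""
    return all(any(c in s for c in password) for s in character_sets)
```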
-c {password}
--currentPassword {password}
Description | The current password to provide when setting the new password. |
Required | No |
Multi-Valued | No |
-C {path}
--currentPasswordFile {path}
Description | The path to a file containing the current password to provide when setting the new password. If this is provided, then the file must exist and it must contain exactly one line with only the user's current password. |
Required | No |
Multi-Valued | No |
--promptForCurrentPassword
Description | Interactively prompt for the user's current password. |
--bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Include the specified control in the bind request used to authenticate to the server. This may be provided multiple times to specify multiple bind request controls. |
Required | No |
Multi-Valued | No |
--useAuthorizationIdentityControl
Description | Include the authorization identity request control in the bind request to indicate that the server should return the authorization identity that resulted from the bind. |
--usePasswordPolicyControlOnBind
Description | Include the password policy request control (as described in draft-behera-ldap-password-policy) in the bind request used to authenticate to the server. |
--getAuthorizationEntryAttribute {attributeName}
Description | Include the UnboundID-proprietary get authorization entry request control in the bind request to indicate that the bind response should include the entry for the authenticated user with the specified attribute. This argument may be provided multiple times to specify that multiple attributes from the user entry should be included. |
Required | No |
Multi-Valued | Yes |
--getUserResourceLimits
Description | Include the UnboundID-proprietary get user resource limits request control in the bind request to indicate that the server should return information about resource limits (e.g., size limit, time limit, idle time limit, etc.) imposed for the user. |
-J {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
--updateControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Include the specified control in the request used to update the user's password. This may be provided multiple times to specify multiple update controls. |
Required | No |
Multi-Valued | No |
--usePasswordPolicyControlOnUpdate
Description | Include the password policy request control (as described in draft-behera-ldap-password-policy) in the request used to update the user's password. |
--noOperation
Description | Include the LDAP no-operation request control (as described in draft-zeilenga-ldap-noop) to indicate that the server should validate that the password change would likely succeed, but that the user's password should not actually be changed. |
--getPasswordValidationDetails
Description | Include the UnboundID-proprietary get password validation details request control in the request used to update the password. The corresponding response control will include information about the requirements that the server will impose for the target user and whether the provided new password satisfies each of those constraints. |
--retireCurrentPassword
Description | Include the UnboundID-proprietary retire password request control in the request used to update the password. This will indicate that the server should continue to allow the user to authenticate with their former password (in addition to the new password) for a brief period of time. |
--purgeCurrentPassword
Description | Include the UnboundID-proprietary purge password request control in the request used to update the password. This will indicate that the server should completely remove the former password from the user's entry, even if the server would have otherwise retired the former password for a brief period of time. |
--passwordUpdateBehavior {name=value}
Description | Include the UnboundID-proprietary password update behavior request control in the request used to update the password to specify settings that the server should use when updating the password. Values of this argument must be in the form 'name=value', where the property name can be any one of the following: is-self-change, allow-pre-encoded-password, skip-password-validation, ignore-password-history, ignore-minimum-password-age, password-storage-scheme, and must-change-password. The value for each property should be either 'true' or 'false', with the exception of the password-storage-scheme property, whose value should be the name of the desired password storage scheme to use to encode the new password. This argument can be provided multiple times to specify multiple password update behaviors. |
Required | No |
Multi-Valued | Yes |
--useAssuredReplication
Description | Include the UnboundID-proprietary assured replication request control to indicate that the update response should be delayed until the change has been sufficiently replicated to other servers. |
--assuredReplicationLocalLevel {level}
Description | The local assurance level to use in the assured replication request control. If provided, the value should be one of 'none' (to indicate that the update response should not be delayed for replication to local servers), 'received-any-server' (to indicate that the update response should be delayed until the change has been received by, but not necessarily applied on, at least one other local server), or 'processed-all-servers' (to indicate that the update response should be delayed until the change has been applied in all available local servers). If this is not specified, then the server will select an appropriate local assurance level. |
Required | No |
Multi-Valued | No |
--assuredReplicationRemoteLevel {level}
Description | The remote assurance level to use in the assured replication request control. The value should be one of 'none' (to indicate that the update response should not be delayed for replication to remote servers), 'received-any-remote-location' (to indicate that the update response should be delayed until the change has been received by, but not necessarily applied on, at least one server in at least one remote location), 'received-all-remote-locations' (to indicate that the update response should be delayed until the change has been received by, but not necessarily applied on, at least one server in every remote location), or 'processed-all-remote-servers' (to indicate that the update response should be delayed until the change has been applied by all available remote servers in all locations). If this is not specified, then the server will select an appropriate remote assurance level. |
Required | No |
Multi-Valued | No |
--assuredReplicationTimeout {timeout}
Description | The timeout to use for assured replication processing. If provided, the value should be in the form of an integer followed by a time unit that is one of 'nanosecond', 'microsecond', 'millisecond', 'second', 'minute', 'hour', 'day', or 'week' (or one of their plurals or abbreviations). For example, values of '500 milliseconds', '500 ms', and '500ms' all specify a timeout of 500 milliseconds. If this is not specified, then the server will select an appropriate timeout. |
Required | No |
Multi-Valued | No |
--operationPurpose {purpose}
Description | Include the UnboundID-proprietary operation purpose request control in the request sent to update the target user's password to provide additional information about the purpose for the request. |
Required | No |
Multi-Valued | No |
--passwordChangeMethod {password-modify-extended-operation|ldap-modify|active-directory}
Description | The method to use to set the password. Allowed values are 'password-modify-extended-operation' (for the password modify extended operation as described in RFC 3062), 'ldap-modify' (for a regular LDAP modify operation targeting the specified password attribute), or 'active-directory' (for an Active Directory-specific password change mechanism). If this is not specified, then the tool will attempt to automatically determine the appropriate method. |
Required | No |
Multi-Valued | No |
--followReferrals
Description | Automatically attempt to follow any referrals received when processing requests. |
--useAdministrativeSession
Description | Use an administrative session to process the bind and update operations using a dedicated pool of worker threads. This may be useful when trying to update the server when all normal worker threads are busy processing other requests. |
-v
--verbose
Description | Provide verbose output about the processing that the tool performs. |
--interactive
Description | Launch the tool in interactive mode. |
--outputFile {path}
Description | Write all standard output and standard error messages to the specified file instead of to the console. |
Required | No |
Multi-Valued | No |
--appendToOutputFile
Description | Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten. |
--teeOutput
Description | Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided. |
--propertiesFilePath {path}
Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
Required | No |
Multi-Valued | No |
--generatePropertiesFile {path}
Description | Write an empty properties file that may be used to specify default values for arguments. |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
Description | Suppress output listing the arguments obtained from a properties file. |