HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

ldappasswd -h hostname -p secure_port -Z -P /path/to/cert8.db -D bindDN \
    -w bindPassword [-a oldPassword] -s newPassword user
Table 33 ldappasswd options
Option  Description
-h      Gives the host name of the Directory Server.
-p      Gives the port number of the Directory Server. Because SSL is required for password change operations, this is usually the TLS/SSL port of the Directory Server. With -ZZ or -ZZZ for Start TLS, this can be the standard port.
-Z      Requires SSL for the connection. A secure connection is required for the password change operation. NOTE: ldappasswd also supports Start TLS encryption (-ZZ[Z]).
-P      Gives the full path to the certificate database that contains the CA certificate of the CA that issued the Directory Server client certificate. If the ldappasswd command is run on the same machine that the Directory Server is installed on, this can be /etc/opt/dirsrv/slapd-instance_name/cert8.db. If this is not given, the default is the current directory.
-D      Gives the bind DN.
-w      Gives the password for the bind DN.
-a      Optional. Gives the old password, which is being changed.
-s      Sets the new password.
To use Start TLS, which runs the command on a non-secure port, run ldappasswd with the
-ZZ option and the standard LDAP port number. The password extended change operation has
the following format:
ldappasswd -h hostname -p standard_port -ZZ -P /path/to/cert8.db -D bindDN \
    -w bindPassword -s newPassword user [-a oldPassword]
Use -ZZZ for additional certificate host name validation.
To modify an entry's password, run ldappasswd like any other LDAP operation. It is not necessary
to specify a user if the account is the same as that given in the bind DN. For example:
ldappasswd -h ldap.example.com -p 389 -ZZ \
    -D "uid=jsmith,ou=People,dc=example,dc=com" \
    -w secret -s newpassword
To change the password on an entry other than the one specified in the bind credentials, add the
user DN to the operation and provide separate credentials:
ldappasswd -h server.example.com -p 389 -ZZ -D "cn=Directory Manager" \
    -w secret -s newpassword "uid=jsmith,ou=People,dc=example,dc=com"
Access control is enforced for the password change operation. If the bind DN does not have rights
to change the specified password, the operation will fail with an Insufficient rights error.
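The password change extended operation that ldappasswd issues is the RFC 3062 Password Modify operation. The following added example (not taken from the HP guide; all function names are illustrative) encodes and decodes its request value to show how the user DN, -a and -s arguments map onto the request, and that both passwords travel as plain octet strings, which is why the operation has to run over -Z or -ZZ[Z].

```python
# Added example (not from the HP guide): BER encoding of the RFC 3062
# PasswdModifyRequestValue carried by the password change extended operation.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # extended request name, RFC 3062

def ber_len(n):
    if n < 0x80:                          # short form: one length byte
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: count, then length

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(new_password, user_dn=None, old_password=None):
    # trailing user DN -> userIdentity [0] (omitted: the bind DN's own entry)
    # -a oldPassword -> oldPasswd [1] (optional); -s newPassword -> newPasswd [2]
    fields = b""
    if user_dn is not None:
        fields += tlv(0x80, user_dn.encode("utf-8"))
    if old_password is not None:
        fields += tlv(0x81, old_password.encode("utf-8"))
    fields += tlv(0x82, new_password.encode("utf-8"))
    return tlv(0x30, fields)              # SEQUENCE wrapping the fields

def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_value(value):
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, _ = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("request value is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        out[names[tag]] = field.decode("utf-8")   # passwords are cleartext here
    return out

if __name__ == "__main__":  # constructed sample based on the guide's example
    v = passwd_modify_value("newpassword", "uid=jsmith,ou=People,dc=example,dc=com")
    print(v.hex(), decode_value(v))
```

Without the transport encryption, the decoded fields are exactly what any party able to read the connection would recover.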
7.1.4 Configuring the account lockout policy
The lockout policy works in conjunction with the password policy to provide further security. The
account lockout feature protects against hackers who try to break into the directory by repeatedly
trying to guess a user's password. The password policy can be set so that a specific user is locked
out of the directory after a given number of failed attempts to bind.
Configuring the account lockout policy is described in the following sections:
“Configuring the account lockout policy using the console”
“Configuring the account lockout policy using the command line”