Ldappasswd with RootDN bind not working

ldap

I'm trying to change password for user jdoe using ldappasswd via RootDN bind. Executed command looks like

ldappasswd -H ldap://10.12.21.10 -x -D "CN=ldap_manager,CN=Users,DC=mycompany,DC=local" -w ldap_manager_pswd -s newpasswd "CN=Jane Doe,DC=mycompany,DC=local"

but it throws an error

Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090DA1, comment: Unknown extended request OID, data 0, v1db1

Bind works fine as I can execute ldapsearch

ldapsearch -H ldap://10.12.21.10 -x -D "CN=ldap_manager,CN=Users,DC=mycompany,DC=local" -w ldap_manager_pswd "CN=Jane Doe"

Any tips what I'm missing?

Best Answer

Just a few thoughts:

Does jdoe's collection of object classes support the field userPassword?
Do you have a password policy, which needs you to enter the old password when changing to a new one?
Is CN=ldap_manager,CN=Users,DC=mycompany,DC=local allowed (via access rules) to view and/or change userPassword fields (for the user)?

Curious about your thoughts on these points!

EDIT:

Do you use AD or OpenLDAP? Please check whether the version of software you use supports the LDAP Password Modify Extended Operation (see RFC 3062). I heard that some versions of AD do not support them.

Related Solutions

Php – Connect to a Windows Server 2008R2 using php, ldap, tls fails if server has NPS service

Found it!

I had to install my SSL certificate in IIS on DALCON2. I exported it from DALCON3 in .pfx format and imported it back. iisreset et voilà!

Windows – Setting up LDAP connection between CentOS and Windows server 2008

The error message is fairly straightforward:

text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this 
operation a successful bind must be completed on the connection., data 0

That means you need to authenticate before you can query the directory. A typical command line will look something like this:

ldapsearch -x -H ldaps://dc.example.com/ -D lars@example.com -W cn=lars

This connect using simple authentication (-x) to dc.example.com using LDAP over SSL (ldaps://). I am authenticating as lars@example.com and the command will prompt me for a password (-W). I am searching for records matching cn=lars.

You can also authenticate against AD using Kerberos. Assuming everything is set up correctly, that looks like:

$ kinit lars@example.com
Password for lars@EXAMPLE>COM: 
$ ldapsearch -H ldap://dc.example.com cn=lars

In either case, you generally want to create accounts specifically to act as bind credentials, rather than using an administrative or a user account.

It is possible to configure Active Directory to allow anonymous binds. It is also possible to set up something else -- e.g., OpenLDAP -- as an anonymous bind proxy for AD.

Best Answer

Related Solutions

Php – Connect to a Windows Server 2008R2 using php, ldap, tls fails if server has NPS service

Windows – Setting up LDAP connection between CentOS and Windows server 2008

Related Topic