Managing the Password Policy

Chapter 7 User Account Management

For more information on how to use the ldappasswd utility, see the OpenLDAP documentation at http://www.openldap.org, or type man ldappasswd at the command line for the ldappasswd manpage.

To modify an entry’s password, run ldappasswd like any other LDAP operation. It is not necessary to specify a user if the account is the same as that given in the bindDN. For example:

    ./ldappasswd -H ldaps://server.example.com:636 -ZZ -P \
        -K /export/servers/alias/key3.db \
        -D "uid=jsmith,ou=People,dc=example,dc=com" -w oldpassword \
        -a oldpassword -s newpassword

To change the password on an entry other than the one specified in the bind credentials, run ldappasswd as shown below, adding the user DN to the operation and providing separate credentials:

    ldappasswd -H ldaps://server.example.com:636 -ZZ -P \
        -K /export/servers/alias/key3.db \
        -D "cn=Directory Manager" -w rootpassword \
        -a oldpassword -s newpassword \
        "uid=jsmith,ou=People,dc=example,dc=com"

Access control is enforced for the password change operation. If the bindDN does not have rights to change the specified password, the operation will fail with an “Insufficient rights” error.

NOTE: This operation supports Start TLS encryption (-ZZ[Z]), and you must use a secure connection for the password change operation.

NOTE: If your certificates are either self-signed or are issued by a certificate authority not trusted by the client application, then you may need to create a configuration file which contains the option TLS_REQCERT never, which suppresses certificate verification, or TLS_CACERT /path/to/cacert.pem, which specifies the path to your CA certificate. Set the LDAPCONF environment variable to this file.
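The configuration file from the second note, as an added example that is not part of the original guide: one function writes a file that trusts the CA through TLS_CACERT instead of using TLS_REQCERT never, and the other checks a file before LDAPCONF is pointed at it. The function names and paths are assumptions; the check treats allow the same as never, and assumes demand (the OpenLDAP client default) when TLS_REQCERT is unset.

```shell
#!/bin/sh
# Added example; function names and all paths are placeholders.

# Write a client config that trusts one CA and keeps verification on.
write_ldap_conf() {   # usage: write_ldap_conf <conf-file> <ca-cert.pem>
    ( umask 077
      printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$2" > "$1" )
}

# Return 0 when the file keeps certificate verification enabled and names a
# CA certificate; otherwise print the reason and return 1.
audit_ldap_conf() {   # usage: audit_ldap_conf <conf-file>
    reqcert=demand    # assumed default when the option is absent
    cacert=
    while read -r key value _ || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        # ldap.conf option names are case-insensitive
        key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case $key in
            TLS_REQCERT)
                reqcert=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
            TLS_CACERT)
                cacert=$value ;;
        esac
    done < "$1"
    case $reqcert in
        never|allow)
            echo "$1: TLS_REQCERT $reqcert accepts any server certificate"
            return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$1: no TLS_CACERT, a self-signed or private CA will not verify"
        return 1
    fi
    return 0
}

# Constructed demo: the weak file from the note beside the corrected one.
demo=$(mktemp -d)
printf 'TLS_REQCERT never\n' > "$demo/weak.conf"
write_ldap_conf "$demo/good.conf" /path/to/cacert.pem
audit_ldap_conf "$demo/weak.conf" || echo "weak.conf rejected"
audit_ldap_conf "$demo/good.conf" && echo "ok: export LDAPCONF=$demo/good.conf"
```

With the corrected file in place, exporting LDAPCONF before running ldappasswd lets the Start TLS handshake verify the server against the named CA rather than skipping the check.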