.TH LDAPPASSWD 1 "5 December 1998" "LDAPPasswd" .SH NAME ldappasswd \- change the password of an LDAP entry .SH SYNOPSIS .B ldappasswd [\c .BI \-a \ passwdattribute\fR] [\c .BI \-b \ searchbase\fR] [\c .BI \-D \ binddn\fR] [\c .BI \-d \ debuglevel\fR] [\c .BR \-E ] [\c .BI \-e \ passwd\fR] [\c .BI \-g \ pwlen\fR] [\c .BI \-H \ none\fR\||\|\fIcrypt\fR\||\|\fImd5\fR\||\|\fIsmd5\fR\||\|\fIsha\fR\||\|\fIssha] [\c .BI \-h \ ldaphost\fR] [\c .BR \-K ] [\c .BR \-k ] [\c .BI \-l \ searchtime\fR] [\c .BR \-n ] [\c .BI \-P \ 2\fR\||\|\fI3\fR] [\c .BI \-p \ ldapport\fR] [\c .BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR] [\c .BI \-t \ targetdn\fR] [\c .BR \-v ] [\c .BR \-W ] [\c .BI \-w \ passwd\fR] [\c .BI \-z \ searchsize\fR] [\fIfilter\fR] .SH DESCRIPTION .B ldappasswd is a tool to modify the password of one or more LDAP entries. Multiple entries can be specified using a search filter. It is neither designed nor intended to be a replacement for .BR passwd (1) and should not be installed as such. .LP .B ldappasswd works by specifying a single target dn or by using a search filter. Matching entries will be modified with the new password. If the new password is not specified on the command line, the user will be prompted to enter it. The new password will be hashed using .I crypt or any other supported hashing algorithm. For hashing algorithms other than .I crypt or .IR none , the stored password will be base64 encoded. Salts are only generated for crypt and are based on the least significant bits of the current time and other psuedo randomness. .SH OPTIONS .TP .BI \-a \ passwdattribute Specify the LDAP attribute to change. The default is "userPassword". .TP .BI \-b \ searchbase Use \fIsearchbase\fP as the starting point for the search instead of the default. .TP .B \-H \fInone\fR\||\|\fIcrypt\fR\||\|\fImd5\fR\||\|\fIsmd5\fR\||\|\fIsha\fR\||\|\fIssha Specify the hashing algorithm used to store the password. The default is .IR crypt . .TP .BI \-D \ binddn Use \fIbinddn\fP to bind to the X.500 directory. \fIbinddn\fP should be a string-represented DN as defined in RFC 1779. .TP .BI \-d \ debuglevel Set the LDAP debugging level to \fIdebuglevel\fP. .B ldappasswd must be compiled with LDAP_DEBUG defined for this option to have any effect. .TP .BI \-g \ pwlen Auto-generate passwords of length \fIpwlen\fR. Passwords will be displayed when using verbose, .BR -vvv . .TP .BI \-h \ ldaphost Specify an alternate host on which the ldap server is running. .TP .B \-K Same as -k, but only does step 1 of the kerberos bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your kerberos servers. .TP .B \-k Use Kerberos authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. .B ldappasswd must be compiled with KERBEROS defined for this option to have any effect. .TP .BI \-l \ searchtime Specify a maximum query time in seconds. .TP .B \-n Make no modifications. (Can be useful when used in conjunction with .BR \-v \ or .BR \-d ) .TP .BI \-P \ 2\fR\||\|\fI3 Specify the LDAP protocol version to use. .TP .BI \-p \ ldapport Specify an alternate port on which the ldap server is running. .TP .BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR Specify the scope of the search. The default is .IR base . .TP .B \-t \fR[\fItargetdn\fR] Specify the target dn to modify. If an argument is not given, the target dn will be the binddn. .TP .B \-v The more v's the more verbose. .TP .BI \-W Prompt for simple authentication. This is used instead of specifying the password on the command line. .TP .BI \-w \ passwd Use \fIpasswd\fP as the password for simple authentication. .TP .BI \-z \ searchsize Specify a maximum query size. .SH AUTHOR David E. Storey .SH "SEE ALSO" .BR ldapadd (1), .BR ldapdelete (1), .BR ldapmodrdn (1), .BR ldapsearch (1)