-.TH LDAPPASSWD 1 "5 December 1998" "LDAPPasswd"
+.TH LDAPPASSWD 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
ldappasswd \- change the password of an LDAP entry
.SH SYNOPSIS
.B ldappasswd
[\c
-.BI \-a \ passwdattribute\fR]
+.BR \-A ]
[\c
-.BI \-b \ searchbase\fR]
+.BI \-a \ oldPasswd\fR]
[\c
-.BI \-c \ none\fR\||\|\fIcrypt\fR\||\|\fImd5\fR\||\|\fIsha\fR]
+.BI \-t \ oldpasswdfile\fR]
[\c
.BI \-D \ binddn\fR]
[\c
.BI \-d \ debuglevel\fR]
[\c
-.BI \-h \ ldaphost\fR]
+.BI \-H \ ldapuri\fR]
[\c
-.BI \-l \ searchtime\fR]
+.BI \-h \ ldaphost\fR]
[\c
-.B \-n\fR]
+.BR \-n ]
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR]
+.BR \-S ]
+[\c
+.BI \-s \ newPasswd\fR]
+[\c
+.BI \-T \ newpasswdfile\fR]
+[\c
+.BR \-v ]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BR \-O \ security-properties ]
[\c
-.BR \-t \ [\fItargetdn\fR]\ ]
+.BR \-I ]
[\c
-.B \-v\fR]
+.BR \-Q ]
[\c
-.BI \-W \ newpasswd\fR]
+.BI \-U \ authcid\fR]
[\c
-.BR \-w \ [\fIpasswd\fR] ]
+.BI \-R \ realm\fR]
[\c
-.BI \-z \ searchsize\fR]
-[\fIfilter\fR]
+.BR \-x ]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z[Z] ]
+[\c
+.IR user ]
.SH DESCRIPTION
.B ldappasswd
-is a tool to modify the password of one or more LDAP entries.
-Multiple entries can be specified using a search filter.
-It is neither designed nor intended to be a replacement for
-.BR passwd (1)
-and should not be installed as such.
+is a tool to set the password of an LDAP user.
+.B ldappasswd
+uses the LDAPv3 Password Modify (RFC 3062) extended operation.
.LP
.B ldappasswd
-works by specifying a single target dn or by using a search filter.
-Matching entries will be modified with the new password.
-If the new password is not specified on the command line, the user
-will be prompted to enter it.
-The new password will be hashed using
-.I crypt
-or any other supported hashing algorithm.
-For hashing algorithms other than
-.I crypt
-or
-.IR none ,
-the stored password will be base64 encoded.
-Salts are only generated for crypt and are based on the least
-significant bits of the current time and other psuedo randomness.
+sets the password of associated with the user [or an optionally
+specified
+.IR user ].
+If the new
+password is not specified on the command line and the user
+doesn't enable prompting, the server will be asked to generate
+a password for the user.
+.LP
+.B ldappasswd
+is neither designed nor intended to be a replacement for
+.BR passwd (1)
+and should not be installed as such.
.SH OPTIONS
.TP
-.BI \-a \ passwdattribute
-Specify the LDAP attribute to change. The default is "userPassword".
+.BI \-A
+Prompt for old password.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-a \ oldPasswd
+Set the old password to \fIoldPasswd\fP.
.TP
-.BI \-b \ searchbase
-Use \fIsearchbase\fP as the starting point for the search instead of
-the default.
+.BI \-t \ oldPasswdFile
+Set the old password to the contents of \fIoldPasswdFile\fP.
.TP
-.B \-c \fInone\fR\||\|\fIcrypt\fR\||\|\fImd5\fR\||\|\fIsha\fR
-Specify the hashing algorithm used to store the password. The default is
-.IR crypt .
+.B \-x
+Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
-Use \fIbinddn\fP to bind to the X.500 directory. \fIbinddn\fP should be
-a string-represented DN as defined in RFC 1779.
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
.TP
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.B ldappasswd
must be compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
+Deprecated in favor of -H.
.TP
-.BI \-l \ searchtime
-Specify a maximum query time in seconds.
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of -H.
.TP
.B \-n
-Make no modifications. (Can be useful when used in conjunction with
+Do not set password. (Can be useful when used in conjunction with
.BR \-v \ or
.BR \-d )
.TP
-.BI \-p \ ldapport
-Specify an alternate port on which the ldap server is running.
+.BI \-S
+Prompt for new password.
+This is used instead of specifying the password on the command line.
.TP
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR
-Specify the scope of the search. The default is
-.IR base .
+.BI \-s \ newPasswd
+Set the new password to \fInewPasswd\fP.
.TP
-.B \-t \fR[\fItargetdn\fR]
-Specify the target dn to modify.
-If an argument is not given, the target dn will be the binddn.
+.BI \-T \ newPasswdFile
+Set the new password to the contents of \fInewPasswdFile\fP.
.TP
.B \-v
-The more v's the more verbose.
+Increase the verbosity of output. Can be specified multiple times.
+.TP
+.BI \-W
+Prompt for bind password.
+This is used instead of specifying the password on the command line.
.TP
-.BI \-W \ newpasswd
-Specify the new password.
-If this argument is not given, the user will be prompted to enter the new password.
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password to bind with.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: <distinguished name>
+or
+.BI u: <username>\fP.
.TP
-.BR \-w \ [\fIpasswd\fR]
-Use \fIpasswd\fP as the password for simple authentication.
-If \fIpasswd\fR is not supplied, the user will be prompted to enter one.
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
.TP
-.BI \-z \ searchsize
-Specify a maximum query size.
+.B \-Z[Z]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+.BR \-ZZ ,
+the command will require the operation to be successful
+.SH SEE ALSO
+.BR ldap_sasl_bind (3),
+.BR ldap_extended_operation (3),
+.BR ldap_start_tls_s (3)
.SH AUTHOR
-David E. Storey <dave@tamos.net>
-.SH "SEE ALSO"
-.BR ldapadd (1),
-.BR ldapdelete (1),
-.BR ldapmodrdn (1),
-.BR ldapsearch (1)
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
projects / openldap / blobdiff