-.TH LDAPPASSWD 1 "20 April 2000" "LDAPPasswd"
+.TH LDAPPASSWD 1 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
ldappasswd \- change the password of an LDAP entry
.BR \-A ]
[\c
.BI \-a \ oldPasswd\fR]
-.BI \-D \ binddn\fR
+[\c
+.BI \-t \ oldpasswdfile\fR]
+[\c
+.BI \-D \ binddn\fR]
[\c
.BI \-d \ debuglevel\fR]
[\c
+.BI \-H \ ldapuri\fR]
+[\c
.BI \-h \ ldaphost\fR]
[\c
.BR \-n ]
[\c
.BI \-s \ newPasswd\fR]
[\c
+.BI \-T \ newpasswdfile\fR]
+[\c
.BR \-v ]
[\c
.BR \-W ]
[\c
.BI \-w \ passwd\fR]
[\c
-.BR \-E[E] ]
+.BI \-y \ passwdfile\fR]
+[\c
+.BR \-O \ security-properties ]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
[\c
-.BR \-I[I] ]
+.BI \-U \ authcid\fR]
[\c
-.BI \-U \ username\fR]
+.BI \-R \ authcid\fR]
+[\c
+.BR \-x ]
[\c
.BI \-X \ authzid\fR]
[\c
+.BI \-R \ realm\fR]
+[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
+[\c
+.IR user ]
.SH DESCRIPTION
.B ldappasswd
is a tool to set the password of an LDAP user.
-It is neither designed nor intended to be a replacement for
-.BR passwd (1)
-and should not be installed as such.
+.B ldappasswd
+uses the LDAPv3 Password Modify (RFC 3062) extended operation.
.LP
.B ldappasswd
-sets the password of associated with the user. If the new
-password is not specified on the command line or the user
+sets the password of associated with the user [or an optionally
+specified
+.IR user ].
+If the new
+password is not specified on the command line and the user
doesn't enable prompting, the server will be asked to generate
a password for the user.
+.LP
+.B ldappasswd
+is neither designed nor intended to be a replacement for
+.BR passwd (1)
+and should not be installed as such.
.SH OPTIONS
.TP
.BI \-A
.BI \-a \ oldPasswd
Set the old password to \fIoldPasswd\fP.
.TP
+.BI \-t \ oldPasswdFile
+Set the old password to the contents of \fIoldPasswdFile\fP.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
.BI \-D \ binddn
-Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should
-be a string-represented DN as defined in RFC 2253.
-This flag is not optional. The user DN will be used if the
-bind DN is not provided.
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
.TP
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.B ldappasswd
must be compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
+Deprecated in favor of -H.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of -H.
.TP
.B \-n
Do not set password. (Can be useful when used in conjunction with
.BI \-s \ newPasswd
Set the new password to \fInewPasswd\fP.
.TP
-.BI \-p \ ldapport
-Specify an alternate port on which the ldap server is running.
+.BI \-T \ newPasswdFile
+Set the new password to the contents of \fInewPasswdFile\fP.
.TP
.B \-v
Increase the verbosity of output. Can be specified multiple times.
.BI \-w \ passwd
Use \fIpasswd\fP as the password to bind with.
.TP
-.B \-E[E]
-Requset the use of SASL privacy (encryption). If the server allows it, data
-sent between the client and the server will be encrypted. If the server
-requires the use of encryption and this flag is not specified, the command
-will fail. If you use
-.B \-EE\c
-, the command will fail if the server does not support encryption.
-.B \-E[E]
-implies
-.B \-I[I]
-.TP
-.B \-I[I]
-Request the use of SASL integrity checking. It protects data sent between the
-client and the server from being modified along the way, but it does not
-prevent sniffing. If the server requires the use of integrity checking and
-this flag is not specified, the command will fail.If you use
-.B \-II\c
-, the command will fail if the server does not support this function.
-.TP
-.BI \-U \ username
-Specify the username for SASL bind. The syntax of the username depends on the
-actual SASL mechanism used.
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
.TP
.BI \-X \ authzid
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: <distinguished name>
or
-.B u:\c
-.I <username>
+.BI u: <username>\fP.
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
.TP
.B \-Z[Z]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.B \-ZZ\c
-, the command will require the operation to be successful.
+.BR \-ZZ ,
+the command will require the operation to be successful
.SH SEE ALSO
-.BR ldap_bind (3)
+.BR ldap_sasl_bind (3),
+.BR ldap_extended_operation (3),
+.BR ldap_start_tls_s (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.
+.so ../Project