How can a user change his password in LDAP

  • 2953444
  • 20-Aug-1999
  • 20-Aug-1999
  • 3

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Symptoms

A user is not able to change his own password using standard LDAP calls to an NLDAP server.

Cause

Only an administrator with rights to the user object can set a password without supplying the existing one. A user changing his own password must prove knowledge of the current password: the request has to carry both the current password *and* the new password. In Moab and SKADS this requirement prevents a user from changing his own password through LDAP at all (an admin can still do it). Starting with NDS 8 Update 1, a single LDAP modify request that deletes the userPassword attribute (supplying the current value) *and* adds userPassword with the new value lets a user change his own password.

It is important to note that the Novell LDAP implementation is actually stricter here than the Netscape implementation. Netscape Directory Server does not require the original password for the change itself, only for the bind. That means anyone who walks up to an unattended workstation with a bound session can change the password without knowing it.
Note also that NDS does not store userPassword as a plain value; it is stored as an RSA public/private key pair in order to provide the highest security possible.

Solutions

The current fix works ONLY on a NetWare 5 server running NDS 8 Update 1 or later (DS.NLM 8.17 or later) with NLDAP 3.12. It has not been ported back to NetWare 5 with legacy NDS.

The example LDIF change record below will work on a NetWare NLDAP server. Novell is working on an LDAP proposal to accomplish this with a single LDAP call.

dn: cn=********,ou=xxx,ou=yyy,o=zzz
changetype: modify
delete: userPassword
userPassword: *******
-
add: userPassword
userPassword: ********
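The following is an added example and not part of the original TID or of any Novell code. It models why the delete-plus-add record above is safer than a plain replace: parse_modify() reads an LDIF "changetype: modify" record like the one above, and apply_modify() applies it to an in-memory entry with LDAP modify semantics, so the delete of userPassword only succeeds when the supplied current value is really present, while a replace needs no proof at all. The entry layout, the DN "cn=jdoe,ou=xxx,ou=yyy,o=zzz" and the passwords are constructed for the example; the numeric result codes are the standard LDAP resultCode values.

```python
# Added example, not from the original TID: a model of the two password-change
# semantics the article contrasts. parse_modify() reads an LDIF modify record
# like the one above; apply_modify() applies it to an in-memory entry with LDAP
# semantics, so deleting userPassword with the *current* value only succeeds
# when that value is really present. Entry layout, DN and passwords are
# constructed for the example; result codes are standard LDAP resultCode values.
import base64

SUCCESS = 0                     # LDAP resultCode: success
NO_SUCH_ATTRIBUTE = 16          # delete of a value/attribute that is not there
ATTRIBUTE_OR_VALUE_EXISTS = 20  # add of a value that is already present

def _unfold(ldif):
    """Join LDIF continuation lines (leading space); drop blanks and comments."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        elif line and not line.startswith("#"):
            out.append(line)
    return out

def _split(line):
    """Split 'attr: value' or 'attr:: base64value' into (attr, value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode()
    return name.strip().lower(), rest.strip()

def parse_modify(ldif):
    """Parse one LDIF modify record into (dn, [(op, attr, [values]), ...])."""
    lines = _unfold(ldif)
    name, dn = _split(lines[0])
    if name != "dn" or _split(lines[1]) != ("changetype", "modify"):
        raise ValueError("expected a 'dn:' line followed by 'changetype: modify'")
    mods, current = [], None
    for line in lines[2:]:
        if line == "-":                           # end of one mod-spec
            mods.append(current)
            current = None
            continue
        name, value = _split(line)
        if current is None:                       # "delete: userPassword" etc.
            if name not in ("add", "delete", "replace"):
                raise ValueError(f"unexpected mod op {name!r}")
            current = (name, value.lower(), [])
        elif name == current[1]:                  # "userPassword: value"
            current[2].append(value)
        else:
            raise ValueError(f"{name!r} inside mod-spec for {current[1]!r}")
    if current is not None:
        mods.append(current)
    return dn, mods

def apply_modify(entry, mods):
    """Apply mods to entry (dict attr -> list of values) atomically: on failure
    the LDAP result code is returned and the entry is left unchanged."""
    work = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        have = work.get(attr, [])
        if op == "delete":
            if attr not in work:
                return NO_SUCH_ATTRIBUTE
            for v in values:                      # a wrong current password fails here
                if v not in have:
                    return NO_SUCH_ATTRIBUTE
                have.remove(v)
            if values and have:
                work[attr] = have
            else:                                 # no values given, or none left
                del work[attr]
        elif op == "add":
            for v in values:
                if v in have:
                    return ATTRIBUTE_OR_VALUE_EXISTS
                have.append(v)
            work[attr] = have
        else:                                     # replace: no proof of the old value
            work[attr] = list(values)
    entry.clear()
    entry.update(work)
    return SUCCESS

def self_password_change(entry, dn, old_password, new_password):
    """The NDS 8 Update 1 sequence from the TID: one modify request that deletes
    userPassword with the current value and adds it with the new value."""
    ldif = "\n".join([f"dn: {dn}", "changetype: modify",
                      "delete: userPassword", f"userPassword: {old_password}", "-",
                      "add: userPassword", f"userPassword: {new_password}"])
    _, mods = parse_modify(ldif)
    return apply_modify(entry, mods)

if __name__ == "__main__":
    dn, entry = "cn=jdoe,ou=xxx,ou=yyy,o=zzz", {"userpassword": ["OldSecret1"]}
    print(self_password_change(entry, dn, "OldSecret1", "NewSecret2"), entry)  # 0, changed
    print(self_password_change(entry, dn, "guess", "Attacker3"), entry)        # 16, unchanged
    print(apply_modify(entry, [("replace", "userpassword", ["Attacker3"])]), entry)  # 0
```

Against a real server the record is sent as one modify operation, bound as the user whose password is being changed; with OpenLDAP's ldapmodify (an assumption, the TID names no client tool) that is "ldapmodify -x -H ldap://server -D "cn=jdoe,ou=xxx,ou=yyy,o=zzz" -W -f change.ldif". Because both the current and the new password travel in the request, use an SSL/TLS-protected connection where the server offers one; the TID does not address transport protection.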
