LDAP: Password Modify Extended Request


The Password Modify Extended Request, defined in RFC 3062, is an LDAP extended operation for changing a password. The request can carry the existing password alongside the new one, and a server can be configured to insist on it, which matters when a security audit requires that a user prove knowledge of the old password before setting a new one. The object identifier (OID) of the extended request is 1.3.6.1.4.1.4203.1.11.1.

Extended Operations

Extended operations, described in RFC 4511, are the mechanism by which new operations are added to LDAP without changing the core protocol; they are defined either in IETF documents or privately by a server vendor. An extended operation is a request-response pair. The ExtendedRequest carries the object identifier (in dotted-decimal form) that names the operation and an optional request value encoded as an octet string; the ExtendedResponse carries the result code together with an optional response name and response value, also an octet string. The OIDs a server supports are listed in the supportedExtension attribute of the root DSE, and LDAP clients should check the root DSE before sending a request control or an extended operation rather than assuming support. For a discussion of LDAP programming practices, see the article “LDAP: Programming Practices”.
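The octet string mentioned above is, for this operation, the BER encoding of the PasswdModifyRequestValue from RFC 3062. The following Python is an added example, not code from the original post and not part of the UnboundID LDAP SDK: it builds that value by hand, wraps it in the LDAPMessage/ExtendedRequest envelope from RFC 4511, and parses the PasswdModifyResponseValue that carries a server-generated password. The tag constants are the IMPLICIT context-specific tags those RFCs define; the sample DNs and passwords are constructed for illustration only.

```python
"""Added example: RFC 3062 Password Modify request/response values in raw BER."""
from typing import Optional, Tuple

PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific IMPLICIT tags (RFC 3062 request/response values, RFC 4511 envelope).
TAG_USER_IDENTITY = 0x80      # [0] userIdentity in PasswdModifyRequestValue
TAG_OLD_PASSWD = 0x81         # [1] oldPasswd
TAG_NEW_PASSWD = 0x82         # [2] newPasswd
TAG_GEN_PASSWD = 0x80         # [0] genPasswd in PasswdModifyResponseValue
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_REQUEST_NAME = 0x80       # [0] requestName (LDAPOID)
TAG_REQUEST_VALUE = 0x81      # [1] requestValue (OCTET STRING)


def _ber_length(n: int) -> bytes:
    """Definite-length length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(content)) + content


def _ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER, used for the non-negative messageID."""
    if value < 0:
        raise ValueError("LDAP messageID is non-negative")
    return _tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def encode_password_modify_value(user_identity: Optional[bytes] = None,
                                 old_password: Optional[bytes] = None,
                                 new_password: Optional[bytes] = None) -> bytes:
    """SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, every field OPTIONAL.
    No userIdentity means the bound DN; no newPasswd asks the server to generate one."""
    content = b""
    if user_identity is not None:
        content += _tlv(TAG_USER_IDENTITY, user_identity)
    if old_password is not None:
        content += _tlv(TAG_OLD_PASSWD, old_password)
    if new_password is not None:
        content += _tlv(TAG_NEW_PASSWD, new_password)
    return _tlv(TAG_SEQUENCE, content)


def encode_extended_request_message(message_id: int, oid: str, value: Optional[bytes]) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { [0] requestName, [1] requestValue OPTIONAL } }."""
    op = _tlv(TAG_REQUEST_NAME, oid.encode("ascii"))
    if value is not None:
        op += _tlv(TAG_REQUEST_VALUE, value)
    return _tlv(TAG_SEQUENCE, _ber_integer(message_id) + _tlv(TAG_EXTENDED_REQUEST, op))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at buf[pos]; reject indefinite, oversized and truncated lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[pos:end], end


def _sequence_members(value: bytes) -> list:
    """Unpack one SEQUENCE into (tag, content) pairs, refusing trailing bytes."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    members, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        members.append((tag, content))
    return members


def decode_password_modify_value(value: bytes) -> dict:
    """Inverse of encode_password_modify_value, for inspecting a captured request."""
    names = {TAG_USER_IDENTITY: "user_identity", TAG_OLD_PASSWD: "old_password",
             TAG_NEW_PASSWD: "new_password"}
    fields = {"user_identity": None, "old_password": None, "new_password": None}
    for tag, content in _sequence_members(value):
        if tag not in names:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswdModifyRequestValue")
        fields[names[tag]] = content
    return fields


def decode_password_modify_response(value: Optional[bytes]) -> Optional[bytes]:
    """SEQUENCE { [0] genPasswd OPTIONAL }: the generated password, or None if absent."""
    if not value:
        return None
    generated = None
    for tag, content in _sequence_members(value):
        if tag != TAG_GEN_PASSWD:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswdModifyResponseValue")
        generated = content
    return generated


if __name__ == "__main__":
    # Constructed sample: the bound user changes its own password (no userIdentity).
    req_value = encode_password_modify_value(old_password=b"secret", new_password=b"hunter2")
    print(encode_extended_request_message(6, PASSWORD_MODIFY_OID, req_value).hex())
    # Constructed sample response value carrying a server-generated password.
    print(decode_password_modify_response(b"\x30\x0a\x80\x08kfm10hdd"))
```

Two points worth noticing in the output. First, both passwords travel in the clear inside the request value, so this operation belongs on a TLS-protected connection just as a simple bind does. Second, the decoder refuses indefinite lengths, lengths that run past the buffer and trailing bytes after the SEQUENCE; a client that parses extended responses from an untrusted server should be at least this strict. With the UnboundID LDAP SDK none of this hand encoding is needed: PasswordModifyExtendedRequest produces the same bytes and RootDSE.supportsExtendedOperation performs the root DSE check the article recommends.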

Example Code

The file PasswordModifyExtendedOperationDemo.java illustrates how to use the Password Modify Extended Request to change the password. Caveats:

  • The UnboundID LDAP SDK must be available on the CLASSPATH.
  • The server must support the Password Modify Extended Request; its OID should appear in the root DSE.
  • The existing password must be known.
  • The password policy to which the test user is subject must allow the entry to change its own password.
  • If the --newPassword command line option is not present, the request omits the new password, and the server must generate one and return it in the Password Modify Extended Response.

The example also uses a connection pool. Pooling is unnecessary for a trivial one-request program, but it is good practice, so the example does it anyway. The example can be executed with a command something like:

java -cp CLASSPATH \
 samplecode.PasswordModifyExtendedOperationDemo \
 --hostname hostname \
 --port port \
 --bindDn DN \
 --bindPassword existingPassword \
 --newPassword newPassword

In the above example invocation, if the existing password is specified correctly, the password of the specified DN is changed to newPassword. To have the server generate a password, use the following invocation:

java -cp CLASSPATH \
 samplecode.PasswordModifyExtendedOperationDemo \
 --hostname hostname \
 --port port \
 --bindDn DN \
 --bindPassword existingPassword

The result of executing this command on my local test system:

[09/Dec/2011:07:34:04 -0500] The '--newPassword' option was
 not specified on the command line. The directory server
 must now generate a new password assuming the correct
 old password was specified with the '--bindPassword' option.
[09/Dec/2011:07:34:05 -0500] Result of the password modify
 extended request:
 PasswordModifyExtendedResult(resultCode=0 (success), messageID=6, generatedPassword='kfm10hdd')
 PasswordModifyExtendedOperationDemo has completed processing. The result code was: 0 (success)

The sample code is also available at PasswordModifyExtendedOperationDemo.java (click the filename to view).

About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, Java, LDAP.

2 Responses to LDAP: Password Modify Extended Request

  1. Ahmed Yehia says:

    Hello, thanks for your shared information.
    But I have a question: is there any way to reset a password without having the old password, as if a user forgets his password and wants to reset it to a new password?

  2. Yes, if the server permits it, an LDAP client can set the value of the password attribute using a simple MODIFY request. Or, an administrator with sufficient rights can reset the password of another user. On the UnboundID Directory Server, resetting another user's password requires the ‘password-reset’ privilege, as well as normal access controls. However, some professional-quality servers can be configured to require the existing password along with the new password.
