I have installed a directory server but I can't change a user's password. I have used this command:

[root@xxxx]# ldappasswd -x -D "cn=directory manager" -W "uid=xxxxx,ou=xxxx,dc=xxx,dc=xx" -S

New password:

Re-enter new password:

Enter LDAP Password:

Result: Confidentiality required (13)

Additional info: Operation requires a secure connection.

Important: This command works on OpenLDAP, I've already tested it! Where is the error?

Thanks in advance!

  • The message "Additional info: Operation requires a secure connection." is quite obvious, isn't it? – joschi Jun 21 '10 at 09:14
  • It is not obvious! I did not put any special restrictions in place when I configured the server... Nor should I be forced to change passwords over a "secure connection"... Indeed, this "secure connection" problem does not exist with OpenLDAP... Otherwise, do you think it's because of the "-x"?? – Jun 21 '10 at 11:48
  • @Emanuele - Changing passwords over an insecure connection is a really bad idea, so having it as a default requirement simply makes sense. Forget about what you can or can't do with a different product, as it's completely irrelevant. – John Gardeniers Jun 22 '10 at 23:07

2 Answers

Read the documentation on the product. It appears that by default it does require security. That is a difference between 389 and OpenLDAP. If they were supposed to be exactly the same, then no one would have bothered forking 389 off into a different project, right?

Edit -

Despite your protestation below, "Read the documentation" is a great answer, and it's clear that you didn't. The end of this page explicitly tells you that you must use TLS with ldappasswd

This operation supports Start TLS encryption (-ZZ[Z]), and you must use a secure connection for the password change operation.

  • 389DS didn't originate from OpenLDAP, it's the result of Red Hat buying and open sourcing Netscape DS. – Ryan Bair Jun 22 '10 at 20:49
  • Reading further, you're correct. Because the OP was asking why 389 didn't work exactly the same as OpenLDAP, I wrongly assumed that the former was derived from the latter. Since they're not related, it only makes my point stronger: don't assume they operate the same. – mfinni Jun 22 '10 at 20:59

ldappasswd cannot be used with non-SSL connections. Do you have your fedora-ds configured with SSL? If not, use the link below to configure your fedora-ds with SSL:

http://lists.fedoraproject.org/pipermail/389-users/2012-March/014200.html

After configuring fedora-ds with SSL, use the following for StartTLS:

# StartTLS on the plain port; -ZZ (two Z) aborts the command if TLS cannot be negotiated
ldappasswd -x -ZZ -H ldap://server.example.com -D "cn=directory manager" -W -S "uid=xxxxx,ou=xxxx,dc=xxx,dc=xx"

or the following to use SSL from the start (LDAPS):

# -H takes a URI; -h only takes a hostname, so ldaps:// must be given with -H
ldappasswd -x -H ldaps://server.example.com -D "cn=directory manager" -W -S "uid=xxxxx,ou=xxxx,dc=xxx,dc=xx"

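Both answers come down to the same rule: the server only accepts the password change once the connection is already protected by TLS, and the client must not fall back to cleartext if TLS cannot be set up. The following POSIX sh wrapper is an added example, not code from either answer, from the question, or from 389 DS. It only ever invokes ldappasswd over ldaps:// or over ldap:// with a mandatory StartTLS (-ZZ), refuses any other URI, and extracts the numeric result code from the client's "Result:" line so a script can react to 13 (confidentialityRequired) rather than grepping the free-text message. The hostname ds.example.com, the DNs, the DRY_RUN variable and the SAMPLE_OUTPUT string are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answers or from 389 DS.
# A wrapper around OpenLDAP's ldappasswd that only ever sends a password
# change over TLS, which is what the "Confidentiality required (13)" result
# in the question is enforcing. Hostnames, DNs and the sample output below
# are constructed for illustration.

# ldappasswd_tls URI BIND_DN TARGET_DN
# Runs ldappasswd with -x (simple bind), -W (prompt for the bind password)
# and -S (prompt for the new password), adding the TLS option the URI needs.
# Set DRY_RUN=1 to print the command line instead of executing it.
ldappasswd_tls() {
    uri=$1; bind_dn=$2; target_dn=$3
    set -- ldappasswd -x -H "$uri" -D "$bind_dn" -W -S
    case $uri in
        ldaps://*)
            # TLS is negotiated before any LDAP traffic; nothing to add.
            ;;
        ldap://*)
            # Cleartext port: request StartTLS. -ZZ (two Z) makes the client
            # abort if StartTLS fails; a single -Z only tries, and would let
            # the bind password and the new password go out unencrypted.
            set -- "$@" -ZZ
            ;;
        *)
            echo "refusing '$uri': not an ldap:// or ldaps:// URI" >&2
            return 1
            ;;
    esac
    set -- "$@" "$target_dn"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"   # for inspection only; shell quoting is not preserved
        return 0
    fi
    "$@"
}

# ldap_result_code OUTPUT
# Extracts the numeric code from the "Result: <text> (<n>)" line that
# ldappasswd prints. Prints nothing if there is no Result line, so a caller
# can tell "unknown" apart from "success (0)".
ldap_result_code() {
    printf '%s\n' "$1" | sed -n 's/^Result: .*(\([0-9][0-9]*\))$/\1/p' | head -n 1
}

# Constructed sample: the output shown in the question.
SAMPLE_OUTPUT='Result: Confidentiality required (13)
Additional info: Operation requires a secure connection.'

# Demonstration; no directory server is needed in dry-run mode.
DRY_RUN=1
ldappasswd_tls ldap://ds.example.com 'cn=directory manager' \
    'uid=jdoe,ou=people,dc=example,dc=com'
ldappasswd_tls ldaps://ds.example.com 'cn=directory manager' \
    'uid=jdoe,ou=people,dc=example,dc=com'
echo "sample result code: $(ldap_result_code "$SAMPLE_OUTPUT")"
```

To use it for real, unset DRY_RUN (or leave it at 0) and call ldappasswd_tls with the server URI, the bind DN and the target DN; ldappasswd then prompts for the bind password and the new password as in the question. The wrapper deliberately does not add a plain -Z option: that form tolerates a failed StartTLS and would reproduce exactly the cleartext exchange the server is refusing.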