
I am currently trying to change the password of an LDAP account with Ruby. As I used OpenDJ and Java before, it was possible to trigger a password change request which only received the new password as plain text, but in the end it was stored as a crypted password using the function configured in the OpenLDAP options.

But with ruby, I only figured out how to change the password attribute directly.

Can I do the same in Ruby that I do in Java with OpenDJ?

2 Answers


The operation to change a password in OpenDJ is an LDAP operation, and independent of the language you are using on the client side. So yes, you should be able to do the same with Ruby and Java. How to do it in Ruby depends on the LDAP support and library provided in Ruby, and I'm sorry I have no experience with that.

Ludovic Poitou
  • Thank you, can you point out which "independent operation" is used by OpenDJ? –  Mar 24 '16 at 10:32
  • You can change a Password using the LDAP modify operation (doing a replace of the userPassword attribute) or using the LDAP Password Modify Extended operation. – Ludovic Poitou Mar 29 '16 at 08:11
  • Yes, thank you! I was looking for the extended operation. Some libraries use it automatically if you try to change userPassword, but net-ldap does not. But now it works! –  Mar 29 '16 at 11:06
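Added example, not code from the question or either answer: a pure-Ruby encoder for the RFC 3062 Password Modify extended request that the comments above refer to, so you can see what any client (net-ldap's own Net::LDAP#password_modify in recent versions, or a hand-built request) actually sends; the DN and password are constructed placeholders.

```ruby
# Constructed example: encodes the RFC 3062 Password Modify extended request
# in pure Ruby so the wire format can be inspected. No gems required.
PASSWD_MODIFY_OID = '1.3.6.1.4.1.4203.1.11.1'

# BER definite length: short form below 128, long form (0x80 | byte count) above.
def ber_len(n)
  return [n].pack('C') if n < 128
  bytes = [n].pack('N').bytes.drop_while(&:zero?).pack('C*')
  [0x80 | bytes.bytesize].pack('C') + bytes
end

# One tag-length-value element, value forced to a binary string.
def tlv(tag, value)
  value = value.b
  [tag].pack('C') + ber_len(value.bytesize) + value
end

# PasswdModifyRequestValue ::= SEQUENCE {
#   userIdentity [0] OCTET STRING OPTIONAL,
#   oldPasswd    [1] OCTET STRING OPTIONAL,
#   newPasswd    [2] OCTET STRING OPTIONAL }
# Every field is optional: no userIdentity means "the bound user",
# no newPasswd asks the server to generate one.
def passwd_modify_value(user_identity: nil, old_password: nil, new_password: nil)
  inner = ''.b
  inner << tlv(0x80, user_identity) if user_identity
  inner << tlv(0x81, old_password) if old_password
  inner << tlv(0x82, new_password) if new_password
  tlv(0x30, inner)
end

# ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
#   requestName  [0] LDAPOID,
#   requestValue [1] OCTET STRING OPTIONAL }
def password_modify_request(**fields)
  body = tlv(0x80, PASSWD_MODIFY_OID) + tlv(0x81, passwd_modify_value(**fields))
  tlv(0x77, body)   # 0x60 (application, constructed) | 23
end

def to_hex(bytes)
  bytes.unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder DN and password, not real account data.
  req = password_modify_request(user_identity: 'uid=jdoe,dc=example,dc=com',
                                new_password: 's3cret')
  puts to_hex(req)
end
```

Whichever client sends it, the new password crosses the wire in clear text inside this request and the server hashes it on receipt, so the connection itself needs TLS.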

If you use the ruby-ldap gem the following code should work:

require 'ldap'   # ruby-ldap gem

# Host and bind credentials are placeholders; bind as an identity allowed to write userPassword.
conn = LDAP::Conn.new('ldap.example.com', LDAP::LDAP_PORT)
conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
conn.bind('cn=admin,dc=example,dc=com', 'adminpassword')

# Replace userPassword with the clear-text value (the server hashes it only if configured to).
modifications = [
  LDAP.mod(LDAP::LDAP_MOD_REPLACE, 'userPassword', ['cleartextpassword']),
]

begin
  conn.modify("uid=jdoe, dc=example, dc=com", modifications)
rescue LDAP::ResultError => e
  warn "modify failed: #{e.message}"
  exit 1
end
Guillermo R
  • I will test it today. Can I do the same with "net/ldap"? I mean, if it is an LDAP-specific operation it should be possible, shouldn't it? –  Mar 24 '16 at 11:01
  • Yes, it is a standard LDAP modify operation so the same approach should work no matter which client library you use. – Guillermo R Mar 25 '16 at 13:36
  • I am using net/ldap and modify/replace but it always sets it as plain text. `if ldap.bind operations = [[ :replace, :userPassword, [$LDAP_PASSWORD_NEW] ]] ldap.modify :dn => $LDAP_USER, :operations => operations` –  Mar 25 '16 at 19:10
  • I think password hash is not enabled in OpenLDAP by default. Try adding the following to the global section of your slapd.conf file: password-hash {SSHA} – Guillermo R Mar 25 '16 at 22:07
  • Well, olcPasswordHash is set. (using OLC) As I said, OpenDJ works. My problem with ruby-ldap is that I cannot find any good documentation and it uses native libs. :/ –  Mar 26 '16 at 10:43