Here are the main configuration settings and changes that must be in place before this long-awaited feature can actually work in your DS6/DPS6 based topology:

DS6 configuration:

The first time you try to run ldappasswd against a DS6 instance, you may hit the following error:

./ldappasswd -p 11389 -D "uid=usr1000,ou=people,dc=sumario,dc=com" -w secret -S uid=usr1000,ou=people,dc=sumario,dc=com
New Password:
Re-enter new Password:
ldap_passwd_s: Insufficient access

And the corresponding entries in the DS access log look like this:

[08/Jun/2007:11:39:57 +0200] conn=69 op=0 msgId=1 - BIND dn="uid=usr1000,ou=people,dc=sumario,dc=com" method=128 version=3
[08/Jun/2007:11:39:57 +0200] conn=-1 op=-1 msgId=-1 - SRCH base="uid=usr1000,ou=people,dc=sumario,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[08/Jun/2007:11:39:57 +0200] conn=-1 op=-1 msgId=-1 - RESULT err=0 tag=101 nentries=1 etime=0.000340
[08/Jun/2007:11:39:57 +0200] conn=69 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001320 dn="uid=usr1000,ou=people,dc=sumario,dc=com"
[08/Jun/2007:11:39:57 +0200] conn=69 op=1 msgId=2 - EXT oid="1.3.6.1.4.1.4203.1.11.1"
[08/Jun/2007:11:39:57 +0200] conn=69 op=1 msgId=2 - RESULT err=50 tag=120 nentries=0 etime=0.000400, Password change feature access denied.
[08/Jun/2007:11:39:57 +0200] conn=69 op=2 msgId=3 - UNBIND

Why is this happening? Both the reason and the solution are simple:

Before ldappasswd can work with DS6, you first need to enable the LDAP Password Modify extended operation on the DS side. This is explained in the DS/DPS administration guide; here is how you can easily get it working (just replace the content between <<>> with the user/population that fits your needs):

$ cat exop.ldif
dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
cn: Password Modify Extended Operation
aci: (targetattr != "aci")(version 3.0; acl "Password Modify Extended Operation"
 ; allow( read, search, compare, proxy ) <<NARROW POPULATION ONLY>>;)

$ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f exop.ldif
Enter bind password:
adding new entry oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config

Once this is done, any user allowed by the ACI above will be able to run ldappasswd to reset userPassword values on user entries.
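To make concrete what the `EXT oid="1.3.6.1.4.1.4203.1.11.1"` line in the access log carries, here is an added example (not code from the original post or from Sun's tools) that builds and parses the RFC 3062 PasswdModifyRequestValue that ldappasswd sends to the server. The hand-written BER encoder and the field names are my own; the OID is the one shown in the log above, and the sample DN is constructed from the post.

```python
"""Build and parse the RFC 3062 Password Modify extended request value.

Added example, not from the original post. The OID is the one the DS6
access log shows (EXT oid="1.3.6.1.4.1.4203.1.11.1"). The BER encoder
below is a minimal hand-written one for just this structure (assumption:
this is what an RFC 3062 client such as ldappasswd puts on the wire).
"""
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific primitive tags from RFC 3062:
#   userIdentity [0], oldPasswd [1], newPasswd [2]
_TAG_USER, _TAG_OLD, _TAG_NEW = 0x80, 0x81, 0x82
_TAG_SEQUENCE = 0x30


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_passwd_modify_request(user_identity: Optional[str] = None,
                                 old_passwd: Optional[str] = None,
                                 new_passwd: Optional[str] = None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { [0] OPTIONAL, [1] OPTIONAL, [2] OPTIONAL }.

    Every field is optional: omitting userIdentity means "the bound DN",
    omitting newPasswd asks the server to generate one. Note that old and
    new passwords travel as plain OCTET STRINGs inside the request, which
    is why this operation belongs on a TLS-protected connection.
    """
    parts = b""
    for tag, val in ((_TAG_USER, user_identity), (_TAG_OLD, old_passwd), (_TAG_NEW, new_passwd)):
        if val is not None:
            parts += _tlv(tag, val.encode("utf-8"))
    return _tlv(_TAG_SEQUENCE, parts)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value triple starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def decode_passwd_modify_request(buf: bytes) -> Dict[str, str]:
    """Parse the request value back into its (at most three) optional fields."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != _TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    names = {_TAG_USER: "userIdentity", _TAG_OLD: "oldPasswd", _TAG_NEW: "newPasswd"}
    out: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in names or names[tag] in out:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        out[names[tag]] = value.decode("utf-8")
    return out


if __name__ == "__main__":
    # Constructed request matching the ldappasswd invocation quoted in the post.
    req = encode_passwd_modify_request(
        user_identity="uid=usr1000,ou=people,dc=sumario,dc=com", new_passwd="secret")
    print(PASSWD_MODIFY_OID, req.hex())
    print(decode_passwd_modify_request(req))
```

The decoder rejects trailing bytes and repeated tags, so a request value that does not round-trip is an encoding problem on the client side rather than an ACI problem on the server; the err=50 in the log above is the server answering a well-formed request that the feature entry's ACI did not permit.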

DPS6 configuration:

The first time you try to run ldappasswd against a DPS6 instance, you may hit the following error:

# /opt/SUNWdsee/dsee6/bin/ldappasswd -h sunone01 -p 389 -D "uid=x100001,ou=people,dc=sun,dc=de" -w x100001 -A -S uid=x100001,ou=people,dc=sun,dc=de
Old Password:
New Password:
Re-enter new Password:
ldap_passwd_s: DSA is unwilling to perform

And the DPS access log reports the following error message:

RESPONSE err=53 msg="There are no plugins defined to handle extended operation 1.3.6.1.4.1.4203.1.11.1"

Why is this happening?

By default, vanilla DPS6 does not proxy the Password Modify extended operation. This problem and its associated unsupported workaround are documented in bug #6570523; my strong advice is to contact Sun Support Services to get the official fix for this, which works nicely.

Recommended short term solution: Run ldappasswd directly against your DS6 servers
Recommended long term solution: Upgrade your vanilla DPS6 to a more recent version that fixes bug #6570523
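Both failure modes above leave a distinctive trace in the access logs: on DS6 an `EXT` line for the Password Modify OID followed by a `RESULT err=50` for the same conn/op, and on DPS6 a `RESPONSE err=53` naming the OID. The following added example (my own code, not from the post or from Sun) correlates log lines by connection and operation number and maps each failure to the remedy described above. The sample lines are constructed from the ones quoted in this post; the assumed field layout is the `conn=N op=M msgId=K - VERB ...` form shown there.

```python
"""Triage DS6/DPS6 access-log lines for failed Password Modify extended ops.

Added example, not from the original post. Sample log lines below are
constructed from the ones quoted in the post; the parsing assumes the
"conn=N op=M msgId=K - VERB ..." layout those lines show.
"""
import re
from typing import Dict, Iterable, List, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# DS6 access-log line, e.g. "[...] conn=69 op=1 msgId=2 - EXT oid=..." or "... - RESULT err=50 ..."
_DS_LINE = re.compile(r"conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<verb>\w+) ?(?P<rest>.*)")
_OID = re.compile(r'oid="([^"]+)"')
_ERR = re.compile(r"err=(\d+)")
# DPS6 access-log line, e.g. 'RESPONSE err=53 msg="There are no plugins defined ..."'
_DPS_LINE = re.compile(r'RESPONSE err=(?P<err>\d+) msg="(?P<msg>[^"]*)"')

REMEDY_DS6_ACI = "DS6: ACI on the directoryServerFeature entry denies this user; add the cn=features entry from the post"
REMEDY_DPS6_PLUGIN = "DPS6: no plugin for the op; apply the fix for bug #6570523 or run ldappasswd directly against DS6"

Finding = Tuple[str, int, str]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one (server, err, remedy) finding per failed Password Modify operation."""
    pending: Dict[Tuple[str, str], bool] = {}  # (conn, op) of an EXT with the passwd-modify OID
    findings: List[Finding] = []
    for line in lines:
        dps = _DPS_LINE.search(line)
        if dps:
            if dps.group("err") == "53" and PASSWD_MODIFY_OID in dps.group("msg"):
                findings.append(("dps6", 53, REMEDY_DPS6_PLUGIN))
            continue
        ds = _DS_LINE.search(line)
        if not ds:
            continue
        key = (ds.group("conn"), ds.group("op"))
        if ds.group("verb") == "EXT":
            oid = _OID.search(ds.group("rest"))
            if oid and oid.group(1) == PASSWD_MODIFY_OID:
                pending[key] = True
        elif ds.group("verb") == "RESULT" and key in pending:
            del pending[key]
            err_m = _ERR.search(ds.group("rest"))
            err = int(err_m.group(1)) if err_m else -1
            if err == 50:
                findings.append(("ds6", 50, REMEDY_DS6_ACI))
            elif err != 0:
                findings.append(("ds6", err, "DS6: Password Modify failed for another reason; check the server error log"))
    return findings


# Constructed sample lines, modelled on the DS6 and DPS6 excerpts quoted in the post.
DS6_SAMPLE = [
    '[08/Jun/2007:11:39:57 +0200] conn=69 op=0 msgId=1 - BIND dn="uid=usr1000,ou=people,dc=sumario,dc=com" method=128 version=3',
    '[08/Jun/2007:11:39:57 +0200] conn=69 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001320 dn="uid=usr1000,ou=people,dc=sumario,dc=com"',
    '[08/Jun/2007:11:39:57 +0200] conn=69 op=1 msgId=2 - EXT oid="1.3.6.1.4.1.4203.1.11.1"',
    '[08/Jun/2007:11:39:57 +0200] conn=69 op=1 msgId=2 - RESULT err=50 tag=120 nentries=0 etime=0.000400, Password change feature access denied.',
    '[08/Jun/2007:11:39:57 +0200] conn=69 op=2 msgId=3 - UNBIND',
]
DS6_OK_SAMPLE = [
    '[08/Jun/2007:11:40:10 +0200] conn=70 op=1 msgId=2 - EXT oid="1.3.6.1.4.1.4203.1.11.1"',
    '[08/Jun/2007:11:40:10 +0200] conn=70 op=1 msgId=2 - RESULT err=0 tag=120 nentries=0 etime=0.000500',
]
DPS6_SAMPLE = [
    'RESPONSE err=53 msg="There are no plugins defined to handle extended operation 1.3.6.1.4.1.4203.1.11.1"',
]

if __name__ == "__main__":
    for name, sample in (("ds6", DS6_SAMPLE), ("ds6-ok", DS6_OK_SAMPLE), ("dps6", DPS6_SAMPLE)):
        print(name, triage(sample))
```

The RESULT line is only attributed to the password-modify operation when its conn/op pair matches an earlier EXT line with that OID, so unrelated err=50 results (for example on a plain MODIFY) are not reported, and a successful err=0 produces no finding.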


This blog copyright 2009 by marcos