On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
> Hi Ondřej,
>
> changing the password with ldappasswd works as expected. I did a:
> -------------
> u1-verw@ldap02:~$ ldappasswd -x -D
> cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
> New password:
> Re-enter new password:
> Enter LDAP Password:
> -------------
> When entering the "LDAP Password" I'm giving "password+token" for the
> "New password" I'm only giving the new password without any token.
> After changing the password I can login with the new password+token.
> But with "passwd" I can't change the password if otp is used. Without
> otp changing the password works with "passwd" only.

Yes, that sounds like a limitation of how passwd deals with ldap,
especially when otp changes the meaning of how a Bind is processed.

If you want to set pwdSafeModify, not sure if there's a way to make that
work with the password modify extop. If you don't insist on
pwdSafeModify, there might be a way for passwd not to send the old
password in the op?

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
