The ldappasswordmodify Command-Line Tool
Update the password for a user in an LDAP directory server using the password modify extended operation (as defined in RFC 3062), a standard LDAP modify operation, or an Active Directory-specific modification.
Unless the password change method is explicitly specified (using the --passwordChangeMethod argument), this tool will attempt to automatically determine which method is the most appropriate for the target server using information provided in the server's root DSE. If the server advertises support for the password modify extended operation, then that method will be used. If it appears to be an Active Directory server, then an Active Directory-specific password change method will be selected, using a regular LDAP modify to update the unicodePwd attribute with a specially encoded value. Otherwise, a regular LDAP modify operation will be used to update the value of a specified password attribute.
The new password to set for the user may be specified in one of several ways. It may be directly provided on the command line, read from a specified file, interactively prompted from the user, or automatically generated by this tool. If the new password is not specified using any of those methods, and if the password is to be updated using the password modify extended operation, then the new password field of the request will be left blank to indicate that the server should generate a new password for the user and include it in the response to the client. If no new password is specified and some other password change method is selected, then the tool will exit with an error.
The current password for the user may also be specified. This is optional, although some servers may require a user to provide their current password when setting a new one. If a current password is provided (whether given as a command-line argument, read from a specified file, or interactively requested from the user), and if a regular LDAP modify operation is used to change the password, then the resulting modify request will include a delete of the current value and an add of the new value. If no current password is provided, then the modify request will replace any existing password(s) with the new value.
Usage
ldappasswordmodify {arguments}
LDAP Connection and Authentication Arguments
- -h {host} / --hostname {host} — The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
- -p {port} / --port {port} — The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
  The specified value must not be less than 1 or greater than 65,535.
- -D {dn} / --bindDN {dn} — The DN to use to bind to the directory server when performing simple authentication.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
- -w {password} / --bindPassword {password} — The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
- -j {path} / --bindPasswordFile {path} — The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
  The specified path must refer to a file that exists.
- --promptForBindPassword — Indicates that the tool should interactively prompt the user for the bind password.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -Z / --useSSL — Use SSL when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -q / --useStartTLS — Use StartTLS when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --defaultTrust — Use the JVM's default trust store, and optionally an additional trust store specified using the --trustStorePath argument, to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -X / --trustAll — Trust any certificate presented by the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -K {path} / --keyStorePath {path} — The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
- -W {password} / --keyStorePassword {password} — The password to use to access the key store contents.
- -u {path} / --keyStorePasswordFile {path} — The path to the file containing the password to use to access the key store contents.
  The specified path must refer to a file that may or may not exist.
- --promptForKeyStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --keyStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
- -P {path} / --trustStorePath {path} — The path to the file to use as the trust store when determining whether to trust a certificate presented by the directory server.
- -T {password} / --trustStorePassword {password} — The password to use to access the trust store contents.
- -U {path} / --trustStorePasswordFile {path} — The path to the file containing the password to use to access the trust store contents.
  The specified path must refer to a file that may or may not exist.
- --promptForTrustStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --trustStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
- --verifyCertificateHostnames — Indicates that the tool should verify that the hostname or IP address used to establish connections to the LDAP server matches an address for which the server's TLS certificate was issued.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --certNickname {nickname} — The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
- --enableSSLDebugging — Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -o {name=value} / --saslOption {name=value} — A name-value pair providing information to use when performing SASL authentication.
- --useSASLExternal — Use the SASL EXTERNAL mechanism to authenticate.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --helpSASL — Provide information about the supported SASL mechanisms, including the properties available for use with each.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
User Identity Arguments
- -a {dnOrAuthzID} / --userIdentity {dnOrAuthzID} — The identity for the user whose password should be changed. This may be a DN, or it may be an authorization identity in either the form 'dn:' followed by a user DN or 'u:' followed by a username. If neither this argument nor the --provideBindDNAsUserIdentity argument is provided, then the current authorization identity for the underlying connection will be assumed.
- -A / --provideBindDNAsUserIdentity — Explicitly provide the bind DN as the value of the user identity field in the password modify extended request, rather than omitting that field. This argument only applies when changing passwords using the password modify extended operation, although the bind DN may be used as the target entry DN for modify requests if no alternate user identity is specified.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --usernameAttribute {attributeName} — The name of the attribute that will be used to search for the user to update if the user identity is provided as a username rather than a DN, and if the password is to be updated with an LDAP modify operation rather than the password modify extended operation. This argument will be ignored if the authorization identity is provided as a DN or if the password will be changed using the password modify extended operation. If this is not provided, then a default value of 'uid' will be used for non-Active Directory servers, and default values of 'samAccountName' and 'userPrincipalName' will be used for Active Directory. This argument may be provided multiple times to specify multiple user ID attributes, in which case the search will construct an OR filter to search across each of those attributes. The resulting search must match exactly one entry for the password change attempt to proceed.
- -b {dn} / --searchBaseDN {dn} — The base DN to use when searching for the user to update. This will be ignored if the user identity is provided as a DN or if the password will be changed using the password modify extended operation. If this is not provided, the null DN will be used as the default search base DN.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
New Password Arguments
- -n {password} / --newPassword {password} — The new password to set for the target user.
- -N {path} / --newPasswordFile {path} — The path to a file containing the new password to set for the target user. If this argument is provided, then the file must exist, and it must contain exactly one line with only the desired new password.
  The specified path must refer to a file that exists.
- --promptForNewPassword — Interactively prompt for the new password to set for the target user.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --generateClientSideNewPassword — Have this tool generate the new password for the target user. If this argument is provided, then the new password will be displayed before sending the request to the server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --generatedPasswordLength {length} — The number of characters to include in the generated client-side password. If this is not provided, then a default length of twelve characters will be used.
  The specified value must not be less than 1 or greater than 2,147,483,647.
- --generatedPasswordCharacterSet {chars} — A set of characters that may be included in the generated client-side password. This may be provided multiple times to specify multiple character sets, in which case the generated password will include at least one character from each of the sets. If this is not provided, then the generated password will be a mix of lowercase ASCII letters, uppercase ASCII letters, ASCII digits, and a selected set of ASCII symbols.
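Client-side generation with the semantics described for --generatedPasswordLength and --generatedPasswordCharacterSet (default length of twelve, at least one character from every supplied set), as an added example that is not the tool's own implementation. The symbol set used by default is an assumption; the page only says "a selected set of ASCII symbols". It draws from the operating system CSPRNG via the `secrets` module and rejects a length shorter than the number of sets, which could not satisfy the one-per-set guarantee.

```python
"""Added example of client-side password generation; not the tool's own code."""
import secrets
import string

# ASSUMPTION: the page does not list the tool's symbol set, so this is a stand-in.
DEFAULT_CHARACTER_SETS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.<>?",
)


def generate_password(length: int = 12, character_sets=None) -> str:
    """Generate a password of the given length containing at least one
    character from each set. Uses secrets (CSPRNG), never the random module."""
    sets = list(character_sets) if character_sets else list(DEFAULT_CHARACTER_SETS)
    if length < 1:
        raise ValueError("length must be at least 1")
    if any(not s for s in sets):
        raise ValueError("character sets must not be empty")
    if length < len(sets):
        raise ValueError(f"length {length} cannot cover {len(sets)} character sets")
    # One guaranteed character per set, the remainder from the union of all sets.
    chars = [secrets.choice(s) for s in sets]
    alphabet = "".join(sorted(set("".join(sets))))
    chars += [secrets.choice(alphabet) for _ in range(length - len(sets))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed characters
    # do not always sit at the front in set order.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_sets(password: str, character_sets=None) -> bool:
    """Check the one-character-per-set property a generated password must have."""
    sets = character_sets or DEFAULT_CHARACTER_SETS
    return all(any(c in s for c in password) for s in sets)


if __name__ == "__main__":
    print(generate_password())
    print(generate_password(16, ["abcdef", "0123456789"]))
```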
Current Password Arguments
- -c {password} / --currentPassword {password} — The current password to provide when setting the new password.
- -C {path} / --currentPasswordFile {path} — The path to a file containing the current password to provide when setting the new password. If this is provided, then the file must exist and it must contain exactly one line with only the user's current password.
  The specified path must refer to a file that exists.
- --promptForCurrentPassword — Interactively prompt for the user's current password.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
Bind Control Arguments
- --bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]] — Include the specified control in the bind request used to authenticate to the server. This may be provided multiple times to specify multiple bind request controls.
  A provided value must be a string representation of a valid LDAP control in the form {oid}[:{criticality}[:{stringValue}|::{base64Value}]].
- --useAuthorizationIdentityControl — Include the authorization identity request control in the bind request to indicate that the server should return the authorization identity that resulted from the bind.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --usePasswordPolicyControlOnBind — Include the password policy request control (as described in draft-behera-ldap-password-policy) in the bind request used to authenticate to the server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --getAuthorizationEntryAttribute {attributeName} — Include the UnboundID-proprietary get authorization entry request control in the bind request to indicate that the bind response should include the entry for the authenticated user with the specified attribute. This argument may be provided multiple times to specify that multiple attributes from the user entry should be included.
- --getUserResourceLimits — Include the UnboundID-proprietary get user resource limits request control in the bind request to indicate that the server should return information about resource limits (e.g., size limit, time limit, idle time limit, etc.) imposed for the user.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
Update Control Arguments
- -J {oid}[:{criticality}[:{stringValue}|::{base64Value}]] / --updateControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]] — Include the specified control in the request used to update the user's password. This may be provided multiple times to specify multiple update controls.
  A provided value must be a string representation of a valid LDAP control in the form {oid}[:{criticality}[:{stringValue}|::{base64Value}]].
- --usePasswordPolicyControlOnUpdate — Include the password policy request control (as described in draft-behera-ldap-password-policy) in the request used to update the user's password.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --noOperation — Include the LDAP no-operation request control (as described in draft-zeilenga-ldap-noop) to indicate that the server should validate that the password change would likely succeed, but that the user's password should not actually be changed.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --getPasswordValidationDetails — Include the UnboundID-proprietary get password validation details request control in the request used to update the password. The corresponding response control will include information about the requirements that the server will impose for the target user and whether the provided new password satisfies each of those constraints.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --retireCurrentPassword — Include the UnboundID-proprietary retire password request control in the request used to update the password. This will indicate that the server should continue to allow the user to authenticate with their former password (in addition to the new password) for a brief period of time.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --purgeCurrentPassword — Include the UnboundID-proprietary purge password request control in the request used to update the password. This will indicate that the server should completely remove the former password from the user's entry, even if the server would have otherwise retired the former password for a brief period of time.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --passwordUpdateBehavior {name=value} — Include the UnboundID-proprietary password update behavior request control in the request used to update the password to specify settings that the server should use when updating the password. Values of this argument must be in the form 'name=value', where the property name can be any one of the following: is-self-change, allow-pre-encoded-password, skip-password-validation, ignore-password-history, ignore-minimum-password-age, password-storage-scheme, and must-change-password. The value for each property should be either 'true' or 'false', with the exception of the password-storage-scheme property, whose value should be the name of the desired password storage scheme to use to encode the new password. This argument can be provided multiple times to specify multiple password update behaviors.
- --useAssuredReplication — Include the UnboundID-proprietary assured replication request control to indicate that the update response should be delayed until the change has been sufficiently replicated to other servers.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --assuredReplicationLocalLevel {level} — The local assurance level to use in the assured replication request control. If provided, the value should be one of 'none' (to indicate that the update response should not be delayed for replication to local servers), 'received-any-server' (to indicate that the update response should be delayed until the change has been received by, but not necessarily applied on, at least one other local server), or 'processed-all-servers' (to indicate that the update response should be delayed until the change has been applied in all available local servers). If this is not specified, then the server will select an appropriate local assurance level.
  A provided value should be one of the following: 'received-any-server', 'processed-all-servers', 'none'.
- --assuredReplicationRemoteLevel {level} — The remote assurance level to use in the assured replication request control. The value should be one of 'none' (to indicate that the update response should not be delayed for replication to remote servers), 'received-any-remote-location' (to indicate that the update response should be delayed until the change has been received by, but not necessarily applied on, at least one server in at least one remote location), 'received-all-remote-locations' (to indicate that the update response should be delayed until the change has been received by, but not necessarily applied on, at least one server in every remote location), or 'processed-all-remote-servers' (to indicate that the update response should be delayed until the change has been applied by all available remote servers in all locations). If this is not specified, then the server will select an appropriate remote assurance level.
  A provided value should be one of the following: 'processed-all-remote-servers', 'none', 'received-any-remote-location', 'received-all-remote-locations'.
- --assuredReplicationTimeout {timeout} — The timeout to use for assured replication processing. If provided, the value should be in the form of an integer followed by a time unit that is one of 'nanosecond', 'microsecond', 'millisecond', 'second', 'minute', 'hour', 'day', or 'week' (or one of their plurals or abbreviations). For example, values of '500 milliseconds', '500 ms', and '500ms' all specify a timeout of 500 milliseconds. If this is not specified, then the server will select an appropriate timeout.
  The provided value must contain an integer followed by a unit of 'ns' (for nanoseconds), 'us' (for microseconds), 'ms' (for milliseconds), 's' (for seconds), 'm' (for minutes), 'h' (for hours), 'd' (for days), or 'w' (for weeks). The specified duration must not be less than 0ns or greater than 9223372036854775807ns.
- --operationPurpose {purpose} — Include the UnboundID-proprietary operation purpose request control in the request sent to update the target user's password to provide additional information about the purpose for the request.
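Parsers for the two value formats this section and the bind control section specify: the control string form {oid}[:{criticality}[:{stringValue}|::{base64Value}]] used by --bindControl and --updateControl, and the assured replication timeout form (integer plus unit, bounded at 9223372036854775807ns). This is an added example, not the tool's own argument parsing; the OID 1.2.3.4 in the usage block is a constructed placeholder. Points worth seeing in code: a string value may itself contain colons, so only the first two separators are significant; the '::' prefix selects strict base64 decoding; and the unit token is matched whole so that 'm' (minutes) and 'ms' (milliseconds) cannot be confused.

```python
"""Added example (not the tool's own code): parsers for control strings and
assured replication timeouts in the formats described on this page."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

OID_RE = re.compile(r"^\d+(\.\d+)*$")
MAX_TIMEOUT_NS = 9223372036854775807  # upper bound stated above (2**63 - 1)


@dataclass(frozen=True)
class Control:
    oid: str
    criticality: bool = False
    value: Optional[bytes] = None


def parse_control(spec: str) -> Control:
    """Parse {oid}[:{criticality}[:{stringValue}|::{base64Value}]].
    Everything after the second ':' is the string value (colons included);
    a leading extra ':' there marks a base64-encoded value instead."""
    oid, sep, rest = spec.partition(":")
    if not OID_RE.match(oid):
        raise ValueError(f"invalid control OID: {oid!r}")
    if not sep:
        return Control(oid)
    crit_text, sep, rest = rest.partition(":")
    if crit_text.lower() not in ("true", "false"):
        raise ValueError(f"criticality must be true or false, not {crit_text!r}")
    criticality = crit_text.lower() == "true"
    if not sep:
        return Control(oid, criticality)
    if rest.startswith(":"):
        try:
            value = base64.b64decode(rest[1:], validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"invalid base64 control value in {spec!r}") from exc
    else:
        value = rest.encode("utf-8")
    return Control(oid, criticality, value)


# Nanoseconds per unit; abbreviations, full names and plurals are accepted.
_UNIT_NS = {
    "ns": 1, "nanosecond": 1,
    "us": 10**3, "microsecond": 10**3,
    "ms": 10**6, "millisecond": 10**6,
    "s": 10**9, "second": 10**9,
    "m": 60 * 10**9, "minute": 60 * 10**9,
    "h": 3600 * 10**9, "hour": 3600 * 10**9,
    "d": 86400 * 10**9, "day": 86400 * 10**9,
    "w": 604800 * 10**9, "week": 604800 * 10**9,
}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")


def parse_duration_ns(text: str) -> int:
    """Parse '<integer><unit>' (whitespace optional) into nanoseconds and
    enforce the 0..9223372036854775807ns range. The regex only admits an
    unsigned integer, so negative durations are rejected up front."""
    match = _DURATION_RE.match(text)
    if not match:
        raise ValueError(f"duration must be an integer followed by a unit: {text!r}")
    count, unit = int(match.group(1)), match.group(2).lower()
    if unit not in _UNIT_NS and len(unit) > 2 and unit.endswith("s"):
        unit = unit[:-1]  # plural spelling such as 'milliseconds'
    if unit not in _UNIT_NS:
        raise ValueError(f"unknown time unit: {unit!r}")
    nanos = count * _UNIT_NS[unit]
    if nanos > MAX_TIMEOUT_NS:
        raise ValueError(f"{text!r} exceeds the maximum of {MAX_TIMEOUT_NS}ns")
    return nanos


if __name__ == "__main__":
    # Constructed inputs; 1.2.3.4 is a placeholder OID, not a real control.
    print(parse_control("1.2.3.4:true"))
    print(parse_control("1.2.3.4:false::aGVsbG8="))
    print(parse_duration_ns("500 milliseconds"), parse_duration_ns("2m"))
```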
Other Arguments
- --passwordChangeMethod {password-modify-extended-operation|ldap-modify|active-directory} — The method to use to set the password. Allowed values are 'password-modify-extended-operation' (for the password modify extended operation as described in RFC 3062), 'ldap-modify' (for a regular LDAP modify operation targeting the specified password attribute), or 'active-directory' (for an Active Directory-specific password change mechanism). If this is not specified, then the tool will attempt to automatically determine the appropriate method.
  A provided value should be one of the following: 'ldap-modify', 'password-modify-extended-operation', 'active-directory'.
- --followReferrals — Automatically attempt to follow any referrals received when processing requests.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --useAdministrativeSession — Use an administrative session to process the bind and update operations using a dedicated pool of worker threads. This may be useful when trying to update the server when all normal worker threads are busy processing other requests.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -v / --verbose — Provide verbose output about the processing that the tool performs.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --script-friendly — Generate output in a script-friendly format.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
Additional Arguments
- --interactive — Launch the tool in interactive mode.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --outputFile {path} — Write all standard output and standard error messages to the specified file instead of to the console.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
- --appendToOutputFile — Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --teeOutput — Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- -H / --help — Display usage information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --help-debug — Display usage information for debug logging.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --enable-debug-logging — Enables debug logging for the tool.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --debug-log-level {level} — The debug log level to use for the tool. Allowed values include 'off', 'severe', 'warning', 'info', 'fine', 'finer', and 'finest'. If this is not specified, a default level of 'severe' will be used.
- --debug-log-category {category} — The message categories to include in the debug log output. Allowed values include 'asn1', 'connect', 'exception', 'ldap', 'connectionpool', 'ldif', 'monitor', 'codingerror', and 'other'. This argument may be provided multiple times to indicate that multiple categories should be included. If this is not specified, then all categories will be included.
- --include-debug-stack-traces — Indicates that debug log messages should include a stack trace with the code location from which each debug message originated.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --use-multi-line-debug-messages — Indicates that debug log messages (which will be JSON objects) should be written as multi-line strings rather than single-line strings.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --debug-log-file {path} — The path to the debug log file to be written. If this is not specified, a default path of 'ldappasswordmodify.debug' will be used.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
- -V / --version — Display version information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --propertiesFilePath {path} — The path to a properties file used to specify default values for arguments not supplied on the command line.
  The specified path must refer to a file that exists.
- --generatePropertiesFile {path} — Write an empty properties file that may be used to specify default values for arguments.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
- --noPropertiesFile — Do not obtain any argument values from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
- --suppressPropertiesFileComment — Suppress output listing the arguments obtained from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
Dependent Argument Sets
- If the --keyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
- If the --keyStorePasswordFile argument is provided, then the --keyStorePath argument must also be provided.
- If the --promptForKeyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
- If the --trustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
- If the --trustStorePasswordFile argument is provided, then the --trustStorePath argument must also be provided.
- If the --promptForTrustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
- If the --keyStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
- If the --trustStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
- If the --defaultTrust argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
- If the --trustAll argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
- If the --bindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
- If the --bindPasswordFile argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
- If the --promptForBindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
- If the --provideBindDNAsUserIdentity argument is provided, then the --bindDN argument must also be provided.
- If the --generatedPasswordLength argument is provided, then the --generateClientSideNewPassword argument must also be provided.
- If the --generatedPasswordCharacterSet argument is provided, then the --generateClientSideNewPassword argument must also be provided.
- If the --assuredReplicationLocalLevel argument is provided, then the --useAssuredReplication argument must also be provided.
- If the --assuredReplicationRemoteLevel argument is provided, then the --useAssuredReplication argument must also be provided.
- If the --assuredReplicationTimeout argument is provided, then the --useAssuredReplication argument must also be provided.
- If the --appendToOutputFile argument is provided, then the --outputFile argument must also be provided.
- If the --teeOutput argument is provided, then the --outputFile argument must also be provided.
Exclusive Argument Sets
- The following arguments cannot be used together: --useSSL, --useStartTLS
- The following arguments cannot be used together: --keyStorePassword, --keyStorePasswordFile, --promptForKeyStorePassword
- The following arguments cannot be used together: --trustStorePassword, --trustStorePasswordFile, --promptForTrustStorePassword
- The following arguments cannot be used together: --defaultTrust, --trustAll
- The following arguments cannot be used together: --trustAll, --trustStorePath
- The following arguments cannot be used together: --bindDN, --saslOption, --useSASLExternal
- The following arguments cannot be used together: --bindPassword, --bindPasswordFile, --promptForBindPassword
- The following arguments cannot be used together: --userIdentity, --provideBindDNAsUserIdentity
- The following arguments cannot be used together: --newPassword, --newPasswordFile, --promptForNewPassword, --generateClientSideNewPassword
- The following arguments cannot be used together: --currentPassword, --currentPasswordFile, --promptForCurrentPassword
- The following arguments cannot be used together: --retireCurrentPassword, --purgeCurrentPassword
- The following arguments cannot be used together: --propertiesFilePath, --noPropertiesFile
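The dependent and exclusive argument sets above are a small constraint model, and it is useful to be able to check a command line against them before the tool is run, for instance when wrapping ldappasswordmodify in a provisioning script. The following Python is an added example and is not part of the ldappasswordmodify tool itself: it writes the two rule tables down as data and reports every violated rule. It assumes that every token beginning with `--` is an argument name (both the `--name value` and `--name=value` spellings are accepted) and recognises only the short form -V listed in this reference.

```python
"""Pre-flight check of ldappasswordmodify argument combinations.

Added example; this is not part of the ldappasswordmodify tool itself.  The
dependent and exclusive argument sets from the tool's reference are written
down as data and a proposed command line is checked against them locally, so
a mistake such as --trustAll without --useSSL is reported before any
connection is attempted.  Assumption: every token beginning with '--' is an
argument name ('--name value' and '--name=value' are both accepted), and only
the short form -V from the reference is recognised.
"""

# Dependent argument sets: if the key argument is present, at least one of the
# arguments in the tuple must also be present.
DEPENDENT = {
    "--keyStorePassword": ("--keyStorePath",),
    "--keyStorePasswordFile": ("--keyStorePath",),
    "--promptForKeyStorePassword": ("--keyStorePath",),
    "--trustStorePassword": ("--trustStorePath",),
    "--trustStorePasswordFile": ("--trustStorePath",),
    "--promptForTrustStorePassword": ("--trustStorePath",),
    "--keyStorePath": ("--useSSL", "--useStartTLS"),
    "--trustStorePath": ("--useSSL", "--useStartTLS"),
    "--defaultTrust": ("--useSSL", "--useStartTLS"),
    "--trustAll": ("--useSSL", "--useStartTLS"),
    "--bindPassword": ("--bindDN", "--saslOption"),
    "--bindPasswordFile": ("--bindDN", "--saslOption"),
    "--promptForBindPassword": ("--bindDN", "--saslOption"),
    "--provideBindDNAsUserIdentity": ("--bindDN",),
    "--generatedPasswordLength": ("--generateClientSideNewPassword",),
    "--generatedPasswordCharacterSet": ("--generateClientSideNewPassword",),
    "--assuredReplicationLocalLevel": ("--useAssuredReplication",),
    "--assuredReplicationRemoteLevel": ("--useAssuredReplication",),
    "--assuredReplicationTimeout": ("--useAssuredReplication",),
    "--appendToOutputFile": ("--outputFile",),
    "--teeOutput": ("--outputFile",),
}

# Exclusive argument sets: no two arguments from the same set may be present.
EXCLUSIVE = [
    ("--useSSL", "--useStartTLS"),
    ("--keyStorePassword", "--keyStorePasswordFile", "--promptForKeyStorePassword"),
    ("--trustStorePassword", "--trustStorePasswordFile", "--promptForTrustStorePassword"),
    ("--defaultTrust", "--trustAll"),
    ("--trustAll", "--trustStorePath"),
    ("--bindDN", "--saslOption", "--useSASLExternal"),
    ("--bindPassword", "--bindPasswordFile", "--promptForBindPassword"),
    ("--userIdentity", "--provideBindDNAsUserIdentity"),
    ("--newPassword", "--newPasswordFile", "--promptForNewPassword",
     "--generateClientSideNewPassword"),
    ("--currentPassword", "--currentPasswordFile", "--promptForCurrentPassword"),
    ("--retireCurrentPassword", "--purgeCurrentPassword"),
    ("--propertiesFilePath", "--noPropertiesFile"),
]

# The only short form listed in the reference; others are out of scope here.
SHORT_FORMS = {"-V": "--version"}


def present_arguments(argv):
    """Return the set of long-form argument names that appear in argv.

    Value tokens (anything not starting with '--') are skipped, so a value
    that itself begins with '--' would be misread; that is the one known
    limitation of this simplified scan.
    """
    names = set()
    for token in argv:
        if token.startswith("--"):
            names.add(token.split("=", 1)[0])  # '--name=value' -> '--name'
        elif token in SHORT_FORMS:
            names.add(SHORT_FORMS[token])
    return names


def check_arguments(argv):
    """Return the list of violated rules; an empty list means the set passes."""
    names = present_arguments(argv)
    problems = []
    for arg, required in sorted(DEPENDENT.items()):
        if arg in names and not names.intersection(required):
            problems.append(f"{arg} requires {' or '.join(required)}")
    for group in EXCLUSIVE:
        used = [a for a in group if a in names]
        if len(used) > 1:
            problems.append("cannot be used together: " + ", ".join(used))
    return problems


if __name__ == "__main__":
    # The self-change example from the reference, then a constructed variant
    # that asks to trust every certificate without enabling TLS at all.
    good = ["--hostname", "ds.example.com", "--port", "636", "--useSSL",
            "--userIdentity", "u:jdoe", "--promptForCurrentPassword",
            "--promptForNewPassword"]
    bad = ["--hostname", "ds.example.com", "--trustAll", "--userIdentity",
           "u:jdoe", "--promptForNewPassword", "--newPassword=hunter2"]
    print("good:", check_arguments(good) or "ok")
    print("bad: ", check_arguments(bad))
```

Because the rules are plain data, the same tables can be reused to reject a generated command line in an automation pipeline before a password ever leaves the host.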
Examples
- Perform a self password change as the user with a username of 'jdoe', with both the current and new passwords obtained from interactive prompting. The tool will automatically determine the best method to use to change the password.
ldappasswordmodify --hostname ds.example.com --port 636 --useSSL \
--userIdentity u:jdoe --promptForCurrentPassword \
--promptForNewPassword
- Use a regular LDAP modify operation to perform an administrative reset of the password for user 'uid=jdoe,ou=People,dc=example,dc=com'. The tool will generate a new password for the user.
ldappasswordmodify --hostname ds.example.com --port 636 --useSSL \
--bindDN uid=admin,dc=example,dc=com \
--bindPasswordFile admin-password.txt \
--userIdentity uid=jdoe,ou=People,dc=example,dc=com \
--generateClientSideNewPassword --passwordChangeMethod ldap-modify
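When the tool settles on the password modify extended operation for a command like the first example, the user identity and both prompted passwords are sent to the server as plain octet strings inside a BER-encoded request value defined in RFC 3062; nothing in the operation itself protects them, which is why the example connects over --useSSL. The following Python is an added example, not code from the ldappasswordmodify tool: it encodes and decodes that request value (and the response value carrying a server-generated password) using the OID and tags from RFC 3062. The identity and passwords in it are constructed sample values.

```python
"""Encoding of the RFC 3062 password modify extended request value.

Added example; not code from the ldappasswordmodify tool.  The OID and tag
values come from RFC 3062; the sample identity and passwords are constructed.
"""

PASSWORD_MODIFY_REQUEST_OID = "1.3.6.1.4.1.4203.1.11.1"

# ASN.1 from RFC 3062, with the BER tag byte each field is encoded with:
#   PasswdModifyRequestValue ::= SEQUENCE {          -- 0x30
#       userIdentity [0] OCTET STRING OPTIONAL,      -- 0x80
#       oldPasswd    [1] OCTET STRING OPTIONAL,      -- 0x81
#       newPasswd    [2] OCTET STRING OPTIONAL }     -- 0x82
#   PasswdModifyResponseValue ::= SEQUENCE {
#       genPasswd    [0] OCTET STRING OPTIONAL }     -- 0x80
TAG_SEQUENCE = 0x30
REQUEST_FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
RESPONSE_FIELDS = {0x80: "genPasswd"}


def ber_length(n):
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_element(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def encode_request_value(user_identity=None, old_password=None, new_password=None):
    """Build the request value.  A None field is simply omitted; omitting the
    new password is how the client asks the server to generate one."""
    body = b""
    for tag, value in ((0x80, user_identity), (0x81, old_password), (0x82, new_password)):
        if value is not None:
            body += ber_element(tag, value.encode("utf-8"))
    return ber_element(TAG_SEQUENCE, body)


def read_element(data, pos):
    """Read the element starting at pos; return (tag, content, next position)."""
    if pos + 2 > len(data):
        raise ValueError("truncated element header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0:
            raise ValueError("indefinite length is not permitted in LDAP BER")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    else:
        length = first
    content = data[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated element content")
    return tag, content, pos + length


def decode_value(data, fields):
    """Decode a request or response SEQUENCE into a dict of named fields."""
    tag, body, end = read_element(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, content, pos = read_element(body, pos)
        if tag not in fields:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        result[fields[tag]] = content.decode("utf-8")
    return result


def decode_request_value(data):
    return decode_value(data, REQUEST_FIELDS)


def decode_response_value(data):
    return decode_value(data, RESPONSE_FIELDS)


if __name__ == "__main__":
    # Constructed values standing in for the prompted passwords of the
    # self-change example.  Both passwords are visible verbatim in the bytes.
    value = encode_request_value("u:jdoe", "old-secret", "new-secret")
    print(PASSWORD_MODIFY_REQUEST_OID, value.hex())
    print(decode_request_value(value))
```

Running the script shows the old and new password bytes in the clear inside the hex dump; the decoder is deliberately strict (definite lengths only, exactly one outer SEQUENCE, known tags only) so that a malformed value raises rather than being silently misread.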