Mass LDAP password reset

A colleague of mine wanted to reset the passwords for 20 different users without using Directory Studio. Here are his notes in case you run into a similar situation.

  1. Generate a list of the users' UIDs, one per line, and save it in a file called users.list.
  2. Create a file called genldif.sh and put the following code block in it:
    #!/bin/bash
    # Appends one modify record for the user named in $WHATUSER.
    : "${WHATUSER:?set WHATUSER to the uid of the user to reset}"
    # The empty line before EOF separates records; LDIF requires a blank line between entries.
    cat >> ldap_change_passwd_.ldif <<EOF
    dn: uid=${WHATUSER},ou=People,dc=example,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}hashed password

    EOF
    
    Note: Replace hashed password above with your real default password hash.
  3. Make the file executable:
    chmod u+x genldif.sh
    
  4. Run the script for each user in your list to generate the LDIF file:
    for k in $(cat users.list); do export WHATUSER=${k} ; ./genldif.sh; done
    
  5. Load the LDIF file ldap_change_passwd_.ldif into your primary LDAP server:
    ldapmodify -x -H ldaps://<ldap server>:636 -D "cn=Directory Manager" -f ldap_change_passwd_.ldif -W
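The same generation step as one script, added here as an example rather than taken from the colleague's notes: it builds the whole LDIF in a single pass, separates the records with the blank line LDIF requires, skips comment and empty lines, rejects UIDs that would alter the DN, and counts the records so you can check the file before loading it. The base DN, file names, sample UIDs and the placeholder hash are constructed assumptions.

```shell
#!/bin/bash
# Added example, not part of the original notes. BASE_DN, file names and the
# sample UIDs are constructed; the hash placeholder stands in for a real {SSHA} value.
set -eu

BASE_DN="ou=People,dc=example,dc=com"

# gen_ldif USERS_FILE PASSWORD_HASH OUTPUT_FILE
# Writes one "replace: userPassword" record per non-empty, non-comment line
# and prints the number of records written.
gen_ldif() {
  users_file=$1; hash=$2; out=$3
  : > "$out"
  n=0
  while IFS= read -r uid || [ -n "$uid" ]; do
    case "$uid" in ''|'#'*) continue ;; esac
    # Only plain account names: anything else could change the target DN.
    case "$uid" in *[!A-Za-z0-9._-]*) echo "skipping bad uid: $uid" >&2; continue ;; esac
    # Trailing empty line keeps this record separate from the next one.
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n\n' \
      "$uid" "$BASE_DN" "$hash" >> "$out"
    n=$((n + 1))
  done < "$users_file"
  echo "$n"
}

# count_records FILE: number of dn: lines, a sanity check before ldapmodify.
count_records() { grep -c '^dn: ' "$1"; }

# Demo with constructed data; in practice users.list is your real UID list and
# the hash comes from your directory's password hashing tool.
demo_dir=$(mktemp -d)
printf 'alice\nbob\n\n# not a user\ncarol\n' > "$demo_dir/users.list"
gen_ldif "$demo_dir/users.list" '{SSHA}REPLACE_WITH_REAL_HASH' "$demo_dir/ldap_change_passwd_.ldif"
count_records "$demo_dir/ldap_change_passwd_.ldif"
# Then load it as in step 5:
# ldapmodify -x -H ldaps://<ldap server>:636 -D "cn=Directory Manager" -W -f "$demo_dir/ldap_change_passwd_.ldif"
```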