The password extop plugin requires that the entry have kerberos credentials (and/or objectclass I suppose) in order to reset a password using ldappasswd. If you have an entry like this:

dn: uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: passsync
userPassword:: XXXXXX...

It fails if you do:

% ldappasswd -v -Y GSSAPI -S uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
New password:
Re-enter new password:
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
Result: Operations error (1)
Additional info: Failed to update password

DS logs:

[12/Nov/2008:15:34:36 -0500] ipa_pwd_extop - no krbPrincipalName present in this entry
[12/Nov/2008:15:34:36 -0500] ipa_pwd_extop - key encryption/encoding failed
Temporary workaround is to use ldapmodify and change the userPassword attribute.
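As an added illustration (not code from this bug report or from FreeIPA), the following Python preflight reads an entry in LDIF form, checks whether krbPrincipalName is present before attempting ldappasswd, and otherwise emits the userPassword replace LDIF for the ldapmodify workaround. The sample entry is modelled on the one in the report with a constructed placeholder password; the {SSHA} hashing assumes the bound identity is permitted to write a pre-hashed value, otherwise the cleartext would be sent and the server left to hash it.

```python
import base64
import hashlib
import os

# Constructed sample entry, modelled on the one in the report.
# The userPassword value is a base64-encoded placeholder, not a real secret.
SAMPLE_ENTRY = """dn: uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: passsync
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles '::' (base64) values and folded continuation lines (leading space).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, rest = line.split(":", 1)
        if rest.startswith(":"):                # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def extop_will_succeed(entry):
    """The IPA password extop derives Kerberos keys, so it needs krbPrincipalName."""
    return "krbprincipalname" in entry


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} userPassword scheme: base64(sha1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def workaround_ldif(dn, hashed):
    """LDIF for the ldapmodify workaround: replace userPassword directly."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hashed}",
        "",
    ])


def plan_password_change(entry_text, new_password, salt=None):
    """Decide how to change the password for the given entry.

    Returns ("ldappasswd", dn, None) when the extop can be used, or
    ("ldapmodify", dn, ldif) carrying the workaround LDIF when it cannot.
    """
    entry = parse_ldif_entry(entry_text)
    dn = entry["dn"][0]
    if extop_will_succeed(entry):
        return ("ldappasswd", dn, None)
    return ("ldapmodify", dn, workaround_ldif(dn, ssha_hash(new_password, salt)))


if __name__ == "__main__":
    tool, dn, ldif = plan_password_change(SAMPLE_ENTRY, "constructed-password")
    print(f"use {tool} for {dn}")
    if ldif:
        print(ldif)
```

Run as a script it prints the tool to use and, for an entry without krbPrincipalName, the LDIF to feed to ldapmodify. Note that an account whose password is set this way has no Kerberos keys, so it can only authenticate with an LDAP simple bind, which is exactly the situation the log line "no krbPrincipalName present in this entry" describes.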
Created attachment 408651: Don't require kerberos attrs on all password changes
master: ba85312bf1304d20f4199038bcf4a3f900dad7cf