Bug 5611 - Feature request: Implement EXOP LDAP password updating/changing
Summary: Feature request: Implement EXOP LDAP password updating/changing
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P3 enhancement (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2008-07-14 10:36 UTC by David Markey
Modified: 2014-10-14 14:11 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description David Markey 2008-07-14 10:36:17 UTC
Implement Exop LDAP password updating, used by clients such as ldappasswd and samba.

Test Plan,

Add a user to the directory and use ldappasswd to update the password, Also administrators should be able to update normal users passwords(in the event that passwords need to be reset).
Comment 1 Matthias Dieter Wallnöfer 2008-09-12 04:53:29 UTC
Marking as "Feature request"
Comment 2 Matthias Dieter Wallnöfer 2009-06-27 09:23:11 UTC
We need to support "Extended operation:"
Comment 3 Matthias Dieter Wallnöfer 2009-10-01 05:05:11 UTC
This feature doesn't seem to be present in real AD. So it's really just an enhancement.
Comment 4 Matthias Dieter Wallnöfer 2010-05-24 04:59:48 UTC
Would you still like to have this feature? We are implementing at the moment the user password change mechanism syntax available in the real AD. You might want to look at this one.
Comment 5 Andrew Bartlett 2010-05-24 05:30:48 UTC
Yes, we still want this additional feature.  It's a useful, industry standard exop that won't conflict with AD behaviours. 
Comment 6 Björn Jacke 2014-10-13 13:01:39 UTC
anyone working on this or planing to work on this?

Especially in mixed envoronments with non-AD LDAP clients like plain LDAP Unix workstations this is a must-have. Sounds funny that Samba 4 does not allow *Unix* LDAP clients to change their passwords. (Kind of) funny though ...
Comment 7 Stefan Metzmacher 2014-10-13 13:14:58 UTC
(In reply to Björn Jacke from comment #6)

I'd prefer to fix the clients to work against any AD DC
instead of only working against a Samba DC.
Comment 8 Björn Jacke 2014-10-13 13:49:21 UTC
okay, for clarification: Windows AD controllers also don't support RFC 3062 password modify extended operation. nss_ldap/sssd man change passwords with using the AD method. So offering more features than native AD controllers seems not feasible.

For people who need password modify extended operation this could be made an optional feature, which is being turned off by default thought, to be feature compatible with native AD DCs. Resolving this bug as LATER for now as this is not really needed or wanted currently.
Comment 9 Matthias Dieter Wallnöfer 2014-10-14 14:11:16 UTC
I remember that I have started implementing it long time ago: https://git.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/exop

Then I stopped to continue since the big issue was that pyldb does not permit to execute these extended operations. And also the implementation of them would have been very challenging. Jelmer, am I correct?