RFC 3062 (rfc3062) - Page 2 of 6


LDAP Password Modify Extended Operation



Alternative Format: Original Text Document



RFC 3062        LDAP Password Modify Extended Operation    February 2001


   The integration [RFC 2829] of application neutral SASL [RFC 2222]
   services which support simple username/password mechanisms (such as
   DIGEST-MD5) has introduced non-LDAP DN authentication identity forms
   and made storage of passwords the responsibility of the SASL service
   provider.

   LDAP update operations are designed to act upon attributes of an
   entry within the directory.  LDAP update operations cannot be used to
   modify a user's password when the user is not represented by a DN,
   does not have a entry, or when that password used by the server is
   not stored as an attribute of an entry.  An alternative mechanism is
   needed.

   This document describes an LDAP Extended Operation intended to allow
   directory clients to update user passwords.  The user may or may not
   be associated with a directory entry.  The user may or may not be
   represented as an LDAP DN.  The user's password may or may not be
   stored in the directory.

   The operation SHOULD NOT be used without adequate security protection
   as the operation affords no privacy or integrity protect itself.
   This operation SHALL NOT be used anonymously.

2.  Password Modify Request and Response

   The Password Modify operation is an LDAPv3 Extended Operation
   [RFC 2251, Section 4.12] and is identified by the OBJECT IDENTIFIER
   passwdModifyOID.  This section details the syntax of the protocol
   request and response.

   passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1

   PasswdModifyRequestValue ::= SEQUENCE {
     userIdentity    [0]  OCTET STRING OPTIONAL
     oldPasswd       [1]  OCTET STRING OPTIONAL
     newPasswd       [2]  OCTET STRING OPTIONAL }

   PasswdModifyResponseValue ::= SEQUENCE {
     genPasswd       [0]     OCTET STRING OPTIONAL }

2.1.  Password Modify Request

   A Password Modify request is an ExtendedRequest with the requestName
   field containing passwdModifyOID OID and optionally provides a
   requestValue field.  If the requestValue field is provided, it SHALL
   contain a PasswdModifyRequestValue with one or more fields present.





Zeilenga                    Standards Track