LDAP Password Modify Extended Operation
RFC 3062 LDAP Password Modify Extended Operation February 2001
The integration [RFC 2829] of application neutral SASL [RFC 2222]
services which support simple username/password mechanisms (such as
DIGEST-MD5) has introduced non-LDAP DN authentication identity forms
and made storage of passwords the responsibility of the SASL service
provider.
LDAP update operations are designed to act upon attributes of an
entry within the directory. LDAP update operations cannot be used to
modify a user's password when the user is not represented by a DN,
does not have an entry, or when the password used by the server is
not stored as an attribute of an entry. An alternative mechanism is
needed.
This document describes an LDAP Extended Operation intended to allow
directory clients to update user passwords. The user may or may not
be associated with a directory entry. The user may or may not be
represented as an LDAP DN. The user's password may or may not be
stored in the directory.
The operation SHOULD NOT be used without adequate security protection,
as the operation itself affords no privacy or integrity protection:
the old and new passwords are carried as plain OCTET STRINGs and are
only as protected as the underlying connection (for example, TLS).
This operation SHALL NOT be used anonymously.
2. Password Modify Request and Response
The Password Modify operation is an LDAPv3 Extended Operation
[RFC 2251, Section 4.12] and is identified by the OBJECT IDENTIFIER
passwdModifyOID. This section details the syntax of the protocol
request and response.
passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1
PasswdModifyRequestValue ::= SEQUENCE {
userIdentity [0] OCTET STRING OPTIONAL
oldPasswd [1] OCTET STRING OPTIONAL
newPasswd [2] OCTET STRING OPTIONAL }
PasswdModifyResponseValue ::= SEQUENCE {
genPasswd [0] OCTET STRING OPTIONAL }
2.1. Password Modify Request
A Password Modify request is an ExtendedRequest with the requestName
field containing passwdModifyOID and, optionally, a requestValue
field. If the requestValue field is provided, it SHALL contain a
PasswdModifyRequestValue with one or more fields present.
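The following is an added example, not text or code from RFC 3062, showing how the PasswdModifyRequestValue and PasswdModifyResponseValue above are laid out on the wire and how the request value is wrapped in the LDAPv3 ExtendedRequest of RFC 2251. It assumes LDAP's IMPLICIT tagging, so the [0], [1] and [2] fields become context-specific primitive tags 0x80, 0x81 and 0x82, and that extendedReq is [APPLICATION 23] constructed (tag byte 0x77). The DN and passwords in the sample are constructed; the encoder enforces the "one or more fields present" rule from section 2.1 and the decoder rejects unknown, repeated or trailing elements. Standard library only.

```python
# Added example (not from RFC 3062): minimal BER for RFC 3062 values plus the
# RFC 2251 ExtendedRequest envelope. Assumes IMPLICIT tags ([0]/[1]/[2] ->
# 0x80/0x81/0x82) and extendedReq = [APPLICATION 23] constructed (0x77).

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23], constructed
REQUEST_FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Non-negative INTEGER; an extra leading byte keeps the sign bit clear."""
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def parse_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _as_bytes(v):
    return v.encode("utf-8") if isinstance(v, str) else v


def encode_passwd_modify_request_value(user_identity=None, old_passwd=None,
                                       new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { [0] [1] [2], all OPTIONAL }.
    Section 2.1: a requestValue that is present must carry at least one field."""
    fields = b""
    for tag, val in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if val is not None:
            fields += tlv(tag, _as_bytes(val))
    if not fields:
        raise ValueError("requestValue must contain one or more fields")
    return tlv(TAG_SEQUENCE, fields)


def decode_passwd_modify_request_value(data: bytes) -> dict:
    """Inverse of the encoder; rejects unknown tags, duplicates and trailing bytes."""
    tag, body, end = parse_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        name = REQUEST_FIELDS.get(tag)
        if name is None or name in out:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        out[name] = val
    if not out:
        raise ValueError("requestValue must contain one or more fields")
    return out


def decode_passwd_modify_response_value(data: bytes):
    """PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }.
    Returns the generated password bytes, or None when the field is absent."""
    tag, body, end = parse_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    if not body:
        return None
    tag, val, pos = parse_tlv(body, 0)
    if tag != 0x80 or pos != len(body):
        raise ValueError("only genPasswd [0] is allowed in the response value")
    return val


def encode_extended_request(message_id: int, request_value=None) -> bytes:
    """LDAPMessage { messageID INTEGER, protocolOp extendedReq } with
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
        requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }."""
    ext = tlv(0x80, PASSWD_MODIFY_OID.encode("ascii"))
    if request_value is not None:
        ext += tlv(0x81, request_value)
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_EXTENDED_REQUEST, ext))


if __name__ == "__main__":
    # Constructed sample: alice changes her own password, supplying the old one.
    value = encode_passwd_modify_request_value(
        "uid=alice,dc=example,dc=com", "old-secret", "new-secret")
    print(encode_extended_request(1, value).hex())
    print(decode_passwd_modify_request_value(value))
```

Note that every field in the hex dump is readable as-is: nothing in the operation hides the old or new password, which is why the document restricts it to connections that already provide privacy and integrity protection.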
Zeilenga Standards Track