How to let users to change OpenLDAP password themselves through Linux CLI

Environment: OpenLDAP on Linux (CentOS, Fedora, Redhat or OEL), already configured the userpassword attribute.
Objective:  to let users to change their LDAP userpassword attribute themselves.

1.  configure access control part in slapd.conf

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
        by * none

# note: above 'by self write' and 'by anonymous auth' attibutes
are very important, otherwise the users cannot change password by
access to attr=proxyAccess
        by self read
        by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
        by * none

access to *
        by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
        by users read
2.  user ldapmodify to change it.
  • Method 1:  use ldapmodify with Manager DN
ldapmodify -x -H ldap://  -D 'cn=Manager,dc=dev,dc=domain,dc=com' -W -f jephe.ldapmodify

[root@mars openldap]# more jephe.ldapmodify
dn: uid=jephe,ou=people,dc=dev,dc=domain,dc=com
replace: userpassword
userpassword: {MD5}risfylFZSeXVT7IrjtlVdQ==

You can use command 'slappasswd -h {MD5}' to generate userpassword line above
New password: testing
Re-enter new password: testing

  • Method 2 :  use ldapmodify with user own DN
ldapmodify -x -H ldap:// -D 'uid=jephe,ou=people,dc=dev,dc=domain,dc=com' -W -f jephe.ldapmodify
Enter LDAP Password:
modifying entry "uid=jephe,ou=people,dc=dev,dc=domain,dc=com"

3. use ldappasswd to change it
  • Method 3:  use ldappasswd with Manager DN
ldappasswd -x  -D cn=Manager,dc=dev,dc=domain,dc=com -w password  -s password uid=jephe,ou=People,dc=dev,dc=domain,dc=com
Result: Success (0)

  • Method 4: use ldappasswd with user own DN
ldappasswd -x  -D uid=jephe,ou=People,dc=dev,dc=domain,dc=com -w abcd1234  -s 12345 uid=jephe,ou=People,dc=dev,dc=domain,dc=com
Result: Success (0)

3. ldapmodify to modify some attributes:

ldapmodify -c -x -D "cn=admin......" -w -f filename.ldif

# more filename.ldif
dn: cn=.....
changetype: modify
replace: loginShell
loginshell: /bin/bash

4. backup and restore ldap database

slapcat -b "dc=jephe,dc=com" -l ldif_file
/usr/local/openldap/sbin/slapadd -b "dc=jephe,dc=com" -l ldif_file