Users unable to login – Openldap

Q. All the LDAP users unable to login and getting access denied error. How to fix without losing any of user information?

First check whether the user’s password expired or locked


1. This command retrieve user password status related ppolicy. The password expired/locked will be notified.

#ldapwhoami -xW -D uid=emp1,ou=people,dc=sunt,dc=com -v -e ppolicy

Note: You need to enter user emp1 credentials.

2. Use this simple script to find all the user password age. Replace the ROOTDN and ROOTPW with appropriate values.

#ROOTDN=”Your rootdn value”
#ROOTPW=”Your rootdn password”
for i in `ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL  '(&(userpassword=*)(pwdchangedtime=*))' dn|awk '{print $2}'`
 USERID=`echo $i|awk -F, '($1~uid){print $1}'|awk -F= '{print $2}'`
 PWCGE=`ldapsearch -xw $ROOTPW -D $ROOTDN -b $i -LLL  pwdchangedtime|grep -i  ^pwdchangedtime|awk '{print $2}'|sed 's/Z//'`
 EXDTE=`echo $PWCGE |cut -c 1-8`
 EXTME=`echo $PWCGE |cut -c 9- |sed 's/.\{2\}/&:/g' |cut -c -8`
 EXSEC=`date -d "$EXDTE $EXTME" +%s`
 CDSEC=`date -u +%s`
 DIFF=`expr \( $CDSEC / 86400 \) - \( $EXSEC / 86400 \)`
echo “$USERID password age is $DIFF”

Does the users password has expired? If yes, now LDAP admin have to reset password for each user. It is not so easy task. Wouldn’t be great if there is any simple solution?


Yeah, using LDAP query and modify command reset all user password to the same existing one.

#ROOTDN=”Your rootdn value”
#ROOTPW=”Your rootdn password”
#ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL  '(&(userpassword=*)(pwdchangedtime=*))' userpassword | \
sed '/^userPassword:/ i\replace: userpassword'|ldapmodify -xw $ROOTPW -D $ROOTDN

This command set the last password changed time to current time. It will never change the password.


Now all users password is active. But prior it was in expiry state. So the account might get locked. It must be unlocked.

Use this command to get list of locked accounts from LDAP.

# ldapsearch -xw $ROOTPW -D $ROOTDN –b dc=sunt,dc=com -LLL  '(&(userpassword=*)(pwdAccountLockedTime=*))' pwdaccountlockedtime

The below command unlock all the users account password immediately.

#ldapsearch -xw $ROOTPW -D $ROOTDN  -b dc=sunt,dc=com -LLL  '(&(userpassword=*)(pwdAccountLockedTime=*))' dn | \
sed '/^dn:/ a\delete: pwdAccountLockedTime' |ldapmodify -xw $ROOTPW -D $ROOTDN

Now the users will be able login with their current password.

Did this post helped you? If you have any comments/suggestion, write here.