<para>A more flexible (and probably more secure) approach can be

  <para>A more flexible (and probably more secure) approach can be

	used by writing a custom program, or even a web interface.  The

	used by writing a custom program, or even a web interface.

	following is part of a <application>Ruby</application> library

	The following is modeled on a <application>Python</application>

	that can change LDAP passwords.  It sees use both on the command

	library that can change LDAP passwords.  It sees use both

	line, and on the web.</para>

	on the command line, and on the web.</para>

      <example id="chpw-ruby">

      <example id="chpw-python">

	<title>Ruby script for changing passwords</title>

	<title>Python script for changing passwords</title>

	<programlisting><![CDATA[require 'ldap'

	<programlisting><![CDATA[import ldap # python-ldap

require 'base64'

import os, sys

require 'digest'

from getpass import getpass

require 'password' # ruby-password

uri = "ldap://ldap1.dimins.com"

ldap_server = "ldap.example.org"

searchbase = "ou=people,dc=dimins,dc=com"

luser = "uid=#{ENV['USER']},ou=people,dc=example,dc=org"

filter = "(&(objectClass=posixAccount)(uid=%s))"

# get the new password, check it, and create a salted hash from it

# get the username; if none is given, use the current user

def get_password

user = os.environ['USER']

  pwd1 = Password.get("New Password: ")

if len(sys.argv) > 1:

  pwd2 = Password.get("Retype New Password: ")

    user = sys.argv[1]

  raise if pwd1 != pwd2

ldapobj = ldap.initialize(uri)

  pwd1.check # check password strength

ldapobj.start_tls_s() # this is pretty important

  salt = rand.to_s.gsub(/0\./, '')

# Get the users DN, and then bind as that.

  pass = pwd1.to_s

# The way to do this is first bind anonymously (if you don't allow anon

  hash = "{SSHA}"+Base64.encode64(Digest::SHA1.digest("#{pass}#{salt}")+salt).chomp!

# binds, there's probably some standard account you use for this.

  return hash

ldapobj.simple_bind_s()

end

# Search for a user with the uid we gave.  We search everything under

oldp = Password.get("Old Password: ")

# the "base" we configure above (as there may be other users with the same

newp = get_password

# UID elsewhere in the tree; we don't want to return those.

result = ldapobj.search_s(searchbase, ldap.SCOPE_SUBTREE, filter%user)

# We'll just replace it.  That we can bind proves that we either know

# the old password or are an admin.

if len(result) > 1:

    # This is kind of suspicious; we only want one user.

replace = LDAP::Mod.new(LDAP::LDAP_MOD_REPLACE | LDAP::LDAP_MOD_BVALUES,

    print "I found several users that match that user id."

                        "userPassword",

    print "Talk to your sysadmin."

                        [newp])

    sys.exit(1)

conn = LDAP::SSLConn.new(ldap_server, 389, true)

# The results are an array of (dn, attrlist) tuples.

conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)

dn = result[0][0]

conn.bind(luser, oldp)

conn.modify(luser, [replace])]]></programlisting>

# Now we get the user's old password, and bind to the server with it

# and his DN.  If it succeeds, he (and we) have the proper credentials to

# change his password.

passwd = getpass("current password: ")

try:

    ldapobj.simple_bind_s(dn, passwd)

except ldap.INVALID_CREDENTIALS:

    print "Bad password."

    sys.exit(1)

# Get and confirm new password.

npass1 = 'a'

npass2 = 'b'

while npass1 != npass2:

    npass1 = getpass("new password: ")

    npass2 = getpass("new password (again): ")

# This is the key.  This uses the LDAP Password Modify Extended Operation.

# It is important to use this when you can, although not all libraries

# (e.g. ruby-ldap) support it.  See rfc3062.

ldapobj.passwd_s(dn, passwd, npass1)

# And we're done.

ldapobj.unbind()]]></programlisting>