---
title: ldappasswordmodify
description: ldappasswordmodify — perform LDAP password modifications
component: pingds
version: 8.1
page_id: pingds:tools-reference:ldappasswordmodify
canonical_url: https://docs.pingidentity.com/pingds/8.1/tools-reference/ldappasswordmodify.html
section_ids:
  synopsis: Synopsis
  ldappasswordmodify-description: Description
  ldappasswordmodify-options: Options
  exit_codes: Exit codes
  files: Files
---

# ldappasswordmodify

`ldappasswordmodify` — perform LDAP password modifications

## Synopsis

`ldappasswordmodify {options}`

## Description

This utility can be used to perform LDAP password modify operations in the Directory Server.

## Options

The `ldappasswordmodify` command takes the following options:

Command options:

* `-a | --authzId {authzID}`

  Authorization ID for the user entry whose password should be changed. The authorization ID is a string having either the prefix "dn:" followed by the user's distinguished name, or the prefix "u:" followed by a user identifier that depends on the identity mapping used to match the user identifier to an entry in the directory. Examples include "dn:uid=bjensen,ou=People,dc=example,dc=com", and, if we assume that "bjensen" is mapped to Barbara Jensen's entry, "u:bjensen".

* `-c | --currentPassword[:env|:file] {currentPassword}`

  Current password for the target user.

* `-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}`

  Use a request control with the provided information. For some *controloid* values, you can replace object identifiers with user-friendly strings. The values are not case-sensitive:

  * `Assertion` , `LdapAssertion`

    Assertion Request Control, Object Identifier: 1.3.6.1.1.12

  * `AccountUsable` , `AccountUsability`

    Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

  * `AuthzId` , `AuthorizationIdentity`

    Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

  * `Csn` , `ChangeSequenceNumber`

    Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9 This is an internal DS server control.

  * `EffectiveRights` , `GetEffectiveRights`

    Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

  * `ManageDsaIt`

    Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

  * `Noop` , `No-Op`

    No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

  * `PwdPolicy` , `PasswordPolicy`

    Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

  * `PasswordQualityAdvice`

    Password Quality Advice Request Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.5

  * `PermissiveModify`

    Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413

  * `PSearch` , `PersistentSearch`

    Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3

  * `PostRead`

    Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2

  * `PreRead`

    Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1

  * `ProxiedAuthV1`

    Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12

  * `ProxiedAuth` , `ProxiedAuthV2`

    Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18

  * `RealAttrsOnly` , `RealAttributesOnly`

    Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

  * `RelaxRules`

    Relax Rules Request Control, Object Identifier: 1.3.6.1.4.1.4203.666.5.12

  * `TreeDelete` , `SubTreeDelete`

    Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

  * `Sort` , `ServerSideSort`

    Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473

  * `PagedResults` , `SimplePagedResults`

    Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319

  * `SubEntries`

    Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1

  * `TxnId` , `TransactionId`

    Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1 This is an internal ForgeRock control.

  * `VirtualAttrsOnly` , `VirtualAttributesOnly`

    Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

  * `Vlv` , `VirtualListView`

    Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9

* `-n | --newPassword[:env|:file] {newPassword}`

  New password to provide for the target user.

* `-Y | --proxyAs {authzID}`

  Use the proxied authorization control with the given authorization ID.

LDAP connection options:

* `--connectTimeout {timeout}`

  Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out. Default: 30000

* `-D | --bindDn {bindDN}`

  DN to use to bind to the server. Default:

* `-E | --reportAuthzId`

  Use the authorization identity control. Default: false

* `-h | --hostname {host}`

  Fully-qualified server host name or IP address. Default: localhost.localdomain

* `--keyStorePath {keyStorePath}`

  The keystore containing the certificate which should be used for SSL client authentication.

* `--keyStoreProviderArg {argument}`

  Configuration argument for the key store provider.

* `--keyStoreProviderClass {class}`

  Full class name of the key store provider.

* `--keyStoreProviderName {name}`

  Name of the key store provider.

* `--keyStoreType {keyStoreType}`

  The type of the keystore (e.g. \[JKS|JCEKS|PKCS12|PKCS11|\<other>]).

* `-N | --certNickname {nickname}`

  Nickname of the certificate that should be sent to the server for SSL client authentication.

* `-o | --saslOption {name=value}`

  SASL bind options.

* `-p | --port {port}`

  Directory server port number.

* `-q | --useStartTls`

  Use StartTLS to secure communication with the server. Default: false

* `-T | --trustStorePassword[:env|:file] {trustStorePassword}`

  Truststore password which will be used as the cleartext configuration value.

* `--trustStorePath {trustStorePath}`

  Use this truststore for validating server certificate.

* `--trustStoreProviderArg {argument}`

  Configuration argument for the trust store provider.

* `--trustStoreProviderClass {class}`

  Full class name of the trust store provider.

* `--trustStoreProviderName {name}`

  Name of the trust store provider.

* `--trustStoreType {trustStoreType}`

  The type of the truststore (e.g. \[JKS|JCEKS|JVM|PKCS12|\<other>]).

* `--usePasswordPolicyControl`

  Use the password policy request control. Default: false

* `-w | --bindPassword[:env|:file] {bindPassword}`

  Password to use to bind to the server. Omit this option while providing the bind DN to ensure that the command prompts for the password, rather than entering the password as a command argument.

* `-W | --keyStorePassword[:env|:file] {keyStorePassword}`

  Keystore password which will be used as the cleartext configuration value.

* `-X | --trustAll`

  Trust all server SSL certificates. Default: false

* `-Z | --useSsl`

  Use SSL for secure communication with the server. Default: false

Utility input/output options:

* `--no-prompt`

  Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail. Default: false

* `--noPropertiesFile`

  No properties file will be used to get default command line argument values. Default: false

* `--propertiesFilePath {propertiesFilePath}`

  Path to the file containing default property values used for command line arguments.

* `-v | --verbose`

  Use verbose mode. Default: false

General options:

* `-V | --version`

  Display Directory Server version information. Default: false

* `-H | --help`

  Display this usage information. Default: false

## Exit codes

* 0

  The command completed successfully.

* ldap-error

  An LDAP error occurred while processing the operation. LDAP result codes are described in [RFC 4511](https://www.rfc-editor.org/rfc/rfc4511.html#appendix-A) . Also see the additional information for details.

* 89

  An error occurred while parsing the command-line arguments.

## Files

You can use `~/.opendj/tools.properties` to set the defaults for bind DN, host name, and port number as in the following example:

```
hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389
```