I can't seem to change a user's password using the ldap3 python module against an OpenLDAP server. A similar question has been asked before but that's specific to Active Directory.
What I've tried:
from ldap3 import HASHED_SALTED_SHA
from ldap3.extend.standard.modifyPassword import ModifyPassword
from ldap3.utils.hashed import hashed

# connection is an already bound ldap3.Connection; user is an Entry returned by a search
password = 'the new cleartext password'
password = hashed(HASHED_SALTED_SHA, password)
# or..
password = '{SASL}[email protected]'
modify = ModifyPassword(
    connection, user.entry_get_dn(), new_password=password)
resp = modify.send()
print(modify.result)
{'referrals': None, 'result': 0, 'description': 'success', 'type': 'extendedResp', 'message': '', 'responseName': None, 'new_password': None, 'dn': '', 'responseValue': None}
The description says success, but the password isn't actually changed.
I've also tried to send a modify replace message:
import logging
from ldap3 import HASHED_SALTED_SHA, MODIFY_REPLACE
from ldap3.utils.hashed import hashed

logger = logging.getLogger(__name__)

# method of a class that keeps the bound connection in self.engage_conn
def modify_user_password(self, user, password):
    dn = user.entry_get_dn()
    # hard-coded test value; the password argument is not used in this version
    hashed_password = hashed(HASHED_SALTED_SHA, 'MyStupidPassword')
    changes = {
        'userPassword': [(MODIFY_REPLACE, [hashed_password])]
    }
    logger.debug('dn: ' + dn)
    logger.debug('changes: ' + str(changes))
    success = self.engage_conn.modify(dn, changes=changes)
    if success:
        logger.debug('Changed password for: %s', dn)
        print(self.engage_conn.result)
    else:
        logger.warning('Unable to change password for %s', dn)
        logger.debug(str(self.engage_conn.result))
        raise ValueError('stop')
The connection is not an SSL connection. The answer to the AD question requires that the connection be over SSL. Is this also a requirement for OpenLDAP?
Edit:
After changing the dn to user.entry_get_dn() the code seemed to work about 90% of the time. After running these tests again today it appears that it now works consistently. I'm going to chalk this up to not viewing fresh data in my directory browser.
Changing the password seems to work as described in the docs and shown in the edit of my question above. For future reference, this code seems to work:
from ldap3 import (
    HASHED_SALTED_SHA, MODIFY_REPLACE
)
from ldap3.utils.hashed import hashed

# method of a class that keeps the bound connection in self.connection
def modify_user_password(self, user, password):
    dn = user.entry_get_dn()
    # store a salted SHA-1 value ({SSHA}...) rather than the cleartext
    hashed_password = hashed(HASHED_SALTED_SHA, password)
    changes = {
        'userPassword': [(MODIFY_REPLACE, [hashed_password])]
    }
    success = self.connection.modify(dn, changes=changes)
    if not success:
        print('Unable to change password for %s' % dn)
        print(self.connection.result)
        raise ValueError('Unable to change password')
To clarify a few things:
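The answer writes a pre-hashed {SSHA} value into userPassword, so the reliable way to confirm the change took is not a directory browser's view (which, as the edit to the question notes, may be stale) but reading the attribute back and verifying it, or binding as the user with the new password. The following is an added example, not code from the question, the answer or the ldap3 project: it reimplements the {SSHA} layout that hashed(HASHED_SALTED_SHA, ...) and slappasswd produce using only the standard library, plus a verifier that also accepts unsalted {SHA} and a helper for the value list ldap3 returns. The names ssha_hash, ssha_verify and check_readback are mine, and the passwords used in the comments are constructed test data.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).

    Same layout as ldap3's hashed(HASHED_SALTED_SHA, ...) and `slappasswd -h {SSHA}`,
    reimplemented here on the standard library so the file runs without ldap3
    (assumption: a 4-byte random salt, which is what slapd itself uses).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: str, stored: str) -> bool:
    """Return True if `candidate` matches a stored {SSHA} or {SHA} userPassword value.

    OpenLDAP treats the scheme tag case-insensitively, so "{ssha}" is accepted too.
    Other schemes ({CRYPT}, {MD5}, {PBKDF2-...}) are out of scope and return False.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False  # not scheme-prefixed, e.g. a cleartext userPassword
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    scheme = scheme.upper()
    if scheme == "SSHA":
        if len(raw) <= 20:  # 20-byte SHA-1 digest followed by a non-empty salt
            return False
        digest, salt = raw[:20], raw[20:]
    elif scheme == "SHA":
        if len(raw) != 20:
            return False
        digest, salt = raw, b""
    else:
        return False
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def check_readback(stored_values, candidate: str) -> bool:
    """Confirm that the new password is present among the userPassword values read back.

    ldap3 returns userPassword as a list of bytes (e.g. entry.userPassword.values);
    str values are accepted as well for convenience.
    """
    for value in stored_values:
        text = value.decode("utf-8") if isinstance(value, bytes) else value
        if ssha_verify(candidate, text):
            return True
    return False


if __name__ == "__main__":
    # constructed sample: what slapd would hand back after the modify in the answer
    stored = [ssha_hash("MyStupidPassword").encode("ascii")]
    print(stored[0].decode())
    print("new password active:", check_readback(stored, "MyStupidPassword"))
```

After `self.connection.modify(...)` returns True, a follow-up `self.connection.search(dn, '(objectClass=*)', attributes=['userPassword'])` and `check_readback(self.connection.entries[0].userPassword.values, password)` gives a definite answer; note that the default slapd ACL only grants `auth` access to userPassword, so the read-back needs an identity allowed to read it, which is why a fresh simple bind as the user is often the simpler check. On the SSL question in the post: unlike Active Directory, OpenLDAP does not refuse a userPassword modify over a cleartext connection unless the server enforces a minimum SSF (the `security` / `olcSecurity` directive), so the modify works without TLS, but TLS still matters because the bind credentials of the account performing the modify travel over the same connection. One further caveat of writing pre-hashed values: the ppolicy overlay cannot run password-quality checks on a value it cannot see in cleartext (pwdCheckQuality), so those checks are skipped or the write is rejected depending on that setting.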