We Keep Coding

No such object (32) error while trying to modify olcDatabase={2}hdb.ldif

I have installed LDAP and I am able to start it.
While I am trying to modify the olcDatabase={2}hdb.ldif file I am getting "ldap_modify: No such object (32)" error.
Steps followed to modify
1) created a db.ldif file with below contains
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc= ec2,dc=internal
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc= ec2,dc=internal
dn: olcDatabase={2}hdb,cn=config
changeType: modify
add: olcRootPW
olcRootPW: {SSHA}6zHtA20qkTmdLrJSfxo+VV3QLGS7m0CZ
2) ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such object (32)
I am using centos7 and LDAP version openldap-clients-2.4.44-21.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openldap-servers-sql-2.4.44-21.el7_6.x86_64
openldap-servers-2.4.44-21.el7_6.x86_64
openldap-devel-2.4.44-21.el7_6.x86_64
collectd-openldap-5.8.1-1.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
Please help me fix this!!

There are two reasons for this result.
the entry actually doesn't exist,
it exists but you don't have permission to know that.
I suggest you try to search the cn=config database to see what it actually contains:
ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'
If the result is No such object (32), then gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth doesn't have access to the config database on your system.
If the search does return output, check whether the entry olcDatabase={2}hdb,cn=config is actually listed.

I had the same problem and to fix it I restarted slapd.service:
systemctl stop slapd.service
systemctl start slapd.service

Server ldap/example.com#EXAMPLE.COM not found in Kerberos database

Edit : Issue finally solved. The detail can be found in the troubleshooting part at the end of this message.
I leave the detailed steps here in case it could help somebody.
Setup OpenLDAP
I - Create the server
The documentation are often outdated and you will find multiple ways to achieve the same.
According to what I've read, the modern way to create a server is to use /etc/openldap/slapd.ldif instead of /etc/openldap/slapd.conf. Below is a sample configuration using letsencrypt certificates.
You can often convert a slapd.conf directive in slapd.ldif by prepending it with olc. Just make sure this is in the right dn block.
Make sure you create a directory /etc/openldap/slapd.d readable and writable by ldap user, and that slapd is stopped. Insert you're slapd.ldif into slapd.d with slapadd command. I run it using sudo -u ldap in order for slapadd to create files owned by ldap users. You can also run slapadd without sudo and then chown -R ldap:ldap /etc/openldap/slapd.d. What is important here is that all of you're /etc/openldap directory is readable / writable by user slapd run with.
$ sudo -u ldap slapadd -d -1 \
-F /etc/openldap/slapd.d \
-n 0 \
-f /etc/openldap/slapd.ldif
OpenLDAP configuration:
# /etc/openldap/slapd.ldif
------------------------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcTLSCipherSuite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
olcTLSCACertificateFile: /etc/letsencrypt/live/example/chain.pem
olcTLSCertificateFile: /etc/letsencrypt/live/example/cert.pem
olcTLSCertificateKeyFile: /etc/letsencrypt/live/example/privkey.pem
olcTLSVerifyClient: never
#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleload: back_mdb.so
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/kerberos.ldif
include: file:///etc/openldap/schema/openssh-lpk.ldif
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to *
by self write
by users read
by anonymous auth
#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}anEncryptedPassword
olcDbDirectory: /var/lib/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: memberUid eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: cn pres,sub,eq
olcDbIndex: mail pres,sub,eq
olcDbIndex: sn pres,sub,eq
olcDbIndex: givenname eq,subinitial
olcDbIndex: dc eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey,givenName,sn,photo
by self write
by anonymous auth
by dn.base="cn=Manager,dc=example,dc=com" write
by * none
olcAccess: to *
by self read
by dn.base="cn=Manager,dc=example,dc=com" write
by * read
II - Setup the Directory Information Tree (DIT)
Start the server: $ systemctl start slapd
This will create a /var/lib/openldap-data/data.mdb (the directory may differ on your distro). If you have trouble or if you want to reset your OpenLDAP, you can rm -rf /etc/openldap/slapd.d/* /var/lib/openldap-data/{data.mdb,lock.mdb} after stopping slapd service and return to step I.
I changed my slapd.service to destroy /var/lib/openldap-data/lock.mdb because on my setup, this file is not removed when shutting down slapd and this prevents it to start again.
Content of the slapd.service:
# /etc/systemd/system/slapd.service
------------------------------------
[Unit]
Description=OpenLDAP Server Daemon
After=network.target
[Service]
# "-d n" stops slapd from forking
ExecStartPre = /bin/rm -f /var/lib/openldap-data/lock.mdb
ExecStart = /usr/lib64/openldap/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS -d1
ExecStopPost = /bin/rm -f /var/lib/openldap-data/lock.mdb
Restart = always
RestartSec = 180
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/slapd.service.d/00gentoo.conf
------------------------------------
[Service]
Environment="HOME=/var/lib/openldap"
# Use the slapd configuration directory:
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
Environment="SLAPD_URLS=ldaps:/// ldap://127.0.0.1:389/ ldapi://127.0.0.1"
Environment="KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"
Ensure certificates can be read by ldap user:
$ useradd -r letsencrypt
$ chown -R letsencrypt:letsencrypt /etc/letsencrypt
$ gpasswd -a ldap letsencrypt
$ chmod 750 /etc/letsencrypt/{live,archive}
Then add ldif files that builds the DIT:
$ ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ${PATH_TO_FILES}
# example.com.ldif
------------------------------------
# Create example dn
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organization
o: Example Organization
# Create Manager role
dn: cn=Manager,dc=example,dc=com
cn: Manager
description: LDAP Administrator
objectClass: organizationalROle
objectClass: top
roleOccupant: dc=example,dc=com
# users.ldif
------------------------------------
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
description: Users of Example
# groups.ldif
------------------------------------
dn: ou=Group,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group
description: Groups of Example
III - Setup the LDAP client
Configure ldap.conf:
# /etc/openldap/ldap.conf
------------------------------------
BASE dc=example,dc=com
URI ldaps://example.com
TLS_CACERT /etc/letsencrypt/live/example/chain.pem
TLS_REQCERT allow
TIMELIMIT 2
Setup Kerberos
I - Configure the server
Server config (mit-krb5):
# /etc/krb5.conf
------------------------------------
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = example.com
admin_server = example.com
default_domain = example.com
database_module = openldap_ldapconf
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=Manager,dc=example,dc=com"
ldap_kadmind_dn = "cn=Manager,dc=example,dc=com"
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldaps://example.com
ldap_conns_per_server = 5
}
Then, create the realm: $ kdb5_util -r EXAMPLE.COM create -s
II - Configure OpenLDAP backend
Setup the Kerberos OpenLDAP subtree:
$ kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://127.0.0.1"
and create a local copy of the master key that resides in encrypted form on the KDC’s local disk for linking with OpenLDAP:
$ kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw -f /etc/krb5kdc/service.keyfile cn=Manager,dc=example,dc=com
This is also known as (aka) stash file.
III - Create a principal
Start the MIT Kerberos v5 services (krb5):
$ systemctl start krb5-kdc krb5-kadmind
Systemd services have been taken from ArchLinux packages (since Gentoo didn't provides those files):
krb5-kdc.service:
# /etc/systemd/system/krb5-kdc.service
------------------------------------
[Unit]
Description=Kerberos 5 KDC
[Service]
ExecStart=/usr/sbin/krb5kdc -n
Restart=always
[Install]
WantedBy=multi-user.target
krb5-kadmind:
# /etc/systemd/system/krb5-kadmind.service
------------------------------------
[Unit]
Description=Kerberos 5 administration server
[Service]
ExecStart=/usr/sbin/kadmind -nofork
[Install]
WantedBy=multi-user.target
Fire up a kadmin console using $ kadmin.local:
Create a principal: $ add_principal root/admin#EXAMPLE.COM
Also create a principal for your current user: $ add_principal root#EXAMPLE.COM
Quit with: $ quit or $ q
Add this principal to kadm5.acl:
# /var/lib/krb5kdc/kadm5.acl
------------------------------------
root/admin#EXAMPLE.COM *
IV - Configure Key Distribution Center (KDC)
Configure kdc.conf:
# /var/lib/krb5kdc/kdc.conf
------------------------------------
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
acl_file = /var/lib/krb5kdc/kadm5.acl
key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
Then restart krb5 services: $ systemctl restart krb5-kdc krb5-kadmind
V - Setup saslauthd
SASLAuthD is the daemon that will catch SASL requests from LDAP and convert them into Kerberos (or whatever authentication mecanism you use) requests. It is required if you want to use passwords of you're authentication service instead of LDAP passwords and will allow you for example:
userPassword: {SASL}user#EXAMPLE.COM
whereby EXAMPLE.COM is your realm and user is a principal.
Configure SASL2 slapd:
# /etc/sasl2/slapd.conf (Gentoo) or /usr/lib/sasl2 (Ubuntu)
------------------------------------
pwcheck_method:saslauthd
Make sure saslauthd is using Kerberos v5:
# /etc/conf.d/saslauthd (Gentoo) or /etc/default/saslauthd (Ubuntu)
------------------------------------
# -a describe the mechanism used
# -m is the working directory, where socket will be located
SASLAUTHD_OPTS="-a kerberos5 -m /run/saslauthd"
You can check the parameters in the man page or using $ saslauthd -h. Make sure to use the appropriate variables in this files. You can see which one are used with $ systemctl cat saslauthd on a systemd setup.
Make also sure the socket (/run/saslauthd/mux) is readable / writable by saslauthd.
Start the service using
$ systemctl start saslauthd
and check saslauthd is working using:
$ testsaslauthd -r YOURREALM -u someusernameyouwant -p somepassword
VI - Setup GSSAPI/SASL Authentication
Open up a kadmin console using $ kadmin.local and create GSSAPI principals and keytab files:
First create a service principal inside Kerberos database for your directory server, and create a keyfile containing an entry for that principal into openldap configuration directory.
You can replace instances of example.com but ldap/ should be written litteraly.
$ addprinc -randkey ldap/example.com#EXAMPLE.COM
$ ktadd -k /etc/openldap/ldap.keytab ldap/example.com#EXAMPLE.COM
Then create a host principal for the client, and its keytab. You can replace instances of example.com but host/ should be written litteraly.
$ addprinc -randkey host/example.com#EXAMPLE.COM
$ ktadd -k /etc/krb5.keytab host/example.com#EXAMPLE.COM
And quit: $ quit
Make sure ldap.keytab is readable for ldap user/group only:
$ chown ldap:ldap /etc/openldap/ldap.keytab
$ chmod 640 /etc/openldap/ldap.keytab
Ensure to get a fresh Kerberos ticket:
$ kinit
And it's done, you've setup a Kerberos server with OpenLDAP backend.
You can now tell OpenLDAP to use Kerberos passwords when you create / modify users:
userPassword: {SASL}root#EXAMPLE.COM
For example, you can create a file.ldif containing the following, and add it using ldapadd as previously:
dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SASL}root#EXAMPLE.COM
loginShell: /bin/zsh
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
You can also search using ldapsearch with no arguments.
Troubleshooting
As my initial question is now solved
Server ldap/example.com#EXAMPLE.COM not found in Kerberos database)
here are some tips when you encounter some problems:
Check logs
slapd.service: Use journalctl -xe (My service type is not Forking, and the flag -d 9 will print the log in systemd journal. You can disable logging with -d 0, but keep the flag -d, or declare it as Type: Forking)
krb5-kdc: Check out /var/log/krb5/kdc.log or whatever you've set inside /etc/krb5.conf
krb5-kadmind: Check /var/log/krb5/kadmind.log or whatever you've set inside /etc/krb5.conf
saslauthd: You need to enable debugging with flag -d. Either run saslauthd in a shell with this flag or add this flag to /etc/conf.d/saslauthd (Gentoo) or /etc/default/saslauthd (Ubuntu) and use journalctl -xe to see them.
Problem
Server ldap/example.com#EXAMPLE.COM not found in Kerberos database
When I run $ ldapsearch or $ ldapwhoami, I'm having the following error:
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Server ldap/example.com#EXAMPLE.COM not found in Kerberos database)
Solution
Check that you correctly followed step V and VI of Kerberos setup. You need a keytab readable by OpenLDAP. You can place it where you want and name it as you want. Also make sure the Environmental variable KRB5_KTNAME is set (either in systemd service or in you're init system / in the shell you run slapd), pointing to that keytab.
The host keytab should be placed at /etc/krb5.keytab. It may not be important for ldapsearch / ldapapi (I didn't check if it works without) but it is required for daemons such as SSSD.
Problem
ldap_sasl_interactive_bind_s: Invalid credentials (49)
When I run $ ldapsearch or $ ldapwhoami, I'm having the following error :
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
Solution
Try to refresh you're Kerberos ticket: $ kinit
Credits
Hope those steps could help some others beginners, credits goes to:
https://wiki.archlinux.org/index.php/Kerberos
https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
And some others guides (check out Setting Up Kerberos Authentication on Fedora)

Ok so I finally solved my answer :
I simply needed to create the server on Kerberos, and create a keyfile containing it.
$ addprinc -randkey ldap/example.com#EXAMPLE.COM
$ ktadd -k /etc/openldap/ldap.keytab ldap/example.com#EXAMPLE.COM
Slapd wasn't aware of that file so I added the environment variable to my slapd.service :
# /etc/krb5.conf
------------------------------------
Environment="KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"
I also needed to configure saslauthd and run it :
Configure daemon :
# /etc/conf.d/saslauthd (gentoo) or /etc/default/saslauthd (ubuntu)
------------------------------------
# -a describe the mechanism used
# -m is the working directory, where socket will be located
SASLAUTHD_OPTS="-a kerberos5 -m /run/saslauthd"
Configure options :
# /etc/sasl2/slapd.conf (gentoo) or /usr/lib/sasl2 (ubuntu)
------------------------------------
pwcheck_method:saslauthd
Start it : $ systemctl start saslauthd
An error then showed up :
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
This was because my kerberos ticket expired.
I just ran $ kinit and it solved the problem.
I edited the question to add missing steps to the "guide" part, feel free to edit name / improve it / copy / paste. Thanks.

SSHA password encryption on OpenLDAP

My current problem is that i cannot stop OpenLDAP to store passwords as plaintext. In an older openLDAP version , i entered following configuration in the slapd.conf
ppolicy_hash_cleartext
password-hash {SSHA} {SHA}
So once a password was sent from my application as plaintext, the ldap was encrypting it and storing it encrypted.
Unfortunately i was not able to configure OpenLDAP 2.4.40. I found out that the slapd.conf does not exist anymore in the newer version and instead the configuration is taking place in the cn=config.ldif file.
I tried to add again the same configuration there but it seems that it has no effect.
EDIT : I added with ldapmodify the olcPasswordHash: {SSHA} entry in olcBackend={0}mdb.ldif , olcDatabase={1}mdb.ldif , olcDatabase={0}config.ldif and cn=config.ldif , still my passwords that are sent as plaintext are stored as plaintext.

Took some time, but figured out finally.
Load schema describing ppolicy attributes.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
Create a ppolicy_module.ldif with the following content and make sure that the ppolicy.la is located under the defined olcModulePath. Store the file under /etc/ldap
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap
Add the ppolicy_module.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_module.ldif
Create a ppolicy-overlay.ldif file with the following content. Make sure of the olcDatabase number . In this case it is olcDatabase={1}mdb . Store the file under /etc/ldap
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
Add LDIF file.
ldapadd -Y EXTERNAL -H ldapi:/// -f ./ppolicy-overlay.ldif
Restart ldap.
More details under:
https://fedorahosted.org/sssd/wiki/openldap_ppolicy

What's wrong with the new added ldap database?

I add a new domain to openldap mdb database, but I can not access it, what's the problem?
Here is the process:
$ ldapadd -H ldapi:// -Y EXTERNAL -f newdb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"
cat newdb.ldif
dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example01,dc=com
olcRootDN: cn=admin,dc=example01,dc=com
olcRootPW: {SSHA}J9qNsUzm8nVDQdqWV6XUC0vZQWtml7Cs
I can list it through search base "cn=config":
$ ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={21}mdb,cn=config
olcSuffix: dc=example01,dc=com
olcRootDN: cn=admin,dc=example01,dc=com
olcRootPW: {SSHA}J9qNsUzm8nVDQdqWV6XUC0vZQWtml7Cs
But I can not access it, and I can not add items to it:
$ ldapsearch -H ldapi:// -Y EXTERNAL -b 'dc=example01,dc=com' -s base '(objectclass=*)' -LLL -Q
No such object (32)
Any help is appreciated.

Adding the configuration for a new database doesn't create the top entry of in that database.
You need to use ldapadd to add the entry "dc=example01,dc=com" (with an objectClass Domain)

Change password using LDIF file

I have an LDIF file that contains a bunch of test users.
I would like to change the password for some of these users and was wondering what would be the best way to do so.

Use ldapmodify with LDIF, for example:
ldapmodify -h hostname -p port -D dn -w password <<!
dn: uid=user,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: new-password
!
or specify a filename:
ldapmodify -c -a -f file.ldif -h hostname -p port -D dn -w password
Of course, use the correct attribute names, distinguished names, and so forth. The distinguished name used for the bind of the ldapmodify tool must have access rights to modify the password of the distinguished name specified in the LDIF.
see also
LDIF: rfc2849
LDAP: Using ldapmodify