[GH-ISSUE #473] Create a CLI tool to change password #179

Closed
opened 2026-02-27 08:15:42 +03:00 by kerem · 8 comments

Originally created by @behrooz on GitHub (Mar 16, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/473

I can't find any sample of how to create a user and change a password with GraphQL.
Could you please help me to write one?
I am working with Python GraphQL and I want to send a change-password GraphQL request to lldap.
Thanks.


@nitnelave commented on GitHub (Mar 16, 2023):

Currently there's no way to change the password of a user via GraphQL, and I don't plan on adding one:

  • the easiest is to create the user and let them set the password themselves through password reset (via the web interface)
  • otherwise you can set the password through LDAP (or with e.g. keycloak going through LDAP)

The reasoning for that is that:

  • I don't provide an HTTPS interface but instead count on the admin to wrap the API behind a proxy with HTTPS.
  • as such, by default, I don't trust the HTTP interface and I don't want clear text passwords in there.
  • setting the passwords via OPAQUE (what the web UI does) works even over plain HTTP because it's a zero knowledge protocol that doesn't reveal any info about the password.
  • LDAP is supposed to be only open to the internal network (or just the other docker containers) rather than the entire internet, so it's considered safer (and you have LDAPS as well)

What I could do is provide a client binary that sets a user's password through OPAQUE from the command line: you give it the server url, the admin credentials, and the user credentials you want to set, and it does the safe password negotiation with the server. Would that work for you?


@behrooz commented on GitHub (Mar 16, 2023):

Thank you for the clear answer, but I need an API to create a user with a password or change it. I think I should look for another way that fits my needs.


@nitnelave commented on GitHub (Mar 16, 2023):

As I mentioned, one option is to have a separate binary that'll do the OPAQUE negotiation for you. You can already create a user with GraphQL, without password. The flow (from python) would then look like:

  • Using the GraphQL API, create the user
  • Then call a simple binary with parameters to set the password of that user (using e.g. subprocess.run(['lldap_set_password', '--jwt_token', token, '--user', user, '--password', password, '--url', server_url])).

Would that work for you?


@behrooz commented on GitHub (Mar 16, 2023):

That is good, but I don't understand "simple binary".
What is subprocess? How do I install and run it?


@nitnelave commented on GitHub (Mar 16, 2023):

You mentioned you're using python, right? subprocess is part of the standard library (https://docs.python.org/3/library/subprocess.html), and it's the most common way of calling external binaries (external programs). For instance, if you want to call ls -l like you would do from the shell, you can do subprocess.run(["ls", "-l"]) in your python code. This will call from your python code the external program ls with the option -l.

Similarly, if we had a program called lldap_set_password, you could write what I wrote above to call and run it, like you would be able to do from your shell (from the shell you'd write lldap_set_password --jwt_token abcdef --user tom --password superPa55w0rd --url lldap.my_server.com).

This program doesn't exist yet (lldap_set_password), but I'm proposing to create it as a way to solve this problem.

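The two-step flow nitnelave sketches above, as an added Python example that is not lldap project code: it builds the authenticated GraphQL createUser request and then calls the proposed lldap_set_password tool through subprocess.run, handling the "command not found" case. The GraphQL path and mutation shape are assumptions to check against your server's schema, and the tool and its flags are hypothetical, as the thread says.

```python
import json
import subprocess
import urllib.request

GRAPHQL_PATH = "/api/graphql"  # assumed; confirm against your lldap server


def create_user_request(server_url, jwt_token, user_id, email):
    """Step 1: authenticated POST for a createUser mutation. The mutation and
    variable shape are assumptions to check against the server's GraphQL
    schema; jwt_token comes from an earlier admin login."""
    query = ("mutation CreateUser($user: CreateUserInput!) "
             "{ createUser(user: $user) { id } }")
    body = json.dumps({"query": query,
                       "variables": {"user": {"id": user_id, "email": email}}})
    return urllib.request.Request(
        server_url.rstrip("/") + GRAPHQL_PATH, data=body.encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + jwt_token})


def set_password_argv(server_url, jwt_token, user_id, password):
    """Step 2: argv for the proposed (hypothetical) lldap_set_password tool.
    A list, never a shell string, keeps a password containing spaces or ';'
    as one opaque argument. Caveat: argv is visible to local users via ps;
    if the tool ever reads the password from stdin, prefer that."""
    return ["lldap_set_password", "--jwt_token", jwt_token, "--user", user_id,
            "--password", password, "--url", server_url]


def set_password(server_url, jwt_token, user_id, password):
    """Run the tool and turn its failure modes into (ok, message).
    FileNotFoundError is the Python-side form of the shell's
    'lldap_set_password: command not found' seen later in this thread."""
    argv = set_password_argv(server_url, jwt_token, user_id, password)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False, "lldap_set_password is not installed or not on PATH"
    if proc.returncode != 0:
        return False, proc.stderr.strip() or "exit status %d" % proc.returncode
    return True, ""


if __name__ == "__main__":
    # Constructed sample values; the request is built here but not sent.
    req = create_user_request("https://lldap.example", "JWT-PLACEHOLDER", "tom", "tom@example.com")
    print(req.full_url, req.get_method())
    print(set_password("https://lldap.example", "JWT-PLACEHOLDER", "tom", "superPa55w0rd"))
```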

@behrooz commented on GitHub (Mar 16, 2023):

So it should work inside the Docker container when I call lldap_set_password itself,
but it returns
bash: lldap_set_password: command not found
Should I run it in a specific directory?


@nitnelave commented on GitHub (Mar 16, 2023):

As I mentioned just above: This program doesn't exist yet, but I'm proposing to create it as a way to solve this problem.


@nitnelave commented on GitHub (Mar 17, 2023):

Let's keep the issue open to track the creation of the tool.
