Version: 3.25

Password change examples

Here you can see some password change use cases.


Domain credential password change

Requirements
  • Have a domain credential created
  • The change template
  1. Go to Executions ➔ Settings ➔ Templates and create a new template, or copy the "AD - Change User Password" template.
  2. In the execution template, select the LDAP executor and set Execution type to Change password.
  3. This example changes the password of the senhaADM user. In the content, add:
Domain password change template
# Protocol Version
set-option LDAP_OPT_PROTOCOL_VERSION 3
set-option LDAP_OPT_REFERRALS 3

# Execute Bind
bind "cn=[#AUTH_USER#],CN=Users,DC=senhasegura,DC=com"

# Locate User Entry
find "DC=senhasegura,DC=com" (&(objectClass=user)(sAMAccountName=[#USERNAME#]))

# Change Password
mod-replace unicodePwd "u([#NEW_PASSWORD#])"
Note

The CN=Users,DC=senhasegura,DC=com portion of the bind should be replaced by the DN (distinguished name) of the location where the credential that will execute the change exists.

  1. Go to the credential that will be changed in PAM Core ➔ Credentials ➔ All and click edit.
  2. Go to the Execution Settings tab, enable the automatic change, select LDAP as the change plugin, and select the template created in the previous steps.
  3. In the Authentication settings, define whether the change will be done through the credential itself or through another service user credential.
  4. From now on, whenever one of the triggers is activated, the password of this credential is changed.
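
The following Python sketch is an added example, not senhasegura's own code. It shows what the template's find and mod-replace steps amount to on the wire: an escaped search filter and a unicodePwd value in the form Active Directory expects. It assumes that the template's u(...) wrapper produces that quoted UTF-16LE value; the function names, the sample DN and the sample password are constructed for illustration.

```python
import base64

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Same filter as the template's find step, with the username escaped."""
    escaped = escape_filter_value(sam_account_name)
    return f"(&(objectClass=user)(sAMAccountName={escaped}))"


def encode_unicode_pwd(new_password: str) -> bytes:
    """Active Directory expects unicodePwd as the password wrapped in
    double quotes and encoded as UTF-16LE, without a byte-order mark."""
    if not new_password:
        raise ValueError("empty password")
    return f'"{new_password}"'.encode("utf-16-le")


def ldif_password_replace(user_dn: str, new_password: str) -> str:
    """LDIF change record equivalent to 'mod-replace unicodePwd' on user_dn.
    The binary value uses the base64 '::' form; an ASCII-only DN is assumed."""
    value = base64.b64encode(encode_unicode_pwd(new_password)).decode("ascii")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    print(user_filter("svc*(backup)"))
    print(ldif_password_replace(
        "CN=senhaADM,CN=Users,DC=senhasegura,DC=com", "N3w-Passw0rd!"))
```

Active Directory accepts unicodePwd modifications only over an encrypted connection such as LDAPS, so the device's LDAP connection should be configured accordingly.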

Linux user password change

Requirements
  • Have a Linux credential created
  • The change template
  1. Go to Executions ➔ Settings ➔ Templates and create a new template, or copy the Change Password template, which is used in this example.
  2. In the execution template, select the SSH executor plugin and set Execution type to Change password.
  3. This example changes the password of the senhaADM user. In the content, add:
Linux password change template
# Define english as default language
expect-regex "/[$|#|>]/"
exec "export LC_ALL=C"

# Clear sudo session
expect-regex "/[$|#|>]/"
exec "sudo -k"

# Execute password change
expect-regex "/[$|#|>]/"
exec "sudo passwd -r files [#USERNAME#]"

# Set new password
expect "*password:"
exec "[#NEW_PASSWORD#]"

# Confirm new password
expect "*password:"
exec "[#NEW_PASSWORD#]"

# Confirm password change
expect "*successfully"

# Exit
expect-regex "/[$|#|>]/"
exec "exit"

end
  1. Now go to the credential that will be changed in PAM Core ➔ Credentials ➔ All and click edit.
  2. Go to the Execution Settings tab, enable the automatic change, select SSH as the change plugin, and choose the template created in the previous steps.
  3. In the Authentication settings, define whether the change will be done through the credential itself or through another service user credential.
  4. From now on, whenever one of the triggers is activated, the password of this credential is changed.