hashicorp · jadeidev · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025
@@ -100,7 +100,8 @@ func testBackendConfig() *logical.BackendConfig {
 var _ ldapClient = (*fakeLdapClient)(nil)
 
 type fakeLdapClient struct {
-	throwErrs bool
+	throwErrs                   bool
+	throwsInvalidCredentialsErr bool
 }
 
 func (f *fakeLdapClient) UpdateUserPassword(_ *client.Config, _ string, _ string) error {
@@ -119,6 +120,16 @@ func (f *fakeLdapClient) UpdateDNPassword(_ *client.Config, _ string, _ string)
 	return err
 }
 
+func (f *fakeLdapClient) UpdateSelfManagedDNPassword(_ *client.Config, _ string, _ string, _ string) error {
+	var err error
+	if f.throwErrs {
+		err = errors.New("forced error")
+	} else if f.throwsInvalidCredentialsErr {
+		err = errors.New("invalid credentials")
+	}
+	return err
+}
+
 func (f *fakeLdapClient) Execute(_ *client.Config, _ []*ldif.Entry, _ bool) error {
 	var err error
 	if f.throwErrs {

@@ -4,6 +4,7 @@
 package openldap
 
 import (
+	"errors"
 	"fmt"
 
 	"github.com/go-ldap/ldap/v3"
@@ -17,6 +18,7 @@ import (
 type ldapClient interface {
 	UpdateDNPassword(conf *client.Config, dn string, newPassword string) error
 	UpdateUserPassword(conf *client.Config, user, newPassword string) error
+	UpdateSelfManagedDNPassword(conf *client.Config, dn, currentPassword, newPassword string) error
 	Execute(conf *client.Config, entries []*ldif.Entry, continueOnError bool) error
 }
 
@@ -87,6 +89,22 @@ func (c *Client) UpdateUserPassword(conf *client.Config, username string, newPas
 	return c.ldap.UpdatePassword(conf, conf.UserDN, ldap.ScopeWholeSubtree, newValues, filters)
 }
 
+func (c *Client) UpdateSelfManagedDNPassword(conf *client.Config, dn string, currentPassword string, newPassword string) error {
+	if dn == "" {
+		// Optionally implement a search to resolve DN from username, userdn, userattr in cfg.
+		return errors.New("user DN resolution not implemented")
+	}
+	if currentPassword == "" || newPassword == "" {
+		return fmt.Errorf("both current and new password must be provided for self-managed password changes on dn: %s", dn)
+	}
+
+	scope := ldap.ScopeBaseObject
+	filters := map[*client.Field][]string{
+		client.FieldRegistry.ObjectClass: {"*"},
+	}
+	return c.ldap.UpdateSelfManagedPassword(conf, dn, scope, currentPassword, newPassword, filters)
+}
+
 func (c *Client) Execute(conf *client.Config, entries []*ldif.Entry, continueOnError bool) (err error) {
 	return c.ldap.Execute(conf, entries, continueOnError)
 }
@@ -121,6 +121,78 @@ func (c *Client) UpdatePassword(cfg *Config, baseDN string, scope int, newValues
 	return c.UpdateEntry(cfg, baseDN, scope, filters, newValues)
 }
 
+// UpdateSelfManagedPassword performs a least‑privilege, self‑service password change.
+// Behavior by schema:
+//   - Active Directory: issues a Delete (current value) followed by an Add (new value)
+//     because a direct Replace (like the one done in `UpdateEntry`) typically requires elevated privileges.
+//   - OpenLDAP: uses the RFC 3062 PasswordModify extended operation. If the underlying
+//     connection does not support it, falls back to UpdateEntry (privileged replace).
+//   - RACF: not implamneted yet.
+func (c *Client) UpdateSelfManagedPassword(cfg *Config, dn string, scope int, currentValue string, newValue string, filters map[*Field][]string) error {
+	if currentValue == "" || newValue == "" {
+		return fmt.Errorf("both current and new password must be provided for self-managed password changes on dn: %s", dn)
+	}
+	// Use a copy of the config to avoid modifying the original with the bind dn/password for rotation
+	rotationConfEntry := *cfg.ConfigEntry
+	rotationConfEntry.BindDN = dn
+	rotationConfEntry.BindPassword = currentValue
+	rotationConf := *cfg
+	rotationConf.ConfigEntry = &rotationConfEntry
+	// perform self search to validate account exists and current password is correct
+	entries, err := c.Search(&rotationConf, dn, scope, filters)
+	if err != nil {
+		return err
+	}
+	if len(entries) != 1 {
+		return fmt.Errorf("expected one matching entry, but received %d", len(entries))
+	}
+	conn, err := c.ldap.DialLDAP(rotationConf.ConfigEntry)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	if err := bind(&rotationConf, conn); err != nil {
+		return err
+	}
+	currentSchemaValues, err := GetSchemaFieldRegistry(&rotationConf, currentValue)
+	if err != nil {
+		return fmt.Errorf("error updating password: %s", err)
+	}
+	newSchemaValues, err := GetSchemaFieldRegistry(&rotationConf, newValue)
+	if err != nil {
+		return fmt.Errorf("error updating password: %s", err)
+	}
+	switch rotationConf.Schema {
+	case SchemaAD:
+		modifyReq := &ldap.ModifyRequest{
+			DN: entries[0].DN,
+		}
+		for field, vals := range currentSchemaValues {
+			modifyReq.Delete(field.String(), vals)
+		}
+		for field, vals := range newSchemaValues {
+			modifyReq.Add(field.String(), vals)
+		}
+		return conn.Modify(modifyReq)
+	case SchemaOpenLDAP:
+		req := ldap.NewPasswordModifyRequest(entries[0].DN, currentValue, newValue)
+		pmConn, ok := conn.(interface {
+			PasswordModify(*ldap.PasswordModifyRequest) (*ldap.PasswordModifyResult, error)
+		})
+		if !ok {
+			// Fallback: try privileged replace (may fail if self-change perms required)
+			return c.UpdateEntry(&rotationConf, dn, scope, filters, newSchemaValues)
+		}
+		_, err = pmConn.PasswordModify(req)
+		return err
+	case SchemaRACF:
+		return fmt.Errorf("self managed password changes not supported for RACF schema")
+	default:
+		return fmt.Errorf("configured schema %s not valid", rotationConf.Schema)
+	}
+}
+
 // toString turns the following map of filters into LDAP search filter strings
 // For example: "(cn=Ellen Jones)"
 // when multiple filters are applied, they get AND'ed together.

@@ -267,6 +267,87 @@ func TestUpdatePasswordAD(t *testing.T) {
 	}
 }
 
+func TestUpdateSelfManagedPasswordOpenLDAP(t *testing.T) {
+	testPass := "hell0$catz*"
+	currentPass := "dogs"
+
+	config := emptyConfig()
+	config.Schema = SchemaOpenLDAP
+	config.BindDN = "cn=admin,dc=example,dc=org"
+	config.BindPassword = "admin"
+	dn := "CN=Jim H.. Jones,OU=Vault,OU=Engineering,DC=example,DC=com"
+
+	conn := &ldapifc.FakeLDAPConnection{
+		SearchRequestToExpect: testSearchRequest(),
+		SearchResultToReturn:  testSearchResult(),
+	}
+
+	conn.PasswordModifyRequestToExpect = &ldap.PasswordModifyRequest{
+		UserIdentity: dn,
+		OldPassword:  currentPass,
+		NewPassword:  testPass,
+	}
+	ldapClient := &ldaputil.Client{
+		Logger: hclog.NewNullLogger(),
+		LDAP:   &ldapifc.FakeLDAPClient{conn},
+	}
+
+	client := &Client{ldapClient}
+
+	filters := map[*Field][]string{
+		FieldRegistry.ObjectClass: {"*"},
+	}
+	if err := client.UpdateSelfManagedPassword(config, dn, ldap.ScopeBaseObject, currentPass, testPass, filters); err != nil {
+		t.Fatal(err)
+	}
+	// validate client didnt change
+	assert.Equal(t, "cn=admin,dc=example,dc=org", config.BindDN)
+	assert.Equal(t, "admin", config.BindPassword)
+}
+
+func TestUpdateSelfManagedPasswordAD(t *testing.T) {
+	testPass := "hell0$catz*"
+	currentPass := "dogs"
+	encodedCurrentPass, err := formatPassword(currentPass)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dn := "CN=Jim H.. Jones,OU=Vault,OU=Engineering,DC=example,DC=com"
+	encodedTestPass, err := formatPassword(testPass)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	config := emptyConfig()
+	config.Schema = SchemaAD
+
+	conn := &ldapifc.FakeLDAPConnection{
+		SearchRequestToExpect: testSearchRequest(),
+		SearchResultToReturn:  testSearchResult(),
+	}
+
+	conn.ModifyRequestToExpect = &ldap.ModifyRequest{
+		DN: dn,
+	}
+	conn.ModifyRequestToExpect.Delete("unicodePwd", []string{encodedCurrentPass})
+	conn.ModifyRequestToExpect.Add("unicodePwd", []string{encodedTestPass})
+
+	ldapClient := &ldaputil.Client{
+		Logger: hclog.NewNullLogger(),
+		LDAP:   &ldapifc.FakeLDAPClient{conn},
+	}
+
+	client := &Client{ldapClient}
+
+	filters := map[*Field][]string{
+		FieldRegistry.ObjectClass: {"*"},
+	}
+
+	if err := client.UpdateSelfManagedPassword(config, dn, ldap.ScopeBaseObject, currentPass, testPass, filters); err != nil {
+		t.Fatal(err)
+	}
+}
+
 // TestUpdateRootPassword mimics the UpdateRootPassword in the SecretsClient.
 // However, this test must be located within this package because when the
 // "client" is instantiated below, the "ldapClient" is being added to an

@@ -213,6 +213,45 @@ func Test_UpdateUserPassword(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_UpdateSelfManagedDNPassword_MissingPrameters(t *testing.T) {
+	config := &client.Config{
+		ConfigEntry: &ldaputil.ConfigEntry{
+			Url:          "ldap://ldap.com:389",
+			BindDN:       "cn=admin,dc=example,dc=org",
+			BindPassword: "admin",
+		},
+		Schema: client.SchemaOpenLDAP,
+	}
+
+	c := NewClient(hclog.NewNullLogger())
+	newPassword := "newpassword"
+	err := c.UpdateSelfManagedDNPassword(config, "cn=user1,dc=example,dc=org", "", newPassword)
+	assert.Error(t, err)
+	err = c.UpdateSelfManagedDNPassword(config, "", "currentpassword", newPassword)
+	assert.Error(t, err)
+	err = c.UpdateSelfManagedDNPassword(config, "cn=user1,dc=example,dc=org", "currentpassword", "")
+	assert.Error(t, err)
+}
+
+func Test_UpdateSelfManagedDNPassword(t *testing.T) {
+	ldapServer := setupDockerLDAP(t)
+	config := &client.Config{
+		ConfigEntry: &ldaputil.ConfigEntry{
+			Url:          ldapServer,
+			BindDN:       "cn=admin,dc=example,dc=org",
+			BindPassword: "admin",
+		},
+		Schema: client.SchemaOpenLDAP,
+	}
+	// self rotate this user
+	c := NewClient(hclog.NewNullLogger())
+	err := c.UpdateSelfManagedDNPassword(config, "cn=User1,dc=example,dc=org", "password1", "newpassword")
+	assert.NoError(t, err)
+	// validate client didnt change
+	assert.Equal(t, "cn=admin,dc=example,dc=org", config.BindDN)
+	assert.Equal(t, "admin", config.BindPassword)
+}
+
 func setupDockerLDAP(t *testing.T) string {
 	t.Helper()
 	pool, err := dockertest.NewPool("")

@@ -25,9 +25,10 @@ func (f *FakeLDAPClient) DialURL(addr string, opts ...ldap.DialOpt) (ldaputil.Co
 }
 
 type FakeLDAPConnection struct {
-	ModifyRequestToExpect *ldap.ModifyRequest
-	SearchRequestToExpect *ldap.SearchRequest
-	SearchResultToReturn  *ldap.SearchResult
+	ModifyRequestToExpect         *ldap.ModifyRequest
+	PasswordModifyRequestToExpect *ldap.PasswordModifyRequest
+	SearchRequestToExpect         *ldap.SearchRequest
+	SearchResultToReturn          *ldap.SearchResult
 }
 
 func (f *FakeLDAPConnection) Bind(username, password string) error {
@@ -81,3 +82,10 @@ func (f *FakeLDAPConnection) Add(request *ldap.AddRequest) error {
 func (f *FakeLDAPConnection) Del(request *ldap.DelRequest) error {
 	return nil
 }
+
+func (f *FakeLDAPConnection) PasswordModify(modifyRequest *ldap.PasswordModifyRequest) (*ldap.PasswordModifyResult, error) {
+	if !reflect.DeepEqual(f.PasswordModifyRequestToExpect, modifyRequest) {
+		return nil, fmt.Errorf("Actual modify request: %#v\nExpected: %#v", modifyRequest, f.PasswordModifyRequestToExpect)
+	}
+	return &ldap.PasswordModifyResult{}, nil
+}
@@ -28,6 +28,11 @@ func (m *mockLDAPClient) UpdateUserPassword(conf *client.Config, user string, ne
 	return args.Error(0)
 }
 
+func (m *mockLDAPClient) UpdateSelfManagedDNPassword(conf *client.Config, dn string, currentPassword string, newPassword string) error {
+	args := m.Called(conf, dn, currentPassword, newPassword)
+	return args.Error(0)
+}
+
 func (m *mockLDAPClient) Execute(conf *client.Config, entries []*ldif.Entry, continueOnError bool) (err error) {
 	args := m.Called(conf, entries, continueOnError)
 	return args.Error(0)

@@ -213,6 +213,10 @@ func (f *failingRollbackClient) UpdateDNPassword(conf *client.Config, dn string,
 	return fmt.Errorf("some error")
 }
 
+func (f *failingRollbackClient) UpdateSelfManagedDNPassword(conf *client.Config, dn string, currentPassword string, newPassword string) error {
+	panic("nope")
+}
+
 func (f *failingRollbackClient) UpdateUserPassword(conf *client.Config, user, newPassword string) error {
 	panic("nope")
 }