
July 9th, 2009, 02:00 PM
Need a helpin' hand
Hi Guys,
here's my situation: I've finally got it to work to modify a user password with the AD administrator account through LDAPS, but as the password is available in clear text in my PHP code, I'd like to get a workaround. Then,
binding with the user-supplied password works fine, but trying to modify/replace the unicodePwd attribute just does not work and leaves me with this error message:
Code:
ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access
If you have any idea how to figure out why, and how to succeed, here's my source code followed by my configuration:
PHP Code:
$uid = $user->name;
// $user_cn, $gen_pwd and $newPassword are set earlier in the script (not shown here)
$bindDn = "CN=$user_cn,OU=People,DC=xxxxx,DC=xxxx";
$bindPassword = $gen_pwd;
$baseDn = 'ou=people,dc=xxxx,dc=xxxxx';
$protocolVersion = 3;
$ldap = ldap_connect('ldaps://ad.myserver.com');
if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))
{
    exit('Failed to set protocol version to ' . $protocolVersion);
}
// bind anonymously so that we can verify if the server really is running
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0)
{
    exit('Could not connect to eSG LDAP server');
}
// now bind with the user's own username and password (no administrator credential)
ldap_bind($ldap, $bindDn, $bindPassword);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: ' . ldap_error($ldap));
}
$searchResults = ldap_search($ldap, $baseDn, 'uid=' . $uid);
// ldap_search() returns false on a search error (an empty result is still a resource)
if ($searchResults === false)
{
    exit('No user found ');
}
if (!is_resource($searchResults))
{
    exit('Error in search results.');
}
/* create the unicode password, 1st technique
$newpassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newpassword, "UTF-16LE");
*/
// password creation, 2nd technique: AD expects the new password wrapped in
// double quotes and encoded as UTF-16LE (each ASCII byte followed by a NUL byte)
$newPassword = "\"" . $newPassword . "\"";
$len = strlen($newPassword);
$newPassw = '';
for ($i = 0; $i < $len; $i++)
{
    $newPassw .= $newPassword[$i] . "\0";
}
$newPassword = $newPassw;
$userdata["unicodePwd"] = $newPassword;
$entry = ldap_first_entry($ldap, $searchResults);
if (!is_resource($entry))
{
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);
echo("<br>");
//ldap_modify($ldap, $userDn, array('unicodePwd' => $newPass));
//ldap_mod_replace($ldap, $userDn , array('unicodePwd' => $newPass));
// this is the call that fails with "Insufficient access" when bound as the user
ldap_mod_replace($ldap, $userDn, $userdata);
Windows server 2003
Apache2/PHP 5.2
LDAPS is on
Thanks for your help.
Flo.
Quote: Originally Posted by Clockwatcher: I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.
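The single-step delete-and-add that Clockwatcher describes can be sent from PHP with ldap_modify_batch() (PHP 5.4 and later, so not available on the PHP 5.2 setup in this thread). This is an added example, not the poster's or Clockwatcher's code; the LDAPS host, user DN and passwords are placeholders.

```php
<?php
// Self-service AD password change: the script holds only the user's own
// credentials, never an administrator password. Requires PHP >= 5.4.

// AD stores unicodePwd as the password wrapped in double quotes, UTF-16LE encoded.
function encodeUnicodePwd($password)
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

function changeOwnPassword($uri, $userDn, $oldPassword, $newPassword)
{
    $ldap = ldap_connect($uri);   // e.g. 'ldaps://ad.example.com' (placeholder)
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user with the current password. AD only accepts unicodePwd
    // changes over an encrypted connection (LDAPS or StartTLS).
    if (!@ldap_bind($ldap, $userDn, $oldPassword)) {
        error_log('bind failed: ' . ldap_error($ldap));
        return false;
    }

    // A user changing their own password must remove the old value and add
    // the new one in ONE modify operation (a "change"). A plain replace is a
    // "reset", which needs the Reset Password right, hence "Insufficient access"
    // when ldap_mod_replace() is used while bound as the user.
    $mods = array(
        array('attrib'  => 'unicodePwd',
              'modtype' => LDAP_MODIFY_BATCH_REMOVE,
              'values'  => array(encodeUnicodePwd($oldPassword))),
        array('attrib'  => 'unicodePwd',
              'modtype' => LDAP_MODIFY_BATCH_ADD,
              'values'  => array(encodeUnicodePwd($newPassword))),
    );
    $ok = @ldap_modify_batch($ldap, $userDn, $mods);
    if (!$ok) {
        // Typical causes: wrong old password, or the new one violates domain
        // policy (length, complexity, history, minimum password age).
        error_log('password change failed: ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage (placeholder values):
// changeOwnPassword('ldaps://ad.example.com',
//     'CN=jdoe,OU=People,DC=example,DC=com', 'OldP@ss-1', 'NewP@ss-2');
```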