Hi all,

I am building a simple webpage to allow users to manage their LDAP passwords. I have successfully built a script that allows a user to change their LDAP password, however, I am stuck on a script that would reset their password.

Here is the code I am using to reset the password:

PHP Code:
<?php
// connect to the ldap server
$connection = ldap_connect($server) or die('Cannot connect to LDAP server');

// bind to the ldap server with the service account
if (!ldap_bind($connection, $bindDn, $bindPassword)) {
    echo 'Cannot bind to LDAP server<br>';
}

// get the user dn (escape the username so it cannot alter the search filter)
$filter     = '(|(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
$userSearch = ldap_search($connection, $baseDn, $filter);
$userEntry  = ldap_first_entry($connection, $userSearch);
$userDn     = ldap_get_dn($connection, $userEntry);

// make up a fake password
$chars = 'qwrtyipsdfgghjklzxcvbnmQWRTYPSDFGHJKLZXCVBNM1234567890!@#$%^&*-=_+",.?';
$passwordLength = 12;
$password = '';

// create the fake password
// random_int() is CSPRNG-backed and its upper bound is inclusive,
// so the last valid index is strlen($chars) - 1
for ($i = 0; $i < $passwordLength; $i++) {
    $password .= $chars[random_int(0, strlen($chars) - 1)];
}

// now change the password (stored as an unsalted {SHA} hash)
$encodedPassword = '{SHA}' . base64_encode(pack('H*', sha1($password)));

if (@ldap_mod_replace($connection, $userDn, array('userPassword' => $encodedPassword)) === false) {
    echo ldap_error($connection);
}

// mail the user their new password
The result of running this code is:

    Insufficient access

which is the result of the ldap_mod_replace command.

The only difference between this code and the code I use to change a user's password is that I bind as the user with their password.

Obviously, I cannot do that on a user that has forgotten their password.

I do not manage the LDAP installation nor do I know anything about managing one. Is the issue that the user I bind with initially is not set up to change just anyone's password?

If that is the case, what do I need to tell my sys admin to do?

If not, what is the problem?
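For the ACL question, here is an added example (not from the original post) of the kind of access rule the sysadmin would need to put in place. It assumes the directory is OpenLDAP using cn=config, which the post does not state; the database name {1}mdb and the service DN cn=pwreset,ou=services,dc=example,dc=com (the script's $bindDn) are placeholders.

```ldif
# Constructed example: the password-reset service account gets write access to
# userPassword on every entry, users keep self-service, and the account can
# still search the tree to resolve a uid to a DN.
# Placeholders: {1}mdb (database suffix entry) and the cn=pwreset service DN.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=pwreset,ou=services,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by users read
  by * none
```

Applied with ldapmodify -Y EXTERNAL -H ldapi:/// on the server; since replace overwrites the whole olcAccess list, the sysadmin must merge this with the rules already present and keep the userPassword rule ahead of the catch-all, because OpenLDAP stops at the first matching rule.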