LDAP/PHP change password problem

Joined
Sep 3, 2006
Messages
1
Reaction score
0
Hi,

We are running LDAP on our OS X 10.4 machine to authenticate users on our network of some 900 users. Our intranet, which used to authenticate via a MySQL database, now authenticates via LDAP, which is great as it is less work for me to do! However, using PHP, I would like to allow users to change their passwords if they so choose, but I just can't seem to get this working. Below is my code, and below my code is the result from running this code. If someone could help me out here, I would be most grateful. Thanks
:)

Code:
$username = "justme";
$passwd = "testpass";

$ds=ldap_connect("xxx.xx.xxx.x");
if(!$ds)
{
    print "Cannot authenticate at this time...please try again soon";
    exit(0);
}
else
{
    print "<br>connected";

    $newpass = "skydive";
    $username = "$username";
    $base_dn = "cn=users, dc=directory,dc=xxx,dc=xx,dc=xx";
    $rdn = "uid=$username, " . $base_dn;

    ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ldapbind = ldap_bind($ds, $rdn, $upasswd);

    if ($ldapbind)
    {
        echo "<p>Bind successful";

        if(ldap_modify($ds, $rdn, $newpass))
        {
            echo "<p>The entry was modified successfully";
        }
        else {
            echo "<p>The entry couldnt be modified";
        }

    } //end of bind if condition
} //end of connect if condition

The result from running this code:

connected

Bind successful

The entry couldnt be modified
 
Joined
Dec 23, 2006
Messages
1
Reaction score
0
While I also am trying to set up a system to do this (and it's not quite working yet...), I can tell you that your first problem is on your third line of code:

$ds=ldap_connect("xxx.xx.xxx.x");


To modify an LDAP from a PHP script you are required to connect with the LDAP secure protocol. The default is a standard unencrypted LDAP connection which is read only. So change your code to:

$ds=ldap_connect("ldaps://xxx.xx.xxx.x");

... and your script should probably work otherwise. If it doesn't there are a few other things I can think of:

1) To successfully connect with LDAP Secure you have to have a trusted certificate from the server. I've successfully set this up exactly one time (this was with an Active Directory). I'm currently running Apple's Open Directory so I don't have to bother with the certificates.

2) I don't know if you can just give it a plaintext password to change it to. Here's a section of code I used to modify an Active Directory password:

$adduserAD["unicodePwd"] = $this->convertPwd($password);

function convertPwd($newPassword)
/*
Converts an ASCII password into an active directory compatible unicode password
Returns unicode password.
*/
{
    // prepare data: the password is wrapped in double quotes first
    $newPassword = "\"" . $newPassword . "\"";
    $len = strlen($newPassword);
    $newPassw = ""; // initialise the output buffer before appending to it
    // follow every ASCII byte with a NUL byte, which yields UTF-16LE
    for ($i = 0; $i < $len; $i++) { $newPassw .= $newPassword[$i] . "\000"; }
    $newPassword = $newPassw;
    return $newPassword;
} // convertPwd



Now I got that function from another website (I'm not sure which at this point) and modified it to work with my needs.

Good luck!
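
The pieces discussed in this thread, put together as an added example that is not code from either poster: a self-service password change over LDAPS that sets options on the real connection handle, refuses an empty bind password, and sends the modification as a structured array. It assumes PHP with the ldap and mbstring extensions and a directory that lets the bound user write `userPassword` and hashes it on write; `userDn`, `adUnicodePwd`, `changePassword` and the `example.test` names are hypothetical.

```php
<?php
// Added example, not the posters' code. URI, base DN and attributes are assumptions.

// Build the user's DN, escaping the uid so it cannot alter the DN structure.
function userDn(string $uid, string $baseDn): string {
    return "uid=" . ldap_escape($uid, "", LDAP_ESCAPE_DN) . "," . $baseDn;
}

// Active Directory form: password in double quotes, encoded as UTF-16LE.
// Unlike a byte-by-byte NUL-padding loop, this also handles non-ASCII input.
function adUnicodePwd(string $password): string {
    return mb_convert_encoding('"' . $password . '"', "UTF-16LE", "UTF-8");
}

// Bind as the user over LDAPS and change that user's own password.
// Returns null on success, otherwise an error string.
function changePassword(string $uri, string $dn, string $oldPass, string $newPass, bool $isAd = false): ?string {
    // An empty password turns the bind into an "unauthenticated" bind (RFC 4513, 5.1.2):
    // the server may answer success, and the later modify is then refused.
    if ($oldPass === "" || $newPass === "") {
        return "empty password rejected";
    }
    $ds = ldap_connect($uri); // ldaps:// URI; the server certificate must chain to a trusted CA
    if (!$ds) {
        return "invalid LDAP URI";
    }
    // Options are set on the handle returned by ldap_connect().
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ds, $dn, $oldPass)) {
        return "bind failed: " . ldap_error($ds);
    }
    // Modifications are structured arrays naming the attribute, never a bare string.
    $mods = $isAd
        ? [ // AD self-service change: remove the old value, add the new one
            ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_REMOVE, "values" => [adUnicodePwd($oldPass)]],
            ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_ADD, "values" => [adUnicodePwd($newPass)]],
        ]
        : [["attrib" => "userPassword", "modtype" => LDAP_MODIFY_BATCH_REPLACE, "values" => [$newPass]]];
    $err = @ldap_modify_batch($ds, $dn, $mods) ? null : "modify failed: " . ldap_error($ds);
    ldap_unbind($ds);
    return $err;
}

// Offline checks with constructed values; no server is contacted.
$dn = userDn("just,me", "cn=users,dc=example,dc=test");
echo $dn, "\n";
echo bin2hex(adUnicodePwd("Ab")), "\n";
var_dump(changePassword("ldaps://ldap.example.test", $dn, "", "skydive"));
```

When a modify is refused after a bind that reported success, `ldap_error($ds)` returns the server's reason, which separates an access-control refusal from a malformed request.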
 
