The documentation for the unicodePwd attribute describes two ways to change a password:
- Sending a "delete" and an "add" operation in the same LDAP request. This uses the old password as the authorization to change the password. This is what a user would normally do themselves if they did Ctrl+Alt+Del -> Change password in Windows.
- Sending a "replace" operation, which is the same as an administrator resetting the password. This requires that you already authenticated with an account that has permission to reset the password.
If I understand you correctly, you want to avoid option 2. So the trick will be to send an "add" and "delete" request in the same request. To do that, you can use ldap_modify_batch. In fact, there is an example of it on the documentation page itself:
<?php
function adifyPw($pw)
{
    // AD wants the password wrapped in double quotes and encoded as UTF-16LE
    return iconv("UTF-8", "UTF-16LE", '"' . $pw . '"');
}

$dn = "cn=Jack Smith-Jones,ou=Wizards,dc=ad,dc=example,dc=com";

// $connection is assumed to be an already-bound LDAP connection (normally over
// ldaps://), for example:
// $connection = ldap_connect("ldaps://dc.ad.example.com");
// ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind($connection, $dn, "Tr0ub4dor&3");

$modifs = [
    [
        "attrib"  => "unicodePwd",
        "modtype" => LDAP_MODIFY_BATCH_REMOVE,   // old password: proves you know it
        "values"  => [adifyPw("Tr0ub4dor&3")],
    ],
    [
        "attrib"  => "unicodePwd",
        "modtype" => LDAP_MODIFY_BATCH_ADD,      // new password
        "values"  => [adifyPw("correct horse battery staple")],
    ],
];

ldap_modify_batch($connection, $dn, $modifs);
Note that you may have to connect over a secure connection (LDAPS, usually on port 636) for AD to allow this.
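The same delete-plus-add change as a complete, self-contained function, added here as an example that is not part of the answer above or of the PHP manual. It connects over LDAPS, binds as the user with the current password (so no account with reset rights is involved), sends both modifications in one ldap_modify_batch() call, and on failure surfaces the server's diagnostic message instead of a bare error string. The host name, DN and passwords are placeholders; the function name changeOwnAdPassword is my own.

```php
<?php
// Added example: self-service Active Directory password change over LDAPS.
// Not from the original answer or the PHP manual; names below are placeholders.
declare(strict_types=1);

/** Encode a password the way AD expects in unicodePwd: double-quoted, UTF-16LE. */
function adifyPw(string $pw): string
{
    $encoded = iconv('UTF-8', 'UTF-16LE', '"' . $pw . '"');
    if ($encoded === false) {
        throw new InvalidArgumentException('password is not valid UTF-8');
    }
    return $encoded;
}

/**
 * Change the caller's own password. Returns true on success; throws with the
 * server's diagnostic message on failure.
 */
function changeOwnAdPassword(string $ldapsUri, string $userDn, string $oldPw, string $newPw): bool
{
    $conn = ldap_connect($ldapsUri);
    if ($conn === false) {
        throw new RuntimeException("bad LDAP URI: $ldapsUri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD hands out referrals we do not want to chase
    // Certificate verification is deliberately left at the library default (required);
    // do not set LDAP_OPT_X_TLS_REQUIRE_CERT to "never" just to make this work.

    // Bind as the user with the current password: no admin account needed.
    if (!@ldap_bind($conn, $userDn, $oldPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }

    // Delete of the old value plus add of the new value in ONE request.
    $modifs = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [adifyPw($oldPw)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [adifyPw($newPw)]],
    ];

    if (@ldap_modify_batch($conn, $userDn, $modifs)) {
        ldap_unbind($conn);
        return true;
    }

    // AD prefixes its diagnostic message with a Win32 error code, e.g.
    // "0000052D: ..." (ERROR_PASSWORD_RESTRICTION: new password rejected by the
    // domain policy or history). Report it verbatim rather than guessing the cause.
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $err = ldap_error($conn);
    ldap_unbind($conn);
    throw new RuntimeException("password change failed: $err ($diag)");
}

// Usage (placeholder values):
// changeOwnAdPassword(
//     'ldaps://dc1.ad.example.com:636',
//     'cn=Jack Smith-Jones,ou=Wizards,dc=ad,dc=example,dc=com',
//     'Tr0ub4dor&3',
//     'correct horse battery staple'
// );
```

A wrong old password normally fails at the bind step, while a new password that violates the domain policy gets past the bind and fails in ldap_modify_batch(); reading LDAP_OPT_DIAGNOSTIC_MESSAGE is what lets you tell the two apart. A plain ldap:// connection without TLS is rejected by AD for unicodePwd changes, so the URI must be ldaps:// (or TLS must be started with ldap_start_tls() first).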