douxianji6104 2019-08-05 07:47
Views: 320

PHP - LDAP: change a user's password in Active Directory without using an administrator account

I'm building an application authenticating against MS Active Directory using LDAP. We have a password policy where user passwords expire.

How can I set a user password without using an AD-administrator through ldap in PHP?

I've seen many approaches but all of them use an administrator account which is from my point of view a security risk.


1 answer

  • dscuu86620 2019-08-05 21:04

    The documentation for the unicodePwd attribute describes two ways to change a password:

    1. Sending a "delete" and an "add" operation in the same LDAP request. This uses the old password as the authorization to change the password. This is what a user would normally do themselves if they did Ctrl+Alt+Del -> Change password in Windows.
    2. Sending a "replace" operation, which is the same as an administrator resetting the password. This requires that you already authenticated with an account that has permission to reset the password.

    If I understand you correctly, you want to avoid option 2. So the trick will be to send an "add" and "delete" request in the same request. To do that, you can use ldap_modify_batch. In fact, there is an example of it on the documentation page itself:

    <?php
    // AD expects unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE.
    function adifyPw($pw)
    {
        return iconv("UTF-8", "UTF-16LE", '"' . $pw . '"');
    }

    // The user changes their own password, so the connection is bound as that user
    // with the current password (no administrator account involved). AD only accepts
    // unicodePwd writes over an encrypted connection, hence LDAPS on port 636.
    // Host and DN are placeholders for your own domain.
    $dn = "cn=Jack Smith-Jones,ou=Wizards,dc=ad,dc=example,dc=com";
    $connection = ldap_connect("ldaps://ad.example.com:636");
    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_bind($connection, $dn, "Tr0ub4dor&3");

    $modifs = [
        [
            "attrib"  => "unicodePwd",
            "modtype" => LDAP_MODIFY_BATCH_REMOVE,  // old password: proves authorization
            "values"  => [adifyPw("Tr0ub4dor&3")],
        ],
        [
            "attrib"  => "unicodePwd",
            "modtype" => LDAP_MODIFY_BATCH_ADD,     // new password
            "values"  => [adifyPw("correct horse battery staple")],
        ],
    ];
    // Both operations travel in one request; AD treats this as a user-initiated change.
    ldap_modify_batch($connection, $dn, $modifs);
    

    Note that you may have to connect over a secure connection (LDAPS, usually on port 636) for AD to allow this.

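A complete self-service change built on the remove/add batch described in the answer, added here as an example (it is not from the original answer or the PHP documentation). Host, DN and passwords are placeholders; the function binds as the user over LDAPS with server certificate verification and surfaces AD's diagnostic message when the bind or the change is refused.

```php
<?php
// Self-service AD password change over LDAPS, bound as the user, no admin account.
// "ad.example.com", the DN and the passwords below are placeholders.

function adPassword(string $pw): string
{
    // unicodePwd must be the value in double quotes, encoded as UTF-16LE.
    return mb_convert_encoding('"' . $pw . '"', 'UTF-16LE', 'UTF-8');
}

function changeOwnPassword(string $host, string $userDn, string $old, string $new): array
{
    // Require a valid server certificate; this option must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $ldap = ldap_connect("ldaps://$host:636");
    if ($ldap === false) {
        return [false, "invalid LDAP URI"];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user with the current password: the only credential this code holds.
    if (!@ldap_bind($ldap, $userDn, $old)) {
        $msg = ldap_error($ldap);
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        ldap_unbind($ldap);
        return [false, "bind failed: $msg ($diag)"];
    }

    // Remove the old value and add the new one in a single request. AD applies
    // the domain password policy (length, history, complexity) to this change.
    $ok = @ldap_modify_batch($ldap, $userDn, [
        ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_REMOVE, "values" => [adPassword($old)]],
        ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_ADD,    "values" => [adPassword($new)]],
    ]);
    $msg = $ok ? "password changed" : ldap_error($ldap);
    if (!$ok) {
        // AD's diagnostic text starts with the Win32 error code, e.g. 0000052D
        // (ERROR_PASSWORD_RESTRICTION) when the new password violates policy.
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $msg .= " ($diag)";
    }
    ldap_unbind($ldap);
    return [$ok, $msg];
}

[$ok, $msg] = changeOwnPassword("ad.example.com",
    "cn=Jack Smith-Jones,ou=Wizards,dc=ad,dc=example,dc=com",
    "Tr0ub4dor&3", "correct horse battery staple");
echo ($ok ? "OK: " : "FAILED: ") . $msg . PHP_EOL;
```

Once a password has already expired, AD refuses the simple bind in the first step, so this flow only works while the current password is still valid; an already expired account needs another path such as a pre-expiry reminder or a help desk reset.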
