Reputation: 83
I have to let the user change his password when the "user must change password" flag is set in the Active Directory system.
That just works when I grant adLDAP access via my AD administrator.
So, when a user tries to log in I check whether the attribute "pwdlastset" has a value that indicates that the user has to change his password. If so, I redirect him to a password renewal dialog.
The problem with this solution is that when the user enters an invalid initial password I would also redirect him, because I can't validate him. When I try to bind the user with the attribute "pwdlastset" set, it always returns the error "Unable to bind".
$adldap = new \adLDAP(array(
    "base_dn"            => $basedn,
    "account_suffix"     => $accsuffix,
    "domain_controllers" => $dc,
    "admin_username"     => $adminuser,
    "admin_password"     => $adminpw
));
// Get the requesting user's "pwdLastSet" field via the admin account
// (adLDAP's info() expects the field list as an array)
$userToAuthInfo = $adldap->user()->info($name, array("pwdlastset"));
if ((int) $userToAuthInfo[0]["pwdlastset"][0] === 0)
{
    // pwdLastSet = 0 means "must change password at next logon":
    // redirect user to pwd renew
}
else
{
    // bind user and redirect to home
}
Does anybody know how I could solve this? I thought that if a separate attribute with the password existed I could request it and check whether it's the same. But if I'm not wrong, such an attribute does not exist.
Upvotes: 0
Views: 3810
Reputation: 12262
function userchange($username, $pwdLastSetVal, $domadlogin, $domadpw, $domctrl)
{
    $ldapServer = $domctrl;
    $ldapBase = 'OU= ,DC= ,DC= '; // be sure to set this according to your ldap settings
    $ds = ldap_connect($ldapServer);
    if (!$ds)
        die('Cannot Connect to LDAP server');
    // options must be set before the bind, otherwise the bind runs as LDAPv2 and chases referrals
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Error setting LDAP version");
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0) or die("Error setting referrals option");
    $ldapBind = ldap_bind($ds, $domadlogin, $domadpw);
    if (!$ldapBind)
        die('Cannot Bind to LDAP server');
    $attrs = array("samaccountname", "pwdlastset");
    // escape the user-supplied name so it cannot inject extra filter terms
    $filter = "(samaccountname=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
    $sr = ldap_search($ds, $ldapBase, $filter, $attrs);
    $ent = ldap_get_entries($ds, $sr);
    if ($ent["count"] != 1)
        die('User not found or not unique');
    $dn = $ent[0]["dn"];
    $userdata = array();
    // "0" = must change password at next logon, "-1" = set pwdLastSet to the current time
    $userdata["pwdlastset"][0] = (string) $pwdLastSetVal;
    ldap_modify($ds, $dn, $userdata); // change state
    ldap_close($ds);
}
// pass -1 or 0 as the parameter after the username
userchange($username, -1, $domadlogin, $domadpw, $domctrl);
I would call this function and pass -1 just before you try to bind the user and change their password to something new. If the bind is successful (the user supplied the incorrect current password), then call the userchange function again and pass 0, so it sets it back to what it was before and the user can try again. When the user successfully binds and sets their new password, you can call the userchange function and pass -1 after the $username parameter.
Upvotes: 3
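An added example, not code from the question or the answer, that takes the route a defender would prefer over rewriting pwdLastSet with the admin account: it binds as the user and reads the bind diagnostic that AD returns, which separates a wrong password (data 52e) from a correct password on an account flagged to change it (data 773). The names $dc (assumed to be an ldaps:// URI), $upn and both helper functions are assumptions; it assumes PHP 7.1 or later for LDAP_OPT_DIAGNOSTIC_MESSAGE.

```php
<?php
// Added example (not the page's code). AD verifies the password before it
// reports "must change password", so the diagnostic code tells the two cases apart.

function adBindDiagnostic(string $dc, string $upn, string $password): array
{
    // An empty password turns a simple bind into an anonymous bind, which
    // succeeds against AD without proving anything; reject it up front.
    if ($password === '') {
        return ['bound' => false, 'code' => 'empty'];
    }
    $ds = ldap_connect($dc); // assumed ldaps:// so the password is not sent in clear
    if (!$ds) {
        return ['bound' => false, 'code' => 'connect'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    $bound = @ldap_bind($ds, $upn, $password);
    $code = '';
    if (!$bound) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // AD diagnostic looks like: "... AcceptSecurityContext error, data 52e, v1db1"
        if (preg_match('/data ([0-9a-f]+)/i', (string) $diag, $m)) {
            $code = strtolower($m[1]);
        }
    }
    ldap_unbind($ds);
    return ['bound' => (bool) $bound, 'code' => $code];
}

// Maps the bind result onto the login flow from the question.
function loginDecision(string $dc, string $upn, string $password): string
{
    $r = adBindDiagnostic($dc, $upn, $password);
    if ($r['bound']) {
        return 'home';
    }
    // 773 = must change password at next logon (pwdLastSet = 0),
    // 532 = password expired; both mean the supplied password was correct.
    if ($r['code'] === '773' || $r['code'] === '532') {
        return 'renew';
    }
    return 'invalid'; // 52e wrong password, 533 disabled, 775 locked out, ...
}

// Constructed call: $dc = 'ldaps://dc01.example.local', $upn = $name . $accsuffix
// echo loginDecision($dc, $upn, $_POST['password']);
```

Because the user's own credentials are checked, no admin write to pwdLastSet is needed and the flag is never temporarily lifted while the check runs.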