PHP LDAP change password page

I have recently implemented an SSO (Single Sign On) mechanism in one of my places and then I started to look for a simple quick-and-dirty way to allow the users to change their passwords via PHP.

I have found many complicated examples but I thought, come on, this is really one page I am looking for. So, I have written my own and now I am sharing it with you.

The page has only two variables at the beginning, letting you set the LDAP server hostname and the binding DN. The script behaves like this:

  1. It connects to LDAP via anonymous binding.
  2. It searches for the user specified in the username field by doing a search on the uid= part of the DN for any object matching the username.
  3. The found object (if only 1) is returned to get the full DN with the real CommonName.
  4. PHP re-binds as the user using the “current” user password.
  5. The new password is hashed and ldap_modify is called on the DN.
  6. Optionally, a confirmation email is sent to the address from the mail attribute.
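
Steps 2 to 5 of this flow, as an added example that is not the original script: it keeps the submitted username literal inside the search filter, continues only on a single match, and refuses empty passwords before re-binding. The function names, `$uri`, `$baseDn` and the {SSHA} scheme are assumptions; the post does not say which hash the script uses.

```php
<?php
// Added example: function names, $uri and $baseDn are assumptions.
// Step 2: ldap_escape() (PHP >= 5.6) hex-encodes * ( ) \ and NUL, so the
// submitted username stays a literal value inside the search filter.
function buildUidFilter(string $username): string
{
    return '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Step 3: continue only when exactly one entry matched.
// $entries has the shape returned by ldap_get_entries().
function singleDn(array $entries): ?string
{
    return ($entries['count'] ?? 0) === 1 ? $entries[0]['dn'] : null;
}

// Step 5: salted SHA-1 in the {SSHA} userPassword format (assumed scheme).
function sshaHash(string $password): string
{
    $salt = random_bytes(8);
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Steps 1-5 in order. Returns true only if the directory accepted the change.
function changePasswordSafely(string $uri, string $baseDn, string $user,
                              string $old, string $new): bool
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which many servers accept, so reject it before binding as the user.
    if ($user === '' || $old === '' || $new === '') {
        return false;
    }
    $ldap = ldap_connect($uri); // an ldaps:// URI keeps both passwords off the wire in clear
    if ($ldap === false || !ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3) || !@ldap_bind($ldap)) {
        return false; // step 1: anonymous bind failed
    }
    $res = @ldap_search($ldap, $baseDn, buildUidFilter($user), ['dn']);
    $entries = $res ? ldap_get_entries($ldap, $res) : false;
    $dn = is_array($entries) ? singleDn($entries) : null;
    if ($dn === null || !@ldap_bind($ldap, $dn, $old)) {
        return false; // no unique match, or the current password is wrong
    }
    return @ldap_modify($ldap, $dn, ['userPassword' => sshaHash($new)]);
}

// Constructed inputs: a normal username and one containing filter metacharacters.
foreach (['jdoe', '*)(uid=*'] as $name) {
    echo buildUidFilter($name), PHP_EOL;
}
var_dump(singleDn(['count' => 2, ['dn' => 'uid=a'], ['dn' => 'uid=b']]));
```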

You will have to customize it for your needs, obviously, but it is as simple as modifying one function. Just out of curiosity, write a comment if you have used it for your site in any way.

15 Responses to “PHP LDAP change password page”

  1. Nacho Says:
  2. TGM Says:

    That’s really great. Much better than most of the complex tools I found on web. What I wished, was just to have a simple interface for our users to change their ldap password for web access.

    Thanks a lot.

  3. biji Says:
  4. Bryan Says:

    Dude, this script rocks. I was searching all over the web for this type of script and came across this one. Have to say I am not well versed in PHP, but it was easy to install and get working. Does exactly what I need.

    Thanks a lot for writing it.
    Bryan

  5. Bryan Says:

    One little thing, there are two references to $server, which was not defined. I changed them to the $ldap, and it worked.

    You might want to change that in your code.

  6. alfach Says:

    cool, it works

    thanks a lot

  7. bushdoctor Says:

    Thanks for the script Radek.

    Do you need any specific settings in the slapd.conf to allow user changes of passwords? I can get as far as “E200 – Your password cannot be changed” but unfortunately can’t get the passwords to change.

  8. Radek Says:

    Hi

    You just need a standard access to the user’s attributes by the user, this is a standard openldap ACL:

    access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none

    access to dn.base="" by * read

    access to *
        by * read

  9. Michael Says:

    Thanks a lot, but in the 1st line it's:

    $server = "localhost"

    but in the function you write:

    changePassword($ldap,$dn,$_POST["username"],$_POST["oldPassword"],$_POST["newPassword1"],$_POST["newPassword2"]);

    but something like $ldap does not exist, you probably meant $server, so it should be:

    changePassword($server,$dn,$_POST["username"],$_POST["oldPassword"],$_POST["newPassword1"],$_POST["newPassword2"]);

    and it's working for me;

    best wishes, Michael;

  10. Radek Says:

    Sure, thanks for that :)
    Fixed.

  11. Christene Says:

    Thank you thank you so much! I have been at my wits end trying to do this. I ended up at a dead end a year ago. My nemesis project just got pushed back to the top of my list and your script is just what I need to get started! Your script just taught me more about interacting with LDAP via php than anything else I’ve read or samples I’ve tried to dissect. I normally work with jsp and this is just about impossible to do with that! Thanks again.

  12. Eduardo Silva Says:

    Thank you very much for this script.
    I was looking for this for a long time!
    :)

  13. Ajowi Says:

    Thanks!
    Works for me.

  14. ELMtree Says:

    Thanks for the great script. Suits my needs perfectly and even looks clean and professional!

  15. Head Says:

    Good work,
    but I don't understand this line:

    $rdn = sprintf($dn,$_POST["username"]);

    and I think you have to filter the POST values like:

    if (!get_magic_quotes_gpc()) {
        $username = addslashes($_POST['username']);
        $oldPassword = addslashes($_POST['oldPassword']);
        $newPassword1 = addslashes($_POST['newPassword1']);
        $newPassword2 = addslashes($_POST['newPassword2']);
    } else {
        $username = $_POST['username'];
        $oldPassword = $_POST['oldPassword'];
        $newPassword1 = $_POST['newPassword1'];
        $newPassword2 = $_POST['newPassword2'];
    }

    and then use:

    changePassword($server,$dn,$username,$oldPassword,$newPassword1,$newPassword2);
