PHP LDAP change password page
I recently implemented an SSO (Single Sign On) mechanism at one of the sites I look after, and then started looking for a simple, quick-and-dirty way to let users change their own passwords via PHP.
I found many complicated examples, but what I was looking for was really just one page. So I wrote my own, and now I am sharing it with you.
The page has only two variables at the beginning, letting you set the LDAP server hostname and the binding DN. The script behaves like this:
- It connects to the LDAP server with an anonymous bind.
- It searches for the user given in the username field, matching the uid= part of the DN against the submitted username.
- If exactly one object is found, its full DN (with the real CommonName) is taken from the search result.
- PHP re-binds as that DN using the "current" password the user typed in; a successful bind is the proof that the user knows the old password.
- The new password is hashed and ldap_modify is called on the DN to replace the userPassword attribute.
- Optionally, a confirmation email is sent to the address in the user's mail attribute.
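The flow above written out end to end, as an added example rather than the original script: the hostname ldap.example.com, the base DN ou=People,dc=example,dc=com, the form field names and the error strings are assumptions, and the variable names are not the original's. It adds the checks a practitioner would want around the same six steps: the username is escaped before it goes into the search filter, an empty "current" password is refused because LDAP treats a bind with an empty password as a successful anonymous bind, the connection is upgraded to TLS before any password is sent, and the new hash is a salted SSHA with a salt from the CSPRNG.

```php
<?php
// Added example of the password-change flow described above; not the original post's code.
// Assumed values: the LDAP URI, the base DN and the HTML field names.
declare(strict_types=1);

const LDAP_URI     = 'ldap://ldap.example.com';       // assumption
const LDAP_BASE_DN = 'ou=People,dc=example,dc=com';   // assumption

// {SSHA} = base64( sha1(password . salt) . salt ), with a random 8-byte salt.
function ssha_hash(string $password): string
{
    $salt = random_bytes(8);                      // CSPRNG, not mt_rand()
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Anonymous search for exactly one entry whose uid equals $username.
// ldap_escape() keeps a username such as "*" or "x)(uid=*" from rewriting the filter.
function find_user_dn($ldap, string $username): ?string
{
    $filter = sprintf('(uid=%s)', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($ldap, LDAP_BASE_DN, $filter, ['1.1']); // 1.1 = no attributes, DN only
    if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
        return null;                              // unknown or ambiguous user
    }
    return ldap_get_dn($ldap, ldap_first_entry($ldap, $res));
}

function change_password(string $username, string $oldPassword, string $new1, string $new2): string
{
    if ($new1 !== $new2) {
        return 'E300 - New passwords do not match';
    }
    if (strlen($new1) < 8) {
        return 'E301 - New password too short';
    }
    // A DN with an empty password is an anonymous bind and succeeds, so the
    // "current password" proof below is only meaningful if we refuse it here.
    if ($oldPassword === '') {
        return 'E100 - Wrong user or password';
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return 'E000 - Cannot connect to LDAP';
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Both passwords cross the wire during the user bind and the modify: insist on TLS.
    if (!ldap_start_tls($ldap)) {
        return 'E001 - Cannot start TLS';
    }
    if (!ldap_bind($ldap)) {                      // step 1: anonymous bind for the search
        return 'E002 - Anonymous bind refused';
    }
    $dn = find_user_dn($ldap, $username);         // steps 2 and 3
    if ($dn === null) {
        return 'E100 - Wrong user or password';   // same text as a bad password: no user enumeration
    }
    if (!@ldap_bind($ldap, $dn, $oldPassword)) {  // step 4: re-bind as the user
        return 'E100 - Wrong user or password';
    }
    $ok = ldap_mod_replace($ldap, $dn, ['userPassword' => ssha_hash($new1)]); // step 5
    ldap_unbind($ldap);
    return $ok
        ? 'OK - Password changed'
        : 'E200 - Your password cannot be changed (check the ACL on userPassword)';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo htmlspecialchars(change_password(
        (string)($_POST['username']     ?? ''),
        (string)($_POST['oldPassword']  ?? ''),
        (string)($_POST['newPassword1'] ?? ''),
        (string)($_POST['newPassword2'] ?? '')
    ), ENT_QUOTES, 'UTF-8');
}
```

Two design choices worth noting: the unknown-user and wrong-password cases return the same message so the page does not confirm which usernames exist, and the escaping is LDAP-specific (ldap_escape with LDAP_ESCAPE_FILTER) rather than generic slash-escaping, because the characters that matter inside a search filter are parentheses, the asterisk and the backslash.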
You will obviously have to customize it for your needs, but that is as simple as modifying one function. Since both the current and the new password travel from the browser to the script and from the script to the directory, serve the page over HTTPS and have the script call ldap_start_tls() (or use an ldaps:// URL) before it binds. Just out of curiosity, leave a comment if you have used it on your site in any way.
Thanks! :)
That's really great. Much better than most of the complex tools I found on the web. What I wished for was just a simple interface for our users to change their LDAP password for web access.
Thanks a lot.
thanks a lot…
Dude, this script rocks. I was searching all over the web for this type of script and came across this one. I have to say I am not well versed in PHP, but it was easy to install and get working. It does exactly what I need.
Thanks a lot for writing it.
Bryan
One little thing: there are two references to $server, which was not defined. I changed them to $ldap, and it worked.
You might want to change that in your code.
cool, it works
thanks a lot
Thanks for the script Radek.
Do you need any specific settings in the slapd.conf to allow user changes of passwords? I can get as far as “E200 – Your password cannot be changed” but unfortunately can’t get the passwords to change.
Hi
You just need standard access to the user's attributes by the user; this is a standard OpenLDAP ACL:
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by * read
Thanks a lot, but in the first line it is:
$server = "localhost"
but in the function you write:
changePassword($ldap,$dn,$_POST["username"],$_POST["oldPassword"],$_POST["newPassword1"],$_POST["newPassword2"]);
but something like $ldap does not exist; you probably mean $server, so it should be:
changePassword($server,$dn,$_POST["username"],$_POST["oldPassword"],$_POST["newPassword1"],$_POST["newPassword2"]);
and it's working for me;
best wishes, Michael;
Sure, thanks for that :)
Fixed.
Thank you, thank you so much! I have been at my wits' end trying to do this. I ended up at a dead end a year ago. My nemesis project just got pushed back to the top of my list, and your script is just what I need to get started! Your script just taught me more about interacting with LDAP via PHP than anything else I've read or any samples I've tried to dissect. I normally work with JSP, and this is just about impossible to do with that! Thanks again.
Thank you very much for this script.
I was looking for this for a long time!
:)
Thanks!
Works for me.
Thanks for the great script. Suits my needs perfectly and even looks clean and professional!
good work.
but I don't understand this line:
$rdn = sprintf($dn,$_POST["username"]);
and I think you have to filter the POST values like:
if (!get_magic_quotes_gpc()) {
    $username = addslashes($_POST['username']);
    $oldPassword = addslashes($_POST['oldPassword']);
    $newPassword1 = addslashes($_POST['newPassword1']);
    $newPassword2 = addslashes($_POST['newPassword2']);
} else {
    $username = $_POST['username'];
    $oldPassword = $_POST['oldPassword'];
    $newPassword1 = $_POST['newPassword1'];
    $newPassword2 = $_POST['newPassword2'];
}
and then use:
changePassword($server,$dn,$username,$oldPassword,$newPassword1,$newPassword2);
Thanks for the script. Great work.
I was looking this script all over. You made my life easy. Thanks a ton!!!!
Thank you for sharing. Your script worked.
I tried it already (SUSE Linux).
Thanks,
Sontaya
http://blog.susethailand.com
It works with CentOS Directory Server 8.1.
Thanks for your effort. Very good!!! ^^
Hi Radek.
I've been trying around, but it didn't work for me.
Do I need any further configuration?
I'm using Windows XP running:
Apache 2.2.8 for Windows
PHP version 6
Windows Server 2003 Enterprise, with LDAPS support.
Your script keeps saying: Found user
E200 – Your password cannot be change, please contact the administrator.
(Note that I am able to connect to LDAPS via port 635 already, and the user already exists in AD.)
Thank you!!
I added the line:
ldap_start_tls($con);
so that I have TLS enabled. Works flawlessly, but it could use some minor spellchecking. Exactly what I was looking for otherwise! :-D
Fantastic! Exactly what I needed. Simple and works well.
Hey,
thanks man, your script rocks. Hey, can I add password expiry to this script? Can you write code which says "your password will expire in 45 days" and email it to me at nauman.yousuf@gmail.com
I am not able to make it work; I just get an "Error E100 – Wrong user".
what to do ?
Thanks so much for writing this! Very simple, elegant, robust. Just what I needed! Kudos!
nice, thank you very much, saved me a lot of thinking ;o)
if you want to use SSHA instead of SHA, replace
$entry["userPassword"] = "{SHA}" . base64_encode( pack( "H*", sha1( $newPassword ) ) );
with
mt_srand((double)microtime()*1000000);
$salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand()); // four random bytes of salt
// {SSHA} = base64( sha1(password . salt) . salt )
$entry["userPassword"] = "{SSHA}" . base64_encode( pack( "H*", sha1( $newPassword . $salt ) ) . $salt );
Thanks for sharing. Exactly what I needed.
Just wanted to drop yet another note to say thanks. Plugged it into our intranet and works like a charm!
Hi,
First off, thank you very much for this! I was able to get it running but fail at changing the actual password. I can confirm that users can change their passwords, but usually only when they are logged in to the Windows PC. A little background: I have a Samba PDC + OpenLDAP, and I have noticed that users can only change their passwords when they are logged in to the PC and pressing Ctrl+Alt+Del, so I am wondering if it is an ACL issue? I saw something above, but the last time I messed with ACLs I nearly broke the entire LDAP domain system by doing so. That said, any help you could give me to debug this issue further would be great (e.g. some variables to tune the debugging, etc.). I can probably work through most of it since I am pretty well versed in PHP but have never messed with the LDAP libraries for it.
Thanks again
Hey, never mind! To resolve it I uncommented what was in the default slapd.conf:
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by self write
        by anonymous auth
        by * none
which actually led to LDAP failing to authenticate any users, so I had to also uncomment the next part:
## all other attributes are readable to everybody
access to *
        by * read
I guess if you have everything commented out it assumes some default ACL behavior, but if you uncomment one thing, it only uses what is explicitly there.
Thanks again for the wonderful script!
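The two ACL blocks quoted in the replies above (the plain OpenLDAP one and the Samba one) assembled into one working slapd.conf fragment, as an added example that is not from the original post or from any commenter. The suffix dc=example,dc=com and the admin DN are assumptions. slapd evaluates access clauses in order and applies the first one whose target matches, so the order is part of the configuration; the broken order is shown, commented out, for comparison.

```conf
# Added example: minimal slapd.conf ACLs for a self-service password-change page.
# Assumptions: suffix dc=example,dc=com, admin DN cn=admin,dc=example,dc=com.

# 1. Password attributes first. "anonymous auth" lets a client bind with the
#    current password (that bind is the proof the page relies on), "self write"
#    lets the entry's owner replace the hash, and nobody else may even read it.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by anonymous auth
        by self write
        by * none

# 2. The root DSE, which clients probe before doing anything else.
access to dn.base=""
        by * read

# 3. Catch-all: the page's anonymous search for (uid=...) needs read access
#    to the entries. As soon as any "access to" line exists, slapd's implicit
#    final rule becomes "access to * by * none", so leaving this out makes the
#    anonymous search return nothing and the page reports an unknown user.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

# BROKEN ORDER (do not use): with the catch-all first, "access to *" already
# matches userPassword, so the password rule is never reached. Every anonymous
# client can then read the password hashes, and "self write" never applies,
# which is why the page reports that the password cannot be changed.
#
# access to *
#         by * read
# access to attrs=userPassword
#         by self write
#         by * none
```

After editing, check the effective permissions with slapd's own tool before restarting the daemon: `slapacl -f slapd.conf -D "uid=alice,ou=People,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" userPassword/write` should report that the write is allowed for the user's own entry, and the same query with `-D ""` (anonymous) should report only auth.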
Hi,
Can this script change the password in other modules? Webmin, for example, allows users to change their password in the LDAP server and the Samba module.
Thanks,
Hi, I'm using the Mac OS X Server version of OpenLDAP. I still cannot change the password and keep getting the result "E200 – Your password cannot be change, please contact the administrator."
Does it have to do with some authentication or what? Or something I need to set up on the server?
Thanks
You have to configure slapd so that it allows anonymous searching.
Check your slapd.conf for:
access to *
        by dn="cn=admin,dc=domain,dc=com" write
        by * read
That last line is important.
No, this script is for LDAP only.
I am also getting the error "Error E100 – Wrong user". I am running the code on an Ubuntu server, but authenticating with a Windows Server 2003 domain controller. Any ideas or suggestions?
Thanks in advance!
the script works perfectly.
I am also getting the error "Error E100 – Wrong user". I am running Active Directory 2003. I can bind to LDAP anonymously. I cannot figure out if I have the $dn variable set correctly. Any advice is greatly appreciated.