realjumper

LDAP allow users to change their password

Hi,

I am making good headway with LDAP, and now users can authenticate via a PHP form with no problem. What I would like to do now is to allow users to change their passwords. I give all new users a default password based on their first initial + last name, which is a pretty standard naming convention, but I want users to change their passwords if they want to. I can't find any documentation online as to how to go about this. Can anyone help please? Here is my login authentication script...

Thanks,
Neil

[code]

$username = $_POST['username'];
$passwd = $_POST['passwd'];

// A bind with an empty password is an anonymous bind, which the server
// may accept, so refuse empty credentials before connecting.
if ($username == "" || $passwd == "")
{
    Header("Location: no_access.php");
    exit(0);
}

$ds = ldap_connect("xxx.xx.xxx.x");
if (!$ds)
{
    print "Cannot authenticate at this time...please try again soon";
    exit(0);
}
else
{
    // print "<br>connected";
}

$username = "$username";
$upasswd = "$passwd";
$base_dn = "cn=users, dc=directory,dc=123,dc=45,dc=67";
$rdn = "uid=$username, " . $base_dn;

// Set the protocol version on the handle returned by ldap_connect()
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);

if ($ldapbind)
{
    print "<p style=\"margin-top:200px;text-align:center\">Authenticating.....</p>";

    setcookie("username", "$username", time()+3600, "/");

    Header("Location: ../intranet/index.php?login=$username");
}
else
{
    Header("Location: no_access.php");
}

ldap_close($ds);    //close the ldap connection

[/code]

If you are connecting to a MS ActiveDirectory controller and you are doing password resets, then the person changing the password must be an administrator for the domain.  If the user is changing their own AD (windows) login password, then they are able to change it by supplying their current password and their new password, however, there is no point in it since it's easier to do ctrl-alt-del and click "change password".

Anyway, did you try google?

http://www.google.com/search?hl=en&lr=&q=ldap+change+password+php&btnG=Search

Hi.

It is actually Open Directory running on a MAC 10.4 machine...which is FreeBSD as far as I know. Seeing as the server is Unix, I would have thought that documentation for allowing users to change passwords would have been all over google....but it seems not. I can't really understand this as it's good from a user's standpoint to change their passwords from time to time.....and it's necessary as users may not like the default password they are given when they get an account on the network. I'm sure that this is possible.....I think Moodle allows this to happen, but that application's code is just sooo deeply buried that I can't understand what the hell is going on!!! LOL

Here's a thread on OpenLDAP.org that deals with this issue.

http://www.openldap.org/lists/openldap-software/200212/msg00200.html

Happy reading ...  ;)

Thanks...I was reading this yesterday and although it goes part of the way in explaining what's happening, it doesn't actually answer the question. That script connects to LDAP, which I can do already, but the bit in their code that says "Bind sucsessfully, code to change password".....*that's* the piece of code that I need, and need to understand....I don't know the code to change the password...and they don't mention it!!!

But many thanks :)

I think you're looking for:

[code=php:0]
ldap_modify($ds, $dn, $new);
[/code]

;)

Yup, I'm looking at that right now on php.net. It seems to be saying that only an administrator can modify passwords, but don't quote me on that as I am going to try it shortly ;)

Hmmm......I have tried this......but...

[code]

$username = "justme";
$passwd = "abcdefg";

$ds = ldap_connect("xxx.xx.xxx.x");
if (!$ds)
{
    print "Cannot authenticate at this time...please try again soon";
    exit(0);
}
else
{
    print "<br>connected";
}

$username = "$username";
$upasswd = "$passwd";
$base_dn = "cn=users, dc=directory,dc=xxx,dc=xx,dc=xx";
$rdn = "uid=$username, " . $base_dn;

// Set the protocol version on the handle returned by ldap_connect()
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ds, $rdn, $upasswd);

if ($ldapbind)
{
    echo "<p>Bound!</p><p>";
    $newPassword = "skydive";
    $userdata = $newPassword;
    $result = ldap_modify($ds, $rdn, $userdata);
    if ($result) echo "User modified!";
    else echo "There was a problem!";
}
else
{
    print "<p style=\"margin-top:200px;text-align:center\">Not Authenticating</p>";
}

ldap_close($ds);    //close the ldap connection

[/code]

...the result is this....

connected
Bound!

There was a problem!

So, even though I hard coded the current username and password, and I hard coded the new password, nothing changed. Obviously I have connected and bound to LDAP, but I (still) can't update the password!!

Woe is me!

Okay... here is my latest attempt. I am trying really hard to find the solution to this problem and I'm sure that someone here must be able to help me as this just can't be a problem that is unique to me seeing as LDAP use is widespread. Please, help me if you can. Thanks.

[code]

$username = "justme";
$passwd = "testpass";

$ds = ldap_connect("xxx.xx.xxx.x");
if (!$ds)
{
    print "Cannot authenticate at this time...please try again soon";
    exit(0);
}
else
{
    print "<br>connected";

    $newpass = "skydive";
    $username = "$username";
    $base_dn = "cn=users, dc=directory,dc=xxx,dc=xx,dc=xx";
    $rdn = "uid=$username, " . $base_dn;

    // Set the protocol version on the handle returned by ldap_connect()
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Bind with the password defined at the top of the script
    $ldapbind = ldap_bind($ds, $rdn, $passwd);

    if ($ldapbind)
    {
        echo "<p>Bind successful";

        if (ldap_modify($ds, $rdn, $newpass))
        {
            echo "<p>The entry was modified successfully";
        }
        else
        {
            echo "<p>The entry couldnt be modified";
        }
    } //end of bind if condition
} //end of connect if condition

[/code]

The result from running this code:

connected

Bind successful

The entry couldnt be modified

???

I'm not sure if you administer the LDAP servers, but is it possible that you're connecting to a read-only LDAP server rather than one that is not?

Hi,

Thanks for the reply....especially as I still haven't resolved this problem. The LDAP server, that is in my office, is set up so that users, once authenticated, have the privilege to change their own password only. If they connect to the server via the gui on their workstations then they can change their passwords, no problem. However, staff have their own workstations but students do not. We have some 600 students who use the lab machines of which there are about 60, or else their own laptops which connect to the network via radio link. We are wanting to open the Intranet server (which authenticates users via the LDAP server) so that access from outside campus is available, and therefore we also want to allow users to change their LDAP passwords via PHP which is more or less essential from an extramural student's standpoint. I know this is possible, but other than what I have tried I have run out of ideas as there seems to be no PHP documentation available on the whole Internet!!!! :)
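
A sketch of the step the thread is looking for, as an added example that is not part of any post above: the third argument of ldap_modify() has to be an array of attribute => values, so a bare string, as in the attempts above, is rejected. The host, the base DN, the use of userPassword with an {SSHA} value, and a server ACL that lets users write their own password are all assumptions about the directory.

```php
<?php
declare(strict_types=1);

const LDAP_URI = 'ldap://directory.example.test';            // placeholder host
const BASE_DN  = 'cn=users,dc=directory,dc=example,dc=test'; // placeholder base DN

/** Build a salted SHA-1 value in {SSHA} form (assumed to be accepted by the server). */
function ssha(string $password): string
{
    $salt = random_bytes(8);
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

/** Bind as the user with the current password, then replace their own userPassword. */
function change_own_password(string $uid, string $current, string $new): bool
{
    // An empty password turns a simple bind into an anonymous bind, which a
    // server may report as success; refuse it before contacting the server.
    if ($uid === '' || $current === '' || $new === '') {
        return false;
    }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Both passwords cross the wire, so require StartTLS before binding.
    if (!@ldap_start_tls($ds)) {
        return false;
    }
    // Escape the uid so form input cannot alter the DN it is placed in.
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . BASE_DN;
    if (!@ldap_bind($ds, $dn, $current)) {
        return false;
    }
    // Attribute name => list of values; a plain string here always fails.
    $ok = @ldap_modify($ds, $dn, ['userPassword' => [ssha($new)]]);
    if (!$ok) {
        error_log('ldap_modify failed: ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    return $ok;
}

// Usage in a form handler (the field names are hypothetical):
// $changed = change_own_password($_POST['username'], $_POST['passwd'], $_POST['newpass']);
```

When the modify still fails after a successful bind, the ldap_error() text written to the log distinguishes an access-control refusal from a schema or value problem.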
