PHP ldap_modify Insufficient access
I am getting insufficient access errors using ldap_modify with OpenLDAP 2.4.32 and PHP 5.4.6.

The php function that is giving the errors looks like this:

function set_user($dn, $password, $data)
{
  /* This function sets the user's information */

  // Get Configuration Items
  $ldapServer = $this->config->item('ldapServer');
  $ldapDCRoot = $this->config->item('ldapDCRoot');

  // Connect to LDAP
  $ldapConnection = ldap_connect($ldapServer);

  if ($ldapConnection)
  {
    // OpenLDAP 2.4 expects protocol version 3 (PHP defaults to version 2)
    ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);

    $r = ldap_bind($ldapConnection, $dn, $password);
    if ($r)
    {
      // Bind completed successfully; the modify result must be checked too,
      // otherwise a failed write is reported as success
      $r = ldap_modify($ldapConnection, $dn, $data);
      if (!$r)
      {
        die("Modify failed: " . ldap_error($ldapConnection));
      }
      return True;
    }
    die("Unsuccessful Bind: " . ldap_error($ldapConnection));
  }
  die("Can't connect to LDAP");
}

The $dn is the full DN of the user trying to change their information, along with their password. $data holds the values that they are updating; right now $data just contains the phone number to change: $data['mobile'] = "newPhoneNumber". This all appears to be working except for the fact that the data is never actually written.

The OpenLDAP config file is included below; as you can see, the ACL says that I should be able to write to it.

include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

allow bind_v2

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

access to *
    by self write
    by users read
    by anonymous auth


database    bdb
suffix      "dc=example,dc=com"
checkpoint  1024 15
rootdn      "cn=manager,dc=example,dc=com"
rootpw          REDACTED

directory   /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

The question is: why can't PHP update the value, and why does it instead get an insufficient access error?

Divisor answered 25/10, 2012 at 22:3 Comment(1)
Before your call to ldap_connect(), try ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); which will dump a bunch of debug output to the Apache global error log (it will not dump to a vhost-specific log, or to your error_log setting).
Scopolamine
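The following is an added example, not the asker's code or the commenter's: it performs the same self-service modify (bind as the user's own DN, then write to that DN, which is what the "by self write" ACL line grants) but checks every return value and surfaces the LDAP result code and the server's diagnostic message, so an "Insufficient access" result is reported with its cause instead of being returned as success. The server URI, DN and attribute values are placeholders; the debug level from the comment above is shown as an optional line. It targets PHP 7.1 or later for LDAP_OPT_DIAGNOSTIC_MESSAGE, and falls back to ldap_error() on older versions.

```php
<?php
// Added example (not from the question or the comment): self-service
// attribute update with full error reporting. Host and DN are placeholders.

function set_user_with_diagnostics($server, $dn, $password, array $data)
{
    // Optional: client-library debug output, as suggested in the comment.
    // It lands in the web server's global error log, not PHP's error_log.
    // ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

    $conn = ldap_connect($server);
    if ($conn === false) {
        throw new RuntimeException("LDAP URI is malformed: $server");
    }

    // OpenLDAP 2.4 expects protocol version 3; PHP defaults to version 2.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // A simple bind sends the user's password on the wire, so protect the
    // channel: use ldaps:// or upgrade a plain ldap:// connection with StartTLS.
    if (strpos($server, 'ldaps://') !== 0 && !@ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }

    // Bind as the user's own DN; "by self write" only applies when the bound
    // DN is the same entry that is being modified.
    if (!@ldap_bind($conn, $dn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }

    // The boolean return value is the only success signal PHP gives.
    if (!@ldap_modify($conn, $dn, $data)) {
        $errno = ldap_errno($conn);   // 50 = insufficientAccessRights
        $msg   = ldap_error($conn);
        $diag  = '';
        // Server-side explanation of the failure (PHP >= 7.1).
        if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
            ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        }
        ldap_unbind($conn);
        throw new RuntimeException("Modify failed ($errno): $msg $diag");
    }

    ldap_unbind($conn);
    return true;
}

// Usage with constructed placeholder values:
// set_user_with_diagnostics(
//     'ldap://ldap.example.com',
//     'uid=jdoe,ou=people,dc=example,dc=com',
//     $password,
//     ['mobile' => '+1 555 0100']
// );
```

The numeric result code tells the two failure modes apart: a bind that succeeded but did not actually authenticate as the target DN will also fail the modify with code 50, while a schema or attribute problem returns a different code, so logging ldap_errno() alongside the message is worth the extra line.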

To debug your issue, I'd suggest using the command line tool ldapmodify to make the same request. You may need to install it to your system (Redhat openldap-clients, Debian slapd).

LDAP Utilities

By setting the debugging level with -d you can hopefully get more information than what the PHP library is providing about why your call is returning the insufficient access error.

While I have never had to do this with ldapmodify, I have used it with ldapsearch with great success. So it may take some searching or ldapmodify --help to figure out how to use it.

I imagine the command would look something like this:

ldapmodify -d 7 -h ldap.server.com -D bind_dn -w bind_password -f /tmp/entrymods
Severally answered 21/4, 2016 at 18:3 Comment(0)

I struggled with a few things while changing an Active Directory password. Maybe this will help others also:

1st: You will need a secure connection; otherwise LDAP would refuse to change the password.

$this->ldap_ds = ldap_connect($this->hostname);
// some protocol options
ldap_set_option($this->ldap_ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($this->ldap_ds, LDAP_OPT_PROTOCOL_VERSION, 3);

// upgrade the plain connection (port 389) to TLS with StartTLS;
// port 636 is LDAPS, reached by passing an ldaps:// URI to ldap_connect() instead
if (!ldap_start_tls($this->ldap_ds)) {
    die("StartTLS failed: " . ldap_error($this->ldap_ds));
}

2nd: On my system I had problems starting the secure connection; I solved this for now by editing /etc/ldap/ldap.conf

# TLS_CACERT    /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never

3rd: For Active Directory we used the unicodePwd field instead of the userPassword field. This field requires a Unicode string.

$entry["unicodePwd"] = iconv("UTF-8", "UTF-16LE", '"' . $newPassword . '"');

4th: For changing the password you can't use modify; instead you should use the mod_replace function.

ldap_mod_replace($ldapConnection, $user_dn, $entry);
Inconvertible answered 22/4, 2016 at 9:34 Comment(0)
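The four steps above put together, as an added example that is not the answerer's code: an administrative password reset against Active Directory over a TLS channel that validates the server certificate. The ldap.conf workaround in step 2 (TLS_REQCERT never) makes the client accept any certificate, so the bind password and the new user password would be readable by anyone who can sit between the client and the domain controller; the example instead points the client at the CA that issued the domain controller's certificate and demands a valid chain. Host name, CA file path and DNs are placeholders, and the TLS option constants need PHP 7.1 or later.

```php
<?php
// Added example (not the answer's code): Active Directory password reset with
// a validated TLS connection. URI, CA path, DNs and passwords are placeholders.

function ad_reset_password($uri, $caFile, $adminDn, $adminPw, $userDn, $newPassword)
{
    // Demand a certificate that chains to $caFile. This is the safe
    // replacement for "TLS_REQCERT never" in /etc/ldap/ldap.conf.
    // Both options are global, hence the null connection argument.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);   // e.g. 'ldaps://dc1.example.com' uses port 636
    if ($ds === false) {
        throw new RuntimeException("LDAP URI is malformed: $uri");
    }

    // Step 1: protocol options from the answer.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // A plain ldap:// URI (port 389) is upgraded with StartTLS; an ldaps://
    // URI is already encrypted, and StartTLS on it would fail.
    if (strpos($uri, 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }

    // Bind as an account that is allowed to reset the target user's password.
    if (!@ldap_bind($ds, $adminDn, $adminPw)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }

    // Step 3: AD wants the new password as a UTF-16LE string wrapped in
    // double quotes, written to unicodePwd rather than userPassword.
    $entry = [
        'unicodePwd' => iconv('UTF-8', 'UTF-16LE', '"' . $newPassword . '"'),
    ];

    // Step 4: a single "replace" change for the attribute.
    if (!@ldap_mod_replace($ds, $userDn, $entry)) {
        $err = ldap_errno($ds) . ': ' . ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("Password reset failed ($err)");
    }

    ldap_unbind($ds);
    return true;
}

// Usage with constructed placeholder values:
// ad_reset_password(
//     'ldaps://dc1.example.com',
//     '/etc/ssl/certs/example-ad-ca.pem',
//     'CN=svc-pwreset,OU=Service Accounts,DC=example,DC=com',
//     $servicePassword,
//     'CN=Jane Doe,OU=Users,DC=example,DC=com',
//     $newPassword
// );
```

If the validated connection fails where TLS_REQCERT never succeeded, the cause is almost always a domain controller certificate that does not chain to the supplied CA file or whose subject does not match the host name in the URI; fixing that on the server or CA side keeps the credentials protected, whereas disabling verification only hides the symptom.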