LDAP to change user password
As I know, in PHP, we need to connect LDAP over SSL in order to change the user password.

Is there another way, E.G, other languages (JAVA / ASP) to change the LDAP password without SSL required?

Updates:

I get "Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access" when I try to modify my account password.

If I try to change other user passwords, I get no error message, but the password still sticks to the old one.

Altar answered 27/1, 2011 at 2:45 Comment(1)
Noni: That would probably depend on the LDAP service you're using.

Many LDAP implementations do indeed require SSL or TLS in order to change/set passwords. This is a requirement set by the LDAP server, not the language used to access it. Changing languages will not permit you to override this particular server requirement.

I understand that there are extenuating circumstances where you may not be able to establish a SSL/TLS connection, but in general, you absolutely want to be encrypting password functions like this - even if the server doesn't require it.

Edit: I bet the answer can be found in the slapd logs. Also worth reviewing the ACLs: OpenLDAP Software 2.4 Administrator's Guide, Section 8. Access Control.

Exciseman answered 27/1, 2011 at 3:52 Comment(3)
Altar: I knew a piece of software which allows users to reset/change their password although there is no SSL enabled for my current LDAP. manageengine.com/products/self-service-password/index.html
Exciseman: @Altar maybe I misunderstood your question. It sounded like you were trying to bypass an SSL requirement dictated by your LDAP server. I'm glad you got it working!
Altar: No, it didn't. That is 3rd-party software, but now I am trying to develop using PHP.

The directory stores password values in the userPassword attribute of the user entry. Depending on the access control settings for the server, users may set the value of userPassword in accordance with the password policy you specify, using standard tools, such as ldapmodify for example.

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: ChAnGeMe
Cocks answered 13/7, 2012 at 11:32 Comment(0)

There is the ldappasswd utility. e.g.

ldappasswd -H ldap://ldap.example.com:389 -D "uid=account-name,ou=serviceaccounts,dc=example,dc=com" -S -W -ZZ

If a referral is returned, then you need to try that server instead. This usually happens when there is one master server and multiple read-only servers.

Lucy answered 6/1, 2017 at 17:53 Comment(0)

Are you using OpenLDAP or Active Directory? Both of them need a secure connection to let you change your password.

You can't change your Active Directory password with PHP using ldap_mod_replace, you must use ldap_modify_batch if you are not an administrator.

Take a look: https://msdn.microsoft.com/en-us/library/cc223248.aspx

If you use replace (you don't send your old password), only administrators can change passwords. But if you use a batch with a delete (with your old password) and an add (with the new one), then a user can change his/her own password: http://php.net/ldap-modify-batch

Ewing answered 28/1, 2015 at 8:47 Comment(1)
Winonawinonah: Also note that the two operations are different: performing ldap_mod_replace (or ldap_modify_batch with LDAP_MODIFY_BATCH_REPLACE) leads to a password reset operation, while using ldap_modify_batch with a ..._REMOVE and an ..._ADD is a password change operation. The major difference is that a reset operation makes it impossible to access previously encrypted files (because they are encrypted with the old password), while a change operation doesn't suffer from this limitation (because the files are decrypted with the old and re-encrypted with the new password).
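As an added example, not code from any of the answers above: the delete-old/add-new batch described in this answer, written as a self-service Active Directory password change in PHP. It assumes an LDAPS URI (AD refuses password modifications over a cleartext session), placeholder host and DNs, and the unicodePwd attribute with its quoted UTF-16LE encoding as documented by Microsoft.

```php
<?php
// Added example (not from the original answers). Host, DNs and passwords are
// placeholders; the URI is assumed to be ldaps:// so the new password never
// crosses the wire in the clear.

// AD stores the password in unicodePwd and expects the value wrapped in
// double quotes and encoded as UTF-16LE.
function encodeAdPassword(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Two-step batch: remove the old value, add the new one. This is the
// "change" operation a non-admin user may perform on their own entry; a
// single REPLACE would be a "reset" and is refused without admin rights.
function buildPasswordChangeBatch(string $old, string $new): array
{
    return [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [encodeAdPassword($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [encodeAdPassword($new)]],
    ];
}

function changeOwnPassword(string $uri, string $userDn, string $old, string $new): bool
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user with the OLD password: no administrative account involved.
    if (!ldap_bind($ldap, $userDn, $old)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }

    $ok  = ldap_modify_batch($ldap, $userDn, buildPasswordChangeBatch($old, $new));
    // Typical failure causes: password policy (history, complexity, minimum
    // age) or a non-encrypted session; ldap_error() reports the server's reason.
    $err = $ok ? '' : ldap_error($ldap);
    ldap_unbind($ldap);

    if (!$ok) {
        throw new RuntimeException('password change failed: ' . $err);
    }
    return true;
}

// Placeholder values; replace with your directory's host and the user's DN.
changeOwnPassword('ldaps://dc01.example.com', 'CN=Jane Doe,OU=Users,DC=example,DC=com', 'OldPassw0rd!', 'NewPassw0rd!');
```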

Actually, you can do this in PHP, without an SSL / TLS connection, using PHP's COM extension (however, using COM means you're required to use a Windows OS for your application).

Using COM also by-passes your AD server's password policy complexity requirements (not sure why).

$dn = 'cn=John Doe,dc=acme,dc=org';

$ldap = new COM('LDAP:');

$user = $ldap->OpenDSObject('LDAP://ACME-DC01.corp.acme.org/'.$dn, 'admin-username', 'admin-password', 1);

$user->SetPassword('NewPassword');

$user->SetInfo(); // Saved
Libidinous answered 8/3, 2017 at 14:47 Comment(0)

Changing a User’s Password Using the RootDN Bind

ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"
Brimful answered 2/4, 2021 at 5:16 Comment(0)