使用 PHP 在 Active Directory 中更改密码时出错

Question

Hello good afternoon search on the internet how to change a user's password in Active Directory using PHP, I found the following code modifying only the accesses, but it is marking an error in the function ldap_mod_replace().

Could you help me fix the error?

I share my code

PHP Code

<?php

  $user_name = "(sAMAccountName=Write UserName of user whose password wants to change)"; //Dont remove parentheses brackets 
  $user_password = "NewPassword117";   

  $ldap_conn = create_ldap_connection(); 
  $userDn = get_user_dn($ldap_conn, $user_name);
  $userdata = pwd_encryption ($user_password);  
  $result = ldap_mod_replace($ldap_conn, $userDn , $userdata);  
  /* Check whether the password updated successfully or not. */ 
  if ($result)  
    die("Password changed successfully!");  
  else  
    die("Error: Please try again later!");

  function create_ldap_connection(){ 
    $ldaps_url = "MyIP"; // Example 192.168.100.1 
    $ldap_conn = ldap_connect($ldaps_url) or die("Sorry! Could not connect to LDAP server ($ip)");
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);  

    $password = "MyPassword";
    $binddn = "MyUser";
    $result = ldap_bind($ldap_conn, $binddn, $password) or die("Error: Couldn't bind to server using provided credentials!");

    if($result) {
      return $ldap_conn; 
    } else {
      die (" Error: Couldn't bind to server with supplied credentials!");
    }
  }  

  function get_user_dn($ldap_conn, $user_name) {  
    /* Write the below details as per your AD setting */  
    $basedn = "DC=AD Test,DC=Local";  
    /* Search the user details in AD server */  
    $searchResults = ldap_search( $ldap_conn, $basedn, $user_name );  

    if ( !is_resource( $searchResults ) )  die('Error in search results.');
    /* Get the first entry from the searched result */  
    $entry = ldap_first_entry( $ldap_conn, $searchResults ); 
    return ldap_get_dn( $ldap_conn, $entry ); 
  }

  function pwd_encryption( $newPassword ) {  
    $newPassword = "\"" . $newPassword . "\"";
    $len = strlen( $newPassword ); 
    $newPassw = "";
    for ( $i = 0; $i < $len; $i++ ) {
      $newPassw .= "{$newPassword {$i}}\000"; 
    }

    $userdata["unicodePwd"] = $newPassw;  return $userdata; 
  }


?>

Error

Answer 1

"Unwilling to perform" means "I can't do what you're asking me to do". It always means you've done something wrong. It could be a couple things in this case.

To be able to change the password, the connection has to be secure, which can be done with LDAPS (LDAP over SSL). I do see an s in $ldaps_url , but your example beside it of using an IP address wouldn't work. First, it must be preceded by ldaps:// , but also an IP address just doesn't work for SSL. The domain name you use to connect must match a domain name on the SSL certificate that the server sends you, and certificates don't have IP addresses.

So that line should look something like this:

$ldaps_url = "ldaps://example.com";

Or it could be the format of the password too. It seems like you took some code from the comments in the ldap_mod_replace() documentation for formatting the password, but I think there's a far more simple example in the documentation for ldap_modify_batch() :

function adifyPw($pw)
{
    return iconv("UTF-8", "UTF-16LE", '"' . $pw . '"');
}

That means you could change your pwd_encryption function to this:

function pwd_encryption( $newPassword ) {  
    $userdata["unicodePwd"] = iconv("UTF-8", "UTF-16LE", '"' . $newPassword . '"');
    return $userdata; 
}