LDAP CHANGE PASSWORD PHP

Question

I want to change user's password [unicodePwd] on Windows Active Directory using PHP LDAP.

I am using Windows Active Directory via PHP LDAP.

I don't have any issues connection to it.

I don't have any issues collecting data.

I don't have any issues changing attributes using ldap_mod_replace or ldap_modify

except for the "unicodePwd".

*note that this works

$user['telephonenumber'] = '1234567890';

*note that this does'nt work

$user['unicodePwd'] = mb_convert_encoding('my_new_password', "UTF-16LE");

// CODE

$result = ldap_modify($ldap, $dn, $user);
return ldap_error($ldap);

// CODE

// ERROR ON CHANGING unicodePwd

ldap_modify(): Modify: Server is unwilling to perform

// NO ERROR FOR telephonenumber

• 06/11/2018 Problem,

I can't setup my server to have ldap over ssl. Already tried installing AD CS, nothing worked so far. Still configuring my server any idea about installing CA(Certificate Authority) to be used in LDAP over SSL?

• 06/20/2018 Problem, NEW PROBLEM

Already setup LDAP OVER SSL, i can also use ldap using the

cmd->ldp; port 389, and 636 with ssl is good.

but when i run it in my php using port 636 or ldaps://servername this is the error,

ldap_bind(): Unable to bind to server: Can't contact LDAP server

Answer 1

You need to be on a secured connection to modify a password (and probably other security related options).

Add the following before you call ldap_bind() :

ldap_start_tls($ldap);

This is a good idea even if you aren't trying to change a password as otherwise your bind operation is cleartext and can be sniffed.

---

If you see this error:

Warning: ldap_start_tls(): Unable to start TLS: Connect error in ...

You can workaround the issue by adding the following line before you call ldap_connect :

putenv('LDAPTLS_REQCERT=never');

WARNING : This disables checking the validity of the LDAP server certificate! Ideally you should add the server certificate (or its signing CA) to your trusted store.