
PHP - LDAP change user passwords in Active Directory without using administrator account

I'm building an application authenticating against MS Active Directory using LDAP. We have a password policy where user passwords expire.

How can I set a user password without using an AD-administrator through ldap in PHP?

I've seen many approaches but all of them use an administrator account which is from my point of view a security risk.

The documentation for the unicodePwd attribute describes two ways to change a password:

  1. Sending a "delete" and an "add" operation in the same LDAP request. This uses the old password as the authorization to change the password. This is what a user would normally do themselves if they did Ctrl+Alt+Del -> Change password in Windows.
  2. Sending a "replace" operation, which is the same as an administrator resetting the password. This requires that you already authenticated with an account that has permission to reset the password.

If I understand you correctly, you want to avoid option 2. So the trick will be to send a "delete" and an "add" request in the same request. To do that, you can use ldap_modify_batch. In fact, there is an example of it on the documentation page itself:

<?php
// Encodes a password the way Active Directory expects for unicodePwd:
// the value wrapped in double quotes, as UTF-16LE.
function adifyPw($pw)
{
    return iconv("UTF-8", "UTF-16LE", '"' . $pw . '"');
}

// $connection must be an LDAPS connection already bound as the user whose
// password is being changed (host and UPN below are placeholders).
$connection = ldap_connect("ldaps://dc.ad.example.com");
ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($connection, "jack.smith-jones@ad.example.com", "Tr0ub4dor&3");

$dn = "cn=Jack Smith-Jones,ou=Wizards,dc=ad,dc=example,dc=com";
$modifs = [
    [
        // remove the current password (proves knowledge of it) ...
        "attrib"  => "unicodePwd",
        "modtype" => LDAP_MODIFY_BATCH_REMOVE,
        "values"  => [adifyPw("Tr0ub4dor&3")],
    ],
    [
        // ... and add the new one, in the same LDAP request
        "attrib"  => "unicodePwd",
        "modtype" => LDAP_MODIFY_BATCH_ADD,
        "values"  => [adifyPw("correct horse battery staple")],
    ],
];
ldap_modify_batch($connection, $dn, $modifs);

Note that you may have to connect over a secure connection (LDAPS, usually on port 636) for AD to allow this.
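The same delete-plus-add change wrapped into a complete function, as an added example that is not part of the original answer: it enforces certificate verification on the LDAPS connection, binds as the user with the old password (so the application never holds administrator credentials), looks up the user's own DN with an escaped filter, and surfaces AD's diagnostic message when the change is rejected. The host name, base DN and the assumption that the old password is still accepted for a bind are placeholders and assumptions of this example.

```php
<?php
// Added example, not from the original answer. Host and DNs are placeholders.

function adPassword(string $pw): string
{
    // AD expects the old/new value as a UTF-16LE string wrapped in double quotes
    return iconv("UTF-8", "UTF-16LE", '"' . $pw . '"');
}

function changeOwnAdPassword(string $upn, string $oldPw, string $newPw, string $baseDn, ?string &$err): bool
{
    $ldap = ldap_connect("ldaps://dc01.ad.example.com"); // placeholder host, LDAPS only
    if ($ldap === false) { $err = "bad LDAP URI"; return false; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Verify the DC certificate: a password change must never cross an unverified channel
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Bind as the user with the OLD password; this is the only credential the app handles
    if (!@ldap_bind($ldap, $upn, $oldPw)) {
        $err = "bind failed: " . ldap_error($ldap);
        return false;
    }

    // Find our own DN; escape the UPN so user input cannot alter the filter
    $filter = "(userPrincipalName=" . ldap_escape($upn, "", LDAP_ESCAPE_FILTER) . ")";
    $res    = ldap_search($ldap, $baseDn, $filter, ["1.1"]); // "1.1" = no attributes, DN only
    $entry  = $res ? ldap_first_entry($ldap, $res) : false;
    if (!$entry) { $err = "user not found"; ldap_unbind($ldap); return false; }
    $dn = ldap_get_dn($ldap, $entry);

    // REMOVE old + ADD new unicodePwd in ONE batch = "change password" semantics,
    // authorized by the old password rather than by a reset permission
    $ok = @ldap_modify_batch($ldap, $dn, [
        ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_REMOVE, "values" => [adPassword($oldPw)]],
        ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_ADD,    "values" => [adPassword($newPw)]],
    ]);
    if (!$ok) {
        // AD usually explains a policy rejection (history, complexity, minimum age) here
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $err = "change rejected: " . ldap_error($ldap) . " (" . ($diag ?? "") . ")";
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage (placeholder values):
// $ok = changeOwnAdPassword("jack.smith-jones@ad.example.com", "Tr0ub4dor&3",
//                           "correct horse battery staple", "dc=ad,dc=example,dc=com", $err);
```

A bind with an already expired password may itself be refused by AD, so the application should prompt for the change before expiry rather than after it.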
