Victory! Change Active Directory Password via LDAP through browser


I had to give up on PHP and go to Perl, but it turned out not to be so bad. Users can now change their Active Directory passwords via a self-service web page that doesn't require admin credentials. The Perl code is below. Authentication to the script is done via .htaccess LDAP authentication, so the REMOTE_USER env variable is assumed to contain the user's username (sAMAccountName) by the time this script is called. There is a simple check for $ENV{HTTPS} to ensure the script is called via SSL, and AD requires password changes to be done via ldaps, so the whole thing should be encrypted end to end.

(Edited 5/14/2010 to replace the inlined Perl script with a link to the script as a text file.)

changeadpasswd.pl
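The flow described above (REMOTE_USER from .htaccess LDAP auth, an $ENV{HTTPS} check, then a single delete/add of unicodePwd over ldaps while bound as the user) as an added example written for this post, not the linked changeadpasswd.pl. The AD host, UPN realm, base DN, CA file and the "oldpw"/"newpw" form field names are assumptions.

```perl
# Added example, not the linked changeadpasswd.pl. Assumes REMOTE_USER is set by
# .htaccess LDAP auth, the form posts "oldpw"/"newpw", and the settings below.
use strict;
use warnings;
use CGI;
use Encode qw(encode);
use Net::LDAP;

my $AD_HOST  = 'ldaps://dc1.example.com';   # assumption: your domain controller
my $AD_REALM = 'example.com';               # assumption: UPN suffix used to bind
my $BASE_DN  = 'DC=example,DC=com';         # assumption: search base
my $CA_FILE  = '/etc/ssl/certs/ad-ca.pem';  # assumption: CA that signed the DC cert

# AD wants unicodePwd as the password wrapped in double quotes, encoded UTF-16LE.
sub ad_pw { return encode('UTF-16LE', '"' . shift . '"'); }

sub change_password {
    my ($user, $oldpw, $newpw) = @_;
    # Never handle passwords over plain HTTP or without an authenticated user;
    # the regex also keeps LDAP filter metacharacters out of the search below.
    die "HTTPS required\n" unless $ENV{HTTPS} && $ENV{HTTPS} eq 'on';
    die "no authenticated user\n" unless defined $user && $user =~ /^[\w.-]+$/;

    # ldaps with certificate verification; AD refuses password changes in the clear.
    my $ldap = Net::LDAP->new($AD_HOST, verify => 'require', cafile => $CA_FILE)
        or die "cannot connect to $AD_HOST: $@\n";

    # Bind as the user with the OLD password: no admin credentials involved.
    my $mesg = $ldap->bind("$user\@$AD_REALM", password => $oldpw);
    die "bind failed: " . $mesg->error . "\n" if $mesg->code;

    # Resolve the DN from the sAMAccountName that REMOTE_USER carries.
    $mesg = $ldap->search(base => $BASE_DN, scope => 'sub', attrs => ['1.1'],
                          filter => "(sAMAccountName=$user)");
    die "user not found\n" unless $mesg->count == 1;
    my $dn = $mesg->entry(0)->dn;

    # Delete old + add new in ONE modify: AD treats that as a user-initiated
    # change (old password is checked) rather than an admin reset.
    $mesg = $ldap->modify($dn, changes => [
        delete => [ unicodePwd => [ ad_pw($oldpw) ] ],
        add    => [ unicodePwd => [ ad_pw($newpw) ] ],
    ]);
    $ldap->unbind;
    return $mesg->code ? "failed: " . $mesg->error : "ok";
}

my $q = CGI->new;
print $q->header('text/plain'),
      change_password($ENV{REMOTE_USER}, $q->param('oldpw'), $q->param('newpw')), "\n";
```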


  1. #1 by Jason Fried on March 30, 2010 - 14:05:33

    Instead of using charmap, you can convert the password to UTF16 Little Endian in a simple fashion using just Unicode::String

    my $UTF16pass = Unicode::String::utf8("\"$password\"")->utf16le();

    Which makes more sense than byte swap.

    Does the modify method work for password reset?
    I found that I had to use an admin account with replace to get it to work. And most sites I saw said the modify method was broken with Active Directory.

    • #2 by evan on March 30, 2010 - 14:54:53

      Actually, I tried a bunch of different things and some of them worked “halfway.” I sent raw LDIF records directly to the AD server and that worked, so I assumed there had to be some way to do it via code, even if it came down to opening a raw socket. The Perl script I have in use does work though, with the “modify” command. I think as long as the delete/add takes place in a single transaction (and you provide the old password) it does work. The problem with PHP, iirc, was that it implemented the delete/add as two separate operations.