Allow Users to modify password

2007-03-23
2013-05-20
  • Fallet Steve
    2007-03-23

    Hello,

    I installed adLDAP and all works, thanks for all!

    I made a PHP script to allow users to change their AD password, and I got this error message:

    "Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access"

    What can I do?

    Thanks!

    • Todd Garrison
      2007-04-17

      From the relevant MS knowledge base article: http://support.microsoft.com/kb/269190

      <snip>
      There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

      The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was.
      </snip>

      ---

      Unfortunately, this class doesn't have the option to do the delete with the existing password. So in order to perform this you need to bind with an administrator account, verify the user's password, and then perform the change. I don't know how much I like leaving AD administrator passwords lying around in PHP scripts, actually--I don't like that idea at all!

      It would be hard to modify the class; I just don't have time to do it right now. If I do, I will submit a patch to the owners . . .

      Good luck!

    • Todd Garrison
      2007-04-17

      After further investigation it doesn't appear that PHP will allow this to happen (it is not adLDAP that lacks the functionality, it is PHP's ldap functions).

      PHP lacks the ability to do a delete and add in the same operation in the method described by the MS article above. So, you are stuck using an administrator to bind.

      Does anyone know if there are any attributes that we could set that allow an account to change passwords without having FULL domain administrator rights?

    • Wiggum
      2007-05-10

      You have to record a domain admin password in the class to do most useful functions. I know it's not desirable, but you've gotta remember that you want your webserver to do just about anything (doesn't mean it'll do it). I have pretty strict security on our document roots (specifically, Apache runs as the user "apache" with "chmod 500"), and I only use the class for intranet development.

    • thor918
      2008-03-19

      Yes, it is possible to have the user change its own password;
      however, this requires that the user has the "reset password" right on the user object.
      By default the user has the "change password" right on itself.

      Check permissions on the user, and look for SELF ;)

    • thor918
      2008-03-23

      If anyone is interested, I made a workaround using Python and python-ldap.
      This code does in fact let a normal user account's credentials change the password on itself, without any changes to the account (like adding reset privileges).
      I used Linux as it's a no-brainer to have Python correctly set up with python-ldap modules.
      It should be possible to set this up on Windows also.

      I hope you enjoy this code as I struggled a lot to get it working:
      http://home.no.net/thor918/sourceforge/python-ldap/adLDAP_2.1-extldap.py.zip

    • thor918
      2008-03-23
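The two modify forms quoted from the KB article above (self-service delete+add of the old and new unicodePwd values, versus an administrative single replace) and the python-ldap approach mentioned in the previous post, as an added example that is not part of this thread or of adLDAP. It assumes python-ldap is installed; the server URI and DN are placeholders, and AD only accepts unicodePwd changes over an encrypted (LDAPS or StartTLS) session.

```python
# python-ldap modify-type constants (ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE)
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_ad_password(password: str) -> bytes:
    """AD stores unicodePwd as the password wrapped in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def build_self_change_modlist(old_password: str, new_password: str) -> list:
    """'User change password' form: delete the current value and add the new one
    in a single modify request, so the user's own 'change password' right suffices."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_ad_password(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_ad_password(new_password)]),
    ]


def build_admin_reset_modlist(new_password: str) -> list:
    """'Administrator reset' form: one replace; needs the 'reset password' right on the object."""
    return [(MOD_REPLACE, "unicodePwd", [encode_ad_password(new_password)])]


def change_own_password(server_uri: str, user_dn: str, old_password: str, new_password: str):
    """Bind as the user (not as a domain admin) and submit the delete+add modify.
    Returns (ok, message). Example placeholders: server_uri='ldaps://dc.example.test',
    user_dn='CN=jdoe,OU=Staff,DC=example,DC=test'."""
    import ldap  # python-ldap; imported here so the modlist helpers run without it

    conn = ldap.initialize(server_uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    try:
        conn.simple_bind_s(user_dn, old_password)
        conn.modify_s(user_dn, build_self_change_modlist(old_password, new_password))
    except ldap.INVALID_CREDENTIALS:
        return False, "current password rejected at bind"
    except ldap.UNWILLING_TO_PERFORM as e:
        # typical when the session is not encrypted or the new value violates policy
        return False, f"server unwilling to perform: {e}"
    except ldap.CONSTRAINT_VIOLATION as e:
        # e.g. domain policy such as minimum password age or complexity
        return False, f"constraint violation: {e}"
    except ldap.INSUFFICIENT_ACCESS as e:
        return False, f"insufficient access: {e}"
    finally:
        conn.unbind_s()
    return True, "password changed"
```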

      I just have to add that you had better check if there are some domain security policies in effect. Like I had one that said that the password had to be at least 1 day old before one could change the password again.

      My Python script could perhaps have some more exit codes on different failure scenarios,
      but it should be sufficient as it is.

      I hope I can get some feedback as it is very nice to be urged to contribute.

      I'd like to thank Wiggum (dendiman) for this project. I have not made an app with it, but I'm just starting to get to know it ;) By the way, is it possible to loop through users in a specific OU?


  • Anonymous
    2012-01-06

    The previous link for a python solution doesn't work. Here's mine. It's just a simple, simple solution that should get the job done.

    https://gist.github.com/ad0a615cec792ffe4ade