How to modify Active Directory passwords through PHP

The secret is keep in Active Directory on a user object within the unicodePwd attribute. This attribute is written under some restricted conditions, however it can’t be accessible, but the value of this attribute can be modify or alter.
In order to alter this attribute, you must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

Passwords must meet complexity requirements determines whether password complexity is enforced. If this setting is enabled, user passwords meet the following requirements:

  • The password is at least six characters long.
  • The password contains characters from at least three of the following five categories:
    • English uppercase characters (A – Z)
    • English lowercase characters (a – z)
    • Base 10 digits (0 – 9)
    • Non-alphanumeric (For example: !, $, #, or %)
    • Unicode characters
  • The password does not contain three or more characters from the user’s account name.

PHP code as follows:
function create_ldap_connection() {
$ip = "Ad server IP";
$ldaps_url = "ldaps://$ip";
$port = 636;

$ldap_conn = ldap_connect( $ldaps_url, $port ) or die("Sorry! Could not connect to LDAP server ($ip)");

ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);

$username = "AdminUserName";
$password = "AdminPassword";
$binddn = "CN=Administrator,CN=Users,DC=TestDomain,DC=local";

$result = ldap_bind( $ldap_conn, $binddn, $password ) or die("
Error: Couldn't bind to server using provided credentials!");

if($result) {
return $ldap_conn;
} else {
die("
Error: Couldn't bind to server with supplied credentials!");
}
}

function get_user_dn( $ldap_conn, $user_name ) {
/* Write the below details as per your AD setting */
$basedn = "DC=AD Test,DC=Local";
/* Search the user details in AD server */
$searchResults = ldap_search( $ldap_conn, $basedn, $user_name );
if ( !is_resource( $searchResults ) )
die('Error in search results.');

/* Get the first entry from the searched result */
$entry = ldap_first_entry( $ldap_conn, $searchResults );
return ldap_get_dn( $ldap_conn, $entry );
}

function pwd_encryption( $newPassword ) {
$newPassword = "\"" . $newPassword . "\"";
$len = strlen( $newPassword );
$newPassw = "";
for ( $i = 0; $i < $len; $i++ ){
$newPassw .= "{$newPassword{$i}}\000";
}
$userdata["unicodePwd"] = $newPassw;
return $userdata;
}

$user_name = "(sAMAccountName=UserName of user whose password want to change)";//Dont remove parentheses brackets
$user_password = "New Password";

$ldap_conn = create_ldap_connection();
$userDn = get_user_dn($ldap_conn, $user_name);
$userdata = pwd_encryption($user_password);

$result = ldap_mod_replace($ldap_conn, $userDn , $userdata);
/* Check whether the password updated successfully or not. */
if ( $result )
die("Password changed successfully!");
else
die("Error: Please try again later!");

2 thoughts on “How to modify Active Directory passwords through PHP

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>