I have this method to change an AD user's password:

```php
<?php

use Symfony\Component\Ldap\Adapter\ExtLdap\UpdateOperation;

// ...

public function changePassword($ldapUserIdentifier, $oldPassword, $newPassword): string
{
    try {
        // Bind as the user with the current password
        $this->ldap->bind("DOMAIN\\" . $ldapUserIdentifier, $oldPassword);

        // Escape the identifier before placing it in the filter (prevents LDAP filter injection)
        $escaped = $this->ldap->escape($ldapUserIdentifier, '', LDAP_ESCAPE_FILTER);
        $query = $this->ldap->query('dc=domain,dc=com', '(&(sAMAccountName=' . $escaped . '))');
        $result = $query->execute();
        if (count($result) === 0) {
            return 'User not found';
        }
        $entry = $result[0];

        // AD expects the new password wrapped in double quotes and encoded as UTF-16LE
        $newPassword = mb_convert_encoding('"' . $newPassword . '"', 'UTF-16LE', 'UTF-8');

        $entryManager = $this->ldap->getEntryManager();
        $entryManager->applyOperations($entry->getDn(), [
            new UpdateOperation(LDAP_MODIFY_BATCH_REPLACE, 'unicodePwd', [$newPassword]),
        ]);

        return 'ok';
    } catch (\Throwable $th) {
        return $th->getMessage();
    }
}
```
It works, but the script doesn't care about the AD constraint. My Active Directory constraint is:

My code doesn't respect this constraint.
I want to respect the AD constraint.
After many days, I solved the problem.

In this case:

```php
$entryManager->applyOperations($entry->getDn(), [
    new UpdateOperation(LDAP_MODIFY_BATCH_REPLACE, 'unicodePwd', [$newPassword])
]);
```

Active Directory thinks it needs to reset the password and needs an admin account.

In this case:

```php
$entryManager->applyOperations($entry->getDn(), [
    new UpdateOperation(LDAP_MODIFY_BATCH_REMOVE, 'unicodePwd', [$oldPassword]),
    new UpdateOperation(LDAP_MODIFY_BATCH_ADD, 'unicodePwd', [$newPassword])
]);
```

Active Directory thinks it needs to CHANGE the password and doesn't need an admin account.

or here:
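The following is an added, self-contained example (not code from the question or the answer above) that puts the answer's remove-old/add-new pattern into a complete function using the Symfony LDAP component. The host name, base DN, domain prefix, account name and passwords are placeholders; the `encodeUnicodePwd` helper and `changeOwnPassword` function are names chosen for this example. Note that Active Directory only accepts `unicodePwd` modifications over an encrypted connection (LDAPS or StartTLS), which is why the connection is created with `encryption => 'ssl'`.

```php
<?php
// Added example: self-service AD password change with the Symfony LDAP component.
// Host, base DN, domain and credentials below are placeholders, not real values.

use Symfony\Component\Ldap\Adapter\ExtLdap\UpdateOperation;
use Symfony\Component\Ldap\Exception\LdapException;
use Symfony\Component\Ldap\Ldap;

/**
 * AD stores unicodePwd as the password wrapped in double quotes, encoded UTF-16LE.
 * Both the old and the new value sent in a change request must use this form.
 */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Changes the caller's own password. Removing the old value and adding the new one
 * in a single modify request is what makes AD treat this as a user-initiated
 * CHANGE (password policy enforced, no admin rights needed) instead of an admin RESET.
 */
function changeOwnPassword(Ldap $ldap, string $baseDn, string $domain, string $sam, string $old, string $new): bool
{
    // Bind as the user: this proves knowledge of the current password.
    $ldap->bind($domain . '\\' . $sam, $old);

    // Escape the account name before it goes into the search filter.
    $filter = '(sAMAccountName=' . $ldap->escape($sam, '', LDAP_ESCAPE_FILTER) . ')';
    $entries = $ldap->query($baseDn, $filter)->execute();
    if (count($entries) !== 1) {
        throw new \RuntimeException('Expected exactly one entry for ' . $sam);
    }
    $dn = $entries[0]->getDn();

    try {
        $ldap->getEntryManager()->applyOperations($dn, [
            new UpdateOperation(LDAP_MODIFY_BATCH_REMOVE, 'unicodePwd', [encodeUnicodePwd($old)]),
            new UpdateOperation(LDAP_MODIFY_BATCH_ADD, 'unicodePwd', [encodeUnicodePwd($new)]),
        ]);
    } catch (LdapException $e) {
        // A policy violation (history, complexity, minimum age) surfaces here as a
        // constraint violation. Log the reason, never the passwords themselves.
        error_log('Password change refused for ' . $sam . ': ' . $e->getMessage());
        return false;
    }

    return true;
}

// unicodePwd can only be modified over an encrypted connection.
$ldap = Ldap::create('ext_ldap', [
    'host' => 'dc01.domain.example', // placeholder host
    'encryption' => 'ssl',
]);

$ok = changeOwnPassword($ldap, 'dc=domain,dc=example', 'DOMAIN', 'jdoe', 'OldPassw0rd!', 'N3wPassw0rd!');
echo $ok ? "Password changed\n" : "Password change refused by policy\n";
```

Because the bind uses the user's own credentials and the modify removes the exact old value, a caller who does not know the current password cannot complete the request; that is the property that lets AD apply the domain password policy without the service holding any privileged account.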