Tags: php, arrays, ldap, openldap, ldap-query

How can I change username or email or phone number information in LDAP?


I have this script through which I can change my LDAP password, but I also want to change my username, full name, email, or phone number. How can I do that? When I echo out the records I only get info like my name and email, but what do I need to do to make ldap_modify change my full name or phone number or email or userid?

<?php
$server = "ldap://ldap";
$dn = "ou=People,DC=ssdfg,DC=sadad,DC=com";
$message = array();

function changePassword($server,$dn,$user,$oldPassword,$newPassword,$newPasswordCnf){
  global $message;

  error_reporting(0); // note: this also hides the ldap_* warnings that explain failures

  $con=ldap_connect($server);
  ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);

  /* only the attributes listed here are returned by the search,
     which is why print_r() below shows nothing but cn and mail */
  $findWhat = array ("cn","mail");
  /* escape the user-supplied value so it cannot alter the filter */
  $findFilter = "(uid=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";

  #bind anon and find user by uid
  $sr = ldap_search($con,$dn,$findFilter,$findWhat);
  $records = ldap_get_entries($con, $sr);
  echo "<pre>";print_r($records); // debug output

  /* error if found more than one user (or none) */
  if ($records["count"] != 1) {
    $message[] = "Error E100 - Wrong user.";
    return false;
  }
  $message[] = "Found user <b>".htmlspecialchars($records[0]["cn"][0])."</b>";

  /* try to bind as that user */
  if (ldap_bind($con, $records[0]["dn"], $oldPassword) === false) {
    $message[] = "Error E104 - Current password is wrong.";
    return false;
  }

  if ($newPassword != $newPasswordCnf ) {
    $message[] = "Error E101 - New passwords do not match! ";
    return false;
  }
  if (strlen($newPassword) < 8 ) {
    $message[] = "Error E102 - Your new password is too short! ";
    return false;
  }
  if (!preg_match("/[0-9]/",$newPassword)) {
    $message[] = "Error E103 - Your password must contain at least one digit. ";
    return false;
  }
  if (!preg_match("/[a-zA-Z]/",$newPassword)) {
    $message[] = "Error E103 - Your password must contain at least one letter. ";
    return false;
  }

  /* change the password finally (pre-hashed {SHA} value, see the answer below) */
  $entry = array();
  $entry["userPassword"] = "{SHA}" . base64_encode( pack( "H*", sha1( $newPassword ) ) );
  if (ldap_modify($con,$records[0]["dn"],$entry) === false){
    $message[] = "E200 - Your password cannot be changed, please contact the administrator.";
    return false;
  }
  $message[] = " Your password has been changed. ";
  //mail($records[0]["mail"][0],"Password change notice : ".$user,"Your password has just been changed.");
  return true;
}

?>

Solution

  • Attributes must be requested unless the ALL_ATTRIBUTES value is used; often this is an asterisk, but not always. The directory server must allow clients to retrieve values, and userPassword is often restricted to users with more privileges.

    To modify attribute values, construct a modify request with the distinguished name, attribute, and the new values.

    There are a couple of things of note:

    • The LDAP client should check for response controls when the server transmits a response to a request. Failure to check for response controls will result in the LDAP client possibly missing important information from the server.
    • Why does this client base64-encode the password? Directory servers should never accept pre-encoded passwords (servers should be configured to reject pre-encoded passwords) because the server cannot execute password quality and history checks on pre-encoded passwords. For these and other reasons, transmitting pre-encoded passwords is a terrible idea, and all clients should reject this practice. LDAP clients must use a secure connection (SSL, TLS, or IPsec) and transmit passwords in the clear or use an external SASL bind request. For even better security use the password modify extended request, which requires the existing password and can generate a password for the user.
    • This client does not appear to be able to respond to an unsolicited notification from the server. Directory Servers may transmit an extended result that is unsolicited, that is, not in response to a client request. Clients must be able to handle these notifications which are often notifications that the server disconnected the client for whatever reason.

    For more information, please see "LDAP: Programming Practices".
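As an added example, not code from the question or the answer, the modify request the answer describes applied to the asker's case: request the attributes you want back, bind as the user over TLS, then send a modify-replace for cn, mail and telephoneNumber. The server URL and base DN are constructed placeholders, and it assumes the directory's ACLs let the bound user write those three attributes.

```php
<?php
// Added example (not from the question or answer): change a user's own profile
// attributes with an LDAP modify-replace. $server/$base are constructed placeholders;
// assumes the directory ACLs let the user write cn, mail and telephoneNumber.
function updateProfile(string $server, string $base, string $uid, string $password, array $changes): array
{
    $con = ldap_connect($server);
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    // The bind sends the password, so upgrade the connection to TLS first.
    if (!ldap_start_tls($con)) {
        return ["Error: StartTLS failed: " . ldap_error($con)];
    }

    // Attributes only come back if requested: ask for the ones we will show or change.
    $wanted = ["cn", "mail", "telephoneNumber"];
    $filter = "(uid=" . ldap_escape($uid, "", LDAP_ESCAPE_FILTER) . ")";
    $records = ldap_get_entries($con, ldap_search($con, $base, $filter, $wanted));
    if ($records["count"] !== 1) {
        return ["Error: expected exactly one entry for uid=" . htmlspecialchars($uid)];
    }
    $userDn = $records[0]["dn"];

    // Bind as that user; the modify below runs with the user's own privileges.
    if (!@ldap_bind($con, $userDn, $password)) {
        return ["Error: bind failed: " . ldap_error($con)];
    }

    // Whitelist what this form may change; everything else is ignored.
    $allowed = ["cn" => true, "mail" => true, "telephoneNumber" => true];
    $entry = [];
    foreach ($changes as $attr => $value) {
        if (isset($allowed[$attr]) && is_string($value) && $value !== "") {
            $entry[$attr] = $value;   // replaces all existing values of the attribute
        }
    }
    if ($entry === []) {
        return ["Nothing to change"];
    }
    // Modify request: DN + attribute => new value(s); mod_replace overwrites in place.
    $ok = ldap_mod_replace($con, $userDn, $entry);
    $result = $ok ? "Updated " . implode(", ", array_keys($entry)) . " for $userDn"
                  : "Error: modify failed: " . ldap_error($con);
    ldap_unbind($con);
    return [$result];
}

// Constructed sample call:
print_r(updateProfile("ldap://ldap", "ou=People,dc=ssdfg,dc=sadad,dc=com", "jdoe", "secret",
    ["cn" => "Jane Doe", "telephoneNumber" => "+1 555 0100", "uid" => "ignored"]));
```

Changing uid itself is a different operation here, because uid forms the entry's RDN: that needs a rename (ldap_rename) rather than a modify, which is why the example deliberately ignores it.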