The ldap_modify command seems to be missing something?


Hi everyone,

While playing around with PHP, Squirrelmail, an Active Directory and
other assorted toys I ran into a strange limitation of the PHP
ldap_modify command.

In general, an ldap_modify should allow you to add values to an
attribute, delete selected values for an attribute, and replace all
values for an attribute. These are the three operations that are part of
what ldap_modify can do, outside PHP.

Imagine I have an LDIF like this:

dn: cn=test,cn=users,dc=test,dc=local
changetype: modify
# the delete carries the current password's value (omitted here) to prove the user knows it
delete: unicodePwd
-
# the new value: the password in double quotes, base64-encoded ("::") in LDIF
add: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-

The above LDIF statement allows a 'mere' user to change his/her password
on a Windows Active Directory (W2k/W2k3) server [1]. The advantage to
this method is that the software in question would not need to know the
Administrator password at all to allow a user to change their password.

The idea is, you have to -delete- the old password entry to prove that
you actually know it, and then add a new one. The unicodePwd field is
write-only, you can never retrieve its current value. By the way, these
values are BER-encoded WCHARS (16-byte characters).

In PHP, I can't seem to find a way to do this operation in a single LDAP
transaction. Doing it in two transactions won't work, and passing an
'empty' unicodePwd to get the old value deleted is not enough to satisfy
the Active Directory server, either. It seems like PHP does not have a
proper ldap_modify function. Compare e.g. the Perl::Ldap ldap_modify [2]
function, that allows you to specify exactly which attributes to add,
delete or replace.

Can anyone help me with applying the above LDIF from within PHP, or do
we need to extend/fix the ldap_modify command?

Regards, Paul Boven.
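The operation Paul asks for (a delete of the old unicodePwd value and an add of the new one in a single LDAP Modify request) can be done in PHP with ldap_modify_batch(), which was added after this post was written (PHP 5.4.26 / 5.5.10 and later) and takes an explicit list of per-attribute add/remove/replace operations. The following is an added example, not code from the original post: it binds as the user (no Administrator credentials), builds the two modifications, and sends them as one request. The server URI, DN and passwords in the usage comment are hypothetical. The value format matches the LDIF above: the base64 string there decodes to the new password surrounded by double quotes, encoded as UTF-16LE. Active Directory only accepts unicodePwd writes over an encrypted connection, so the example assumes LDAPS.

```php
<?php
// Added example (not from the original post): change a user's own Active Directory
// password in ONE LDAP Modify operation using ldap_modify_batch().
// Assumptions (not in the post): an LDAPS endpoint such as ldaps://ad.test.local,
// since AD rejects unicodePwd writes over an unencrypted connection.

/**
 * Encode a password the way the unicodePwd attribute expects it:
 * the password wrapped in double quotes, as UTF-16LE.
 */
function adPasswordValue(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Bind as the user and replace the password by deleting the old value and
 * adding the new one in a single Modify request. Returns true on success,
 * throws on any failure (bind error, or AD rejecting the change).
 */
function changeOwnAdPassword(string $uri, string $dn, string $oldPassword, string $newPassword): bool
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect() failed for ' . $uri);
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The user authenticates with their current password; no Administrator account is involved.
    if (!@ldap_bind($ds, $dn, $oldPassword)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException('bind failed: ' . $err);
    }

    // Two modifications, one request: the delete proves knowledge of the old
    // password (AD compares the supplied value), the add installs the new one.
    $mods = [
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_REMOVE,
            'values'  => [adPasswordValue($oldPassword)],
        ],
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_ADD,
            'values'  => [adPasswordValue($newPassword)],
        ],
    ];

    $ok = ldap_modify_batch($ds, $dn, $mods);
    if (!$ok) {
        // Password policy violations (history, complexity, minimum age) and a wrong
        // old value come back as an LDAP error; surface it instead of swallowing it.
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException('password change rejected: ' . $err);
    }

    ldap_unbind($ds);
    return true;
}

// Usage with hypothetical values:
// changeOwnAdPassword('ldaps://ad.test.local', 'cn=test,cn=users,dc=test,dc=local',
//                     'oldPassword', 'newPassword');
```

Two separate ldap_mod_del()/ldap_mod_add() calls would not work here, as the post observes, because AD evaluates the delete and the add together within one Modify request; ldap_modify_batch() is the PHP call that produces exactly that request shape.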

