Skip to content

Instantly share code, notes, and snippets.

@jackhftang jackhftang/index.php
Last active Sep 26, 2019

Embed
What would you like to do?
LDAP PHP Change Password Page (modified). Original can be found at https://gist.github.com/mattrude/657334
<?php
/**
* LDAP PHP Change Password Webpage
*
* Copyright (C) 2010 Matt Rude <http://mattrude.com>
* Copyright (C) 2019 Jack Tang <me@jackhftang.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
$message = array();
function changePassword($user, $oldPassword, $newPassword, $newPasswordCnf)
{
global $message;
$server = '127.0.0.1';
# base DN for all users
$dn = 'ou=users,dc=example,dc=com';
# bind DN for search users, need to have `read` permission on attributes: uid, mail, pwdaccountlockedtime
$bindDn = 'uid=readonly,dc=example,dc=com';
$bindDnPwd = 'secret';
error_reporting(0);
$con = ldap_connect($server);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
// bind rdn and find user by uid
if (ldap_bind($con, $bindDn, $bindDnPwd) === false) {
$message[] = "Error E201 - Unable to connect to server, you may not change your password at this time, sorry.";
return false;
}
$userSearch = ldap_search($con, $dn, "(|(uid=$user)(mail=$user))");
$userGet = ldap_get_entries($con, $userSearch);
if (!$userGet) {
$message[] = "Error E202 - Unable to connect to server, you may not change your password at this time, sorry.";
return false;
}
// find the first match and search again
$userEntry = ldap_first_entry($con, $userSearch);
$userDn = ldap_get_dn($con, $userEntry);
$userId = $userGet[0]["uid"][0];
$userSearchArray = array("pwdaccountlockedtime");
$userSearchFilter = "(|(uid=$userId)(mail=$user))";
$userSearchOpt = ldap_search($con, $userDn, $userSearchFilter, $userSearchArray);
$userGetOpt = ldap_get_entries($con, $userSearchOpt);
$pwdAccountLockedTime = $userGetOpt[0]["pwdaccountlockedtime"][0];
// Start the testing
if ($pwdAccountLockedTime) {
$message[] = "Error E101 - Your Account is Locked Out!!! Please contact the administrator to unlock.";
return false;
}
if (ldap_bind($con, $userDn, $oldPassword) === false) {
$message[] = "Error E101 - Current Username or Password is wrong.";
return false;
}
if ($newPassword != $newPasswordCnf) {
$message[] = "Error E102 - Your New passwords do not match!";
return false;
}
$encoded_newPassword = "{SHA}" . base64_encode(pack("H*", sha1($newPassword)));
if (strlen($newPassword) < 8) {
$message[] = "Error E103 - Your new password is too short.<br/>Your password must be at least 8 characters long.";
return false;
}
if (!preg_match("/[0-9]/", $newPassword)) {
$message[] = "Error E104 - Your new password must contain at least one number.";
return false;
}
if (!preg_match("/[a-zA-Z]/", $newPassword)) {
$message[] = "Error E105 - Your new password must contain at least one letter.";
return false;
}
if (!preg_match("/[A-Z]/", $newPassword)) {
$message[] = "Error E106 - Your new password must contain at least one uppercase letter.";
return false;
}
if (!preg_match("/[a-z]/", $newPassword)) {
$message[] = "Error E107 - Your new password must contain at least one lowercase letter.";
return false;
}
// And Finally, Change the password
$entry = array();
$entry["userPassword"] = "$encoded_newPassword";
if (ldap_modify($con, $userDn, $entry)) {
$message[] = "The password for $userId has been changed.<br/>Your new password is now fully Active.";
} else {
$error = ldap_error($con);
$errno = ldap_errno($con);
$message[] = "E201 - Your password cannot be change, please contact the administrator.";
$message[] = "$errno - $error";
$message[] = "Your password was not changed.";
}
return true;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Password Change Page</title>
<style type="text/css">
body {
font-family: Verdana, Arial, Courier New, serif;
font-size: 0.7em;
}
th {
text-align: right;
padding: 0.8em;
}
#container {
text-align: center;
width: 500px;
margin: 5% auto;
}
.msg_yes {
text-align: center;
color: green;
background: #D4EAD4;
border: 1px solid green;
border-radius: 10px;
margin: 2px;
}
.msg_no {
text-align: center;
color: red;
background: #FFF0F0;
border: 1px solid red;
border-radius: 10px;
margin: 2px;
}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<div id="container">
<h2>Password Change Page</h2>
<p>
Your new password must be 8 characters long or longer and have at least:<br/>
one capital letter, one lowercase letter, &amp; one number.<br/>
You must use a new password, your current password<br/>
can not be the same as your new password.
</p>
<?php
if (isset($_POST["submitted"])) {
$ok = changePassword($_POST['username'], $_POST['oldPassword'], $_POST['newPassword1'], $_POST['newPassword2']);
if ($ok) {
echo '<div class="msg_yes">';
} else {
echo '<div class="msg_no">';
}
foreach ($message as $msg) {
echo "<p>$msg</p>";
}
echo '</div>';
}
?>
<form method="POST" action="/">
<table style="width: 400px; margin: 0 auto;">
<tr>
<th><label for="username"> Username or Email Address:</label></th>
<td><input id="username" name="username" type="text" size="20px"/></td>
</tr>
<tr>
<th><label for="oldPassword">Current password:</label></th>
<td><input id="oldPassword" name="oldPassword" size="20px" type="password"/></td>
</tr>
<tr>
<th><label for="newPassword1">New password:</label></th>
<td><input id="newPassword1" name="newPassword1" size="20px" type="password"/></td>
</tr>
<tr>
<th><label for="newPassword2">New password (again):</label></th>
<td><input id="newPassword2" name="newPassword2" size="20px" type="password"/></td>
</tr>
<tr>
<td colspan="2" style="text-align: center;">
<input name="submitted" type="submit" value="Change Password"/>
<button onclick="location.reload()">Cancel</button>
</td>
</tr>
</table>
</form>
</div>
</body>
</html>
@JaymarkCruz

This comment has been minimized.

Copy link

JaymarkCruz commented Sep 26, 2019

i follow all the codes above and i'm getting "E201 - Your password cannot be change, please contact the administrator.
19 - Constraint violation"

Please help :D

@jackhftang

This comment has been minimized.

Copy link
Owner Author

jackhftang commented Sep 26, 2019

It is likely that your setting of these two variables are wrong.
$bindDn = 'uid=readonly,dc=example,dc=com';
$bindDnPwd = 'secret';

@JaymarkCruz

This comment has been minimized.

Copy link

JaymarkCruz commented Sep 26, 2019

i'm pretty sure it correct, i use it also in my log-in function and bind works properly.

@jackhftang

This comment has been minimized.

Copy link
Owner Author

jackhftang commented Sep 26, 2019

ldap_bind is native php function. There is not much custom logic here. One thing to note is that it is by default connected to port 389 (ldap, not ldaps). if $server is also also correct, then I would guess it is something else.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.