[Jesperdb]

Our setup is as listed below

PfSense Firewall with a captive portal
Server 2008 running AD for users to authenticate with Radius through the Captive Portal.
Another server running IIS Web Server with PHP 5.3.

Our goal is to make a PHP script that allows people to change their password first time they logon, as the captiveportal does not
support the "Users must change password at first logon" option.

we got a PHP script already, but we are stuck at the ldap_modify action for the password.

Any help is appreciated.

Code looks like this:
----------------------------------------------------

PHP Code:

<?php
$message = array();             

function changePassword($user,$oldPassword,$newPassword,$newPasswordCnf){
  global $message;

$server = "dc01.615sqn.dk";
$dn = "dc=615sqn,dc=dk";
  
$user = $user . "@615SQN.DK";

  error_reporting(0);
ldap_connect($server);
$con=ldap_connect($server);
  ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);


 // $findWhat = array("sAMAccountName", "cn");
 // $findWhere = $dn;
 // $findFilter = "(|(cn=$user*))";

  #bind anon and find user by uid
  $sr = ldap_search($con,$dn,"(uid=*)");
  $records = ldap_get_entries($con, $sr);

$message[] = "User: " .$user;
$message[] = "Pass: " . $oldPassword;
$message[] = "nPass: " .$newPassword;

  // echo "<pre>";print_r($records);
  /* error if found more than one user */
 /*
 if ($records["count"] != "1") {
    $message[] = "Brugere fundet:" . $records["count"];
    $message[] = "Error E100 - Wrong user.";
    return false; 
  }else {
    $message[] = "Found user <b>".$records[0]["cn"][0]."</b>.";
  }
*/

  /* try to bind as that user */
//  if (ldap_bind($con, $records[0]["dn"], $oldPassword) === false) {
  if (ldap_bind($con, $user, $oldPassword) === false) {
    $message[] = "Error E104 - Current password is wrong.";
    return false;
  }
  else { }
  
  if ($newPassword != $newPasswordCnf ) {
    $message[] = "Error E101 - New passwords do not match! ";
    return false;
  }
  if (strlen($newPassword) < 8 ) {
    $message[] = "Error E102 - Your new password is too short! ";
    return false;
  }
  if (!preg_match("/[0-9]/",$newPassword)) {
    $message[] = "Error E103 - Your password must contain at least one digit. ";
    return false;
  }
  if (!preg_match("/[a-zA-Z]/",$newPassword)) {
    $message[] = "Error E103 - Your password must contain at least one letter. ";
    return false;
  }


  /* change the password finally */
  $entry = array();
  $entry["userPassword"] = "{SHA}" . base64_encode( pack( "H*", sha1( $newPassword ) ) );
  
  if (ldap_modify($con,$user,$entry) === false){
    $message[] = "E200 - Your password cannot be change, please contact the administrator.";
  }
  else { 
    $message[] = " Your password has been changed. "; 
    //mail($records[0]["mail"][0],"Password change notice : ".$user,"Your password has just been changed."); 
    } 

}  

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
 <title>Ændring af password</title>
 <style type="text/css">
 body { font-family: Verdana,Arial,Courier New; font-size: 0.7em;  }
 input:focus { background-color: #eee; border-color: red; }
 th { text-align: right; padding: 0.8em; }
 #container { text-align: center; width: 500px; margin: 5% auto; } 
 ul { text-align: left; list-style-type: square; } 
 .msg { margin: 0 auto; text-align: center; color: navy;  border-top: 1px solid red;  border-bottom: 1px solid red;  } 
 </style>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<div id="container">
<h2> Ændring af password </h2>
<ul>
</ul>
<form action="<?php print $_SERVER['PHP_SELF']; ?>" name="passwordChange" method="post">
  <table style="width: 400px; margin: 0 auto;">
    <tr><th>MA nr:</th><td><input name="username" type="text" size="20" autocomplete="off" /></td></tr>
    <tr><th>Gammelt password:</th><td><input name="oldPassword" size="20" type="password" /></td></tr>
    <tr><th>Nyt password:</th><td><input name="newPassword1" size="20" type="password" /></td></tr>
    <tr><th>Nyt password (Bekræft):</th><td><input name="newPassword2" size="20" type="password" /></td></tr>
    <tr><td colspan="2" style="text-align: center;" >
        <input name="submitted" type="submit" value="OK"/></td></tr>
  </table>
</form>
<div class="msg">
<?php 
if (isset($_POST["submitted"])) {
  changePassword($_POST['username'],$_POST['oldPassword'],$_POST['newPassword1'],$_POST['newPassword2']);
  foreach ( $message as $one ) { echo "<p>$one</p>"; }
} 
?>
</div>
</div>
</body></html>

------------------------------------------------------

[scott2500uk]

I've done a bit of work with AD and PHP and when working with them I always stayed away from changing user passwords cos I was under the impression that you had to use LDAPS rather than LDAP for AD to accept a password change via LDAP_modify. Dont take my word on this as I might be wrong.

But if LDAPS is required then you need PHP compiled with SSL support and then u have all the trouble of that... Then I'm not sure if you have to create the certificate from the AD server too.

But if you need help changing AD values other than the password I might be able to help. Remember by default a user doesnt have permission to change their own personal details in AD so many things cannot be modified by their own user credentials. You will need to modify AD permssions to give user access to modify their SELF details.