
Thread: OpenLDAP user - edit details and/or password


    Question OpenLDAP user - edit details and/or password

    Hello,

    I have an openSUSE 11.0 system running OpenLDAP (managed by YaST) for user authentication on some services.

    Is there an easy way that I can provide for users to change their own passwords (Preferably a web interface)?

    Thanks


    Re: OpenLDAP user - edit details and/or password

    Here's a changepw.php script I wrote a while back which uses the LDAP API to change the password. You may not need the Samba stuff so you can remove that. Feel free to do what you want with it:

    <?php                            
    
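    // Generate a salted SHA1 ({SSHA}) password value: base64(sha1(pw . salt) . salt).
    //
    // $clear_pw  the clear-text password
    // $salt      optional salt; when null an 8-character hex salt is drawn from the
    //            CSPRNG (the former mt_srand(microtime)/mt_rand() salt was seeded
    //            from the clock and therefore predictable)
    // Returns the base64 payload only; the caller prepends the '{SSHA}' scheme tag.
    // SHA-1 is kept here only because {SSHA} is what the directory expects; a
    // {CRYPT} SHA-512 value or the server-side password-modify operation is stronger.
    function ldap_ssha_passwd($clear_pw, $salt = null) {
        if ($salt === null) {
            $salt = bin2hex(random_bytes(4)); // 8 hex chars, same shape as before
        }
        // sha1(..., true) yields the raw 20-byte digest, the same as pack('H*', sha1(...)).
        $hash = sha1($clear_pw . $salt, true);
        return base64_encode($hash . $salt);
    }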
    
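    // basic sequence with LDAP is connect, bind, search, interpret search
    // result, close connection
    //
    // Reads login, password (old) and password1 (new) from $_POST, binds to the
    // directory as that user and replaces userPassword -- plus the Samba hashes
    // when /usr/local/bin/mkntpwd is available -- with the new password.
    // Every outcome is reported to the browser with echo; nothing is returned.
    function ldapsearch () {
        // Link target for the "Try again" links.  The original read an undefined
        // $self here (empty href); PHP_SELF may also carry attacker-supplied path
        // info, so it is HTML-escaped before going into an attribute.
        $self = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
        $base = 'ou=People,dc=example,dc=com';

        // remove the part after @
        $login = explode('@', trim($_POST['login'] ?? ''), 2);
        $l = $login[0];
        $p = trim($_POST['password'] ?? '');
        $newp = trim($_POST['password1'] ?? '');
        // A simple bind with an empty password is an unauthenticated bind, which
        // some directories accept; with it anyone could reset any user's password
        // just by leaving "Old Password" blank.  Refuse that, and an empty new
        // password, before the directory is contacted.
        if ($l === '' || $p === '' || $newp === '') {
            echo 'Error changing entry<br>';
            echo "<a href='$self'>Try again</a>";
            return;
        }

        $ds = ldap_connect('ldap://ldap');  // must be a valid LDAP server!
        if (!$ds) {
            echo 'Cannot connect to LDAP server<br>';
            echo "<a href='$self'>Try again</a>";
            return;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        // NOTE: over plain ldap:// the old and new passwords cross the network in
        // clear text; a real deployment should use ldaps:// or ldap_start_tls($ds).

        // $l comes from the form: escape it for the DN and for the filter so that
        // characters such as ',', '*' or '(' cannot rewrite either one.
        $dnPart = ldap_escape($l, '', LDAP_ESCAPE_DN);
        $filterPart = ldap_escape($l, '', LDAP_ESCAPE_FILTER);
        $r = ldap_bind($ds, "cn=$dnPart,$base", $p);
        if (!$r) {
            // Don't let on authentication failed
            echo 'Error changing entry<br>';
            echo "<a href='$self'>Try again</a>";
            ldap_close($ds);
            return;
        }
        $sr = ldap_search($ds, $base, "(cn=$filterPart)");
        if (!$sr || ldap_count_entries($ds, $sr) !== 1) {
            // Don't let on entry not found
            echo 'Error changing entry<br>';
            echo "<a href='$self'>Try again</a>";
            ldap_close($ds);
            return;
        }
        $info = ldap_get_entries($ds, $sr);
        $dn = $info[0]['dn'];

        $cpass = changepw_crypt_hash($newp);
        if ($cpass === null) {
            echo 'Error changing entry<br>';
            echo "<a href='$self'>Try again</a>";
            ldap_close($ds);
            return;
        }
        $newinfo = array('userPassword' => array($cpass));
        // create Samba passwords (empty array when mkntpwd is absent or fails)
        $newinfo += changepw_samba_hashes($newp);

        // The modify result used to be ignored, so a change the server refused
        // (ACL, password policy) was still reported as success.
        $ok = ldap_modify($ds, $dn, $newinfo);
        ldap_close($ds);
        if (!$ok) {
            echo 'Error changing entry<br>';
            echo "<a href='$self'>Try again</a>";
            return;
        }
        // $l is user input: escape it before echoing it back into the page.
        echo 'Passwords for ' . htmlspecialchars($l, ENT_QUOTES, 'UTF-8') . " changed<br>\n";
    }

    // Build the {CRYPT} userPassword value for $password: SHA-512 crypt ('$6$')
    // with a 16-character salt drawn from the CSPRNG.  Returns null if crypt()
    // fails.  '$6$' requires SHA-512 support in libcrypt on this host and on the
    // directory host; use '$1$' (MD5-crypt, what the script produced before)
    // only where that is missing.
    function changepw_crypt_hash($password) {
        $chars = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        // The old loop indexed $chars with mt_rand(0, strlen($chars)), one past the
        // end, which the '@' on that line hid; random_int() also replaces mt_rand().
        $last = strlen($chars) - 1;
        $salt = '';
        for ($i = 0; $i < 16; $i++) {
            $salt .= $chars[random_int(0, $last)];
        }
        $hash = crypt($password, '$6$' . $salt . '$');
        // crypt() signals failure with a short '*0'/'*1' string instead of a hash.
        if (strlen($hash) < 13) {
            return null;
        }
        return '{CRYPT}' . $hash;
    }

    // create Samba passwords via the external mkntpwd helper.
    // Returns array('sambaLMPassword' => ..., 'sambaNTPassword' => ...) or an
    // empty array when the helper is missing, fails, or prints anything other
    // than "LM:NT" hex.  Note: the clear-text password is passed as a command-line
    // argument, so it is visible to other local users in the process list while
    // mkntpwd runs, and the LM hash is a weak legacy format -- drop this helper
    // if Samba does not need it.
    function changepw_samba_hashes($password) {
        $exe = '/usr/local/bin/mkntpwd ' . escapeshellarg($password) . ' 2>&1';
        $spass = exec($exe, $retarray, $retval);
        if ($retval !== 0 || !preg_match('/^[0-9A-F]+:[0-9A-F]+$/', (string) $spass)) {
            return array();
        }
        list($lmpass, $ntpass) = explode(':', $spass);
        return array('sambaLMPassword' => $lmpass, 'sambaNTPassword' => $ntpass);
    }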
    
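    // PHP_SELF can include attacker-controlled path info; escape it once here and
    // use it only inside HTML attributes below.
    $self = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>\n";
    echo "<html><title>Change password</title><body>\n";
    echo "<center>\n";
    echo "<img src='/icons/example-com.gif'><br>\n";
    echo "<h3>Change password</h3>\n";
    // Show the form unless it has been submitted.  The original test
    // `!$_POST['action'] == 'submitted'` negated the value before comparing it,
    // so it only worked by accident; compare the string directly instead.
    if (($_POST['action'] ?? '') !== 'submitted') {
    ?>
    <form action="<?php echo $self ?>" method="post">
            <table border="0" summary="Password form">
            <tr><td align='right'>Username:</td><td align='left'><input type='text' name='login' /></td></tr>
            <tr><td align='right'>Old Password:</td><td align='left'><input type='password' name='password' /></td></tr>
            <tr><td align='right'>New Password:</td><td align='left'><input type='password' name='password1' /></td></tr>
            <tr><td align='right'>Retype New Password:</td><td align='left'><input type='password' name='password2' /></td></tr>
            </table>
            <br>
            <input type='hidden' name='action' value='submitted' />
            <input type='submit' name='submit' value='Change' />
    </form>
    <?php
    } elseif (trim($_POST['password1'] ?? '') !== trim($_POST['password2'] ?? '')) {
        echo 'New passwords do not match<br>';
        echo "<a href='$self'>Try again</a>";
    } else {
        // Binds as the user with the old password and replaces the stored hashes.
        ldapsearch();
    }
    echo "</center>\n";
    echo "</body></html>\n";
    ?>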
