2
votes

I'm attempting to write a bit of code that will allow users to change their expired Active Directory passwords via a PHP web interface. Due to limitations with PHP's ldap library*, it seems the only way to do this is by generating an LDIF and then passing this directly to ldapmodify.

The code I've come up with (minus the vars) is:

ldapmodify -H {$ad_server} -D '{$dn}' -w {$old} <<!
dn: {$dn}
changetype: modify
delete: unicodePwd
unicodePwd:: {$oldPassword}
-
add: unicodePwd
unicodePwd:: {$newPassword}
-
!

The code appears to work fine when I paste the generated code straight into my console, but so far I've had no luck running it from PHP.

I originally tried passing the code to exec, only to get exit code 247 (which doesn't appear to be a real thing).

I then attempted to use proc_open instead, which produced the current error:

ldapmodify: invalid format (line 5) entry: " ... "

So far as I can see, the only thing on line 5 is a "-", so I'm a bit stuck as to what could be wrong.

P.S. I also read this post, LDIF file error?? Invalid Format?, which reported a similar problem, although assuming the encoding of the "-" character is the issue, I'm not sure what I can really do with it from within PHP (mb_string_encoding the whole string into UTF-8 doesn't appear to have any effect).

This is also running on a Solaris machine, which may also be a factor.

*PHP is unable to perform two actions within a single command, something that is required in order to do a user password change in AD (so far as I'm aware).

Edit: Not sure why this is getting downvotes, but I'd be happy to be told I'm an idiot if I'm doing something patently stupid without noticing (so long as you point out what that is, as I've been stuck on this for a while now).

1
I suspected line endings, but probably doesn't warrant a downvote. I'm getting stuck on this same thing today. - Dustin Graham

1 Answer

5
votes

Thanks to some help from the #ldap channel on freenode it turns out I am indeed an idiot (especially considering that I've been poking and prodding this for most of the day).

It seems ldapmodify does not like it when an LDIF contains Windows newline characters after the "-". Switching line endings from Windows to Unix in Sublime has fixed the problem for me.*
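To make the fix above concrete, here is an added shell example (not code from the question or the answer) that builds the same delete/add unicodePwd LDIF from a POSIX shell with bare LF line endings, so the "-" separator lines never carry a CR. It also does the part the question's snippet leaves to PHP variables: Active Directory expects unicodePwd to be the password wrapped in double quotes, encoded as UTF-16LE and then base64'd (which is why the LDIF uses "::"). The DN, passwords and host name are constructed placeholders; iconv and base64 from a normal Linux userland are assumed. The ldapmodify call itself is shown as a comment, since it needs a live domain controller.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iconv(1) and base64(1).

# AD wants unicodePwd as: "<password>" (with the quotes) -> UTF-16LE -> base64.
# The base64 output is joined onto one line because LDIF "::" values may not wrap
# without the continuation-space syntax.
encode_unicode_pwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Emit the self-service password-change LDIF (delete old value, add new value in
# one modify). Every line ends in a bare LF: a CR after "-" is exactly what makes
# ldapmodify report "invalid format (line 5)".
make_pw_change_ldif() {
    dn=$1
    old_pw=$2
    new_pw=$3
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'delete: unicodePwd\n'
    printf 'unicodePwd:: %s\n' "$(encode_unicode_pwd "$old_pw")"
    printf -- '-\n'
    printf 'add: unicodePwd\n'
    printf 'unicodePwd:: %s\n' "$(encode_unicode_pwd "$new_pw")"
    printf -- '-\n'
}

# Normaliser for LDIF text that may have been built with "\r\n" (Windows editor,
# PHP string with \r\n): strip every CR before handing it to ldapmodify.
strip_crlf() {
    tr -d '\r'
}

# Exit 0 if stdin contains a CR byte, 1 otherwise (a quick pre-flight check).
has_cr() {
    grep -q "$(printf '\r')"
}

# Constructed sample values (placeholders, not real accounts or passwords).
SAMPLE_DN='CN=Jane Doe,OU=Users,DC=example,DC=com'
SAMPLE_OLD='OldPass1!'
SAMPLE_NEW='NewPass2!'

# Show the generated LDIF.
make_pw_change_ldif "$SAMPLE_DN" "$SAMPLE_OLD" "$SAMPLE_NEW"

# Real invocation (not run here; needs a DC). AD only accepts unicodePwd changes
# over an encrypted connection, hence ldaps://. Binding with the *old* password
# is what lets a user with an expired password perform this change.
#   make_pw_change_ldif "$SAMPLE_DN" "$SAMPLE_OLD" "$SAMPLE_NEW" | strip_crlf \
#     | ldapmodify -H ldaps://dc01.example.com -D "$SAMPLE_DN" -y /path/to/old-pw-file
```

Two practitioner notes on using this from a web application. First, the delete/add pair is the user self-change form and requires the old password; a single "replace: unicodePwd" is an administrative reset and needs reset rights on the account. Second, the question's heredoc interpolates the DN and both passwords straight into a shell command line: pass them as separate arguments (an argv array to proc_open, or escapeshellarg on each) so a DN containing shell metacharacters cannot inject commands, and prefer ldapmodify's -y password-file option over -w, which exposes the old password in the process list.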