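* @website: http://technology.mattrude.com/2010/11/ldap-php-change-password-webpage/
 *
 *
 * GNU GENERAL PUBLIC LICENSE
 * Version 2, June 1991
 *
 * Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 * Everyone is permitted to copy and distribute verbatim copies
 * of this license document, but changing it is not allowed.
 */

// Messages collected for the page footer (one entry per line shown to the user).
$message = array();
// Set to "yes" by changePassword() on success; the page uses it to pick the result box.
$message_css = "";

/**
 * Return the first value of an LDAP attribute of $entry, or '' when the attribute
 * is absent (ldap_get_values() returns false in that case) or not readable.
 *
 * @param resource|\LDAP\Connection $con
 * @param resource|\LDAP\ResultEntry $entry
 */
function ldapFirstValue($con, $entry, $attribute)
{
    $values = ldap_get_values($con, $entry, $attribute);
    return is_array($values) && isset($values[0]) ? (string) $values[0] : '';
}

/**
 * Store $newPassword as the userPassword of $user_dn, in the {SSHA} scheme
 * the directory expects: base64(sha1(password . salt) . salt).
 *
 * Appends the LDAP error ("errno - text") to $message on failure.
 *
 * @return bool true when ldap_modify() succeeded.
 */
function changePasswordLDAP($con, $user_dn, $newPassword)
{
    global $message;
    // random_bytes() is the CSPRNG; str_shuffle() over a 62-symbol alphabet
    // (the previous source) is not suitable for salts. {SSHA} accepts a binary salt.
    $salt = random_bytes(4);
    // sha1(..., true) returns the raw digest (same bytes as pack("H*", sha1(...))).
    $encoded_newPassword = "{SSHA}" . base64_encode(sha1($newPassword . $salt, true) . $salt);
    $entry = ["userPassword" => $encoded_newPassword];
    if (ldap_modify($con, $user_dn, $entry) === false) {
        $error = ldap_error($con);
        $errno = ldap_errno($con);
        $message[] = "$errno - $error";
        return false;
    }
    return true;
}

/**
 * Store $newPassword for the "login@realm" account $user_realm in the
 * ldap_users table (accounts whose LDAP userPassword is "{SASL}login@realm").
 * Hashing and salting are done server-side by the query (pgcrypto).
 *
 * Appends "Error when accessing database" to $message on failure.
 *
 * @return bool true when the UPDATE ran.
 */
function changePasswordSQL($user_realm, $newPassword)
{
    global $message;
    // libpq reads its connection settings from the process environment; copy
    // them from $_SERVER (e.g. set by the web server) when not already exported.
    foreach (["PGUSER", "PGPASSWORD", "PGDATABASE", "PGHOST"] as $k) {
        if (isset($_SERVER[$k]) && !isset($_ENV[$k])) {
            // "{$k}" rather than "${k}": the latter interpolation form is deprecated since PHP 8.2.
            putenv("{$k}=" . $_SERVER[$k]);
        }
    }
    $con = pg_connect("");
    if ($con === false) {
        // Without this check pg_query_params() would be handed false and abort the script.
        $message[] = "Error when accessing database";
        return false;
    }
    // Values are bound as parameters ($1, $2); nothing is interpolated into the SQL.
    $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( $1 || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", [$newPassword, $user_realm]);
    if ($result === false) {
        $message[] = "Error when accessing database";
        return false;
    }
    return true;
}

/**
 * Authenticate $user with $oldPassword against the directory, validate the new
 * password, store it (LDAP or SQL depending on the existing userPassword) and
 * e-mail a change notice to the account's mail attribute.
 *
 * Outcome is reported through the globals: $message receives the status text
 * (error codes E101..E103, E201) and $message_css is set to "yes" on success.
 *
 * @return bool|null false on any validation or authentication error; no return
 *                   value otherwise (unchanged from the original contract).
 */
function changePassword($user, $oldPassword, $newPassword, $newPasswordCnf)
{
    global $message;
    global $message_css;

    // Form values may be missing (null); normalise to strings before any use.
    $user = (string) $user;
    $oldPassword = (string) $oldPassword;
    $newPassword = (string) $newPassword;
    $newPasswordCnf = (string) $newPasswordCnf;

    $server = "ldaps://ldap.immae.eu";
    // ldap_* warnings would otherwise be printed into the HTML; failures are
    // reported through $message instead.
    error_reporting(0);

    // Never hand an empty credential to ldap_bind(): a DN with an empty password
    // is an unauthenticated bind, which some directories accept as success.
    if ($user === '' || $oldPassword === '') {
        $message[] = "Error E101 - Current Username or Password is wrong.";
        return false;
    }

    $con = ldap_connect($server);
    if ($con === false) {
        $message[] = "E201 - Your password cannot be changed, please contact the administrator.";
        return false;
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);

    // $user comes straight from the form: escape it for the DN here and for the
    // search filter below so it cannot change the meaning of either.
    $dn_user = ldap_escape($user, '', LDAP_ESCAPE_DN);
    $user_dn = "uid=$dn_user,ou=users,dc=immae,dc=eu";
    if (ldap_bind($con, $user_dn, $oldPassword) === false) {
        // Second account tree; same error text so the response does not reveal which exists.
        $user_dn = "uid=$dn_user,ou=group_users,dc=immae,dc=eu";
        if (ldap_bind($con, $user_dn, $oldPassword) === false) {
            $message[] = "Error E101 - Current Username or Password is wrong.";
            return false;
        }
    }

    // Strict comparison: with != two numeric-looking strings ("1e3", "1000") compare equal.
    if ($newPassword !== $newPasswordCnf) {
        $message[] = "Error E102 - Your New passwords do not match!";
        return false;
    }
    // Byte length, as before; the limit is a minimum so counting bytes never
    // rejects a password that counting characters would accept.
    if (strlen($newPassword) < 6) {
        $message[] = "Error E103 - Your new password is too short.
Your password must be at least 6 characters long.";
        return false;
    }

    $filter_user = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
    $user_search = ldap_search($con, "dc=immae,dc=eu", "(uid=$filter_user)");
    $auth_entry = $user_search === false ? false : ldap_first_entry($con, $user_search);
    if ($auth_entry === false) {
        // Bound but not found by the search: do not continue with empty attributes.
        $message[] = "E201 - Your password cannot be changed, please contact the administrator.";
        return false;
    }
    $mail_address = ldapFirstValue($con, $auth_entry, "mail");
    $first_name = ldapFirstValue($con, $auth_entry, "givenName");
    // NOTE(review): assumes the bound user may read its own userPassword; if the
    // ACL hides it this is '' and the LDAP path is taken — confirm against the directory.
    $existing_password = ldapFirstValue($con, $auth_entry, "userPassword");

    if (substr($existing_password, 0, 6) === "{SASL}") {
        // "{SASL}login@realm": the password lives in the SQL table, keyed by login@realm.
        $result = changePasswordSQL(substr($existing_password, 6), $newPassword);
    } else {
        $result = changePasswordLDAP($con, $user_dn, $newPassword);
    }

    if (!$result) {
        $message[] = "E201 - Your password cannot be changed, please contact the administrator.";
    } else {
        $message_css = "yes";
        // Recipient and first name come from the directory, not from the form.
        mail($mail_address, "Password change notice", "Dear $first_name, Your password on https://tools.immae.eu/ldap_password.php for account $user was just changed. If you did not make this change, please contact me. If you were the one who changed your password, you may disregard this message. Thanks -- Immae / Ismaƫl", "From: " . getenv("CONTACT_EMAIL"));
        $message[] = "The password for $user has been changed.
An informational email has been sent to $mail_address.
Your new password is now fully active.";
    }
}
?> Password Change Page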

Password Change Page

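';
// Missing form fields are passed as '' rather than raising "undefined array key"
// notices before changePassword() has had a chance to silence them.
changePassword(
    isset($_POST['username']) ? $_POST['username'] : '',
    isset($_POST['oldPassword']) ? $_POST['oldPassword'] : '',
    isset($_POST['newPassword1']) ? $_POST['newPassword1'] : '',
    isset($_POST['newPassword2']) ? $_POST['newPassword2'] : ''
);
// $message_css is "yes" only when changePassword() stored the new password.
if ($message_css === "yes") {
    echo '
';
} else {
    echo '
';
    $message[] = "Your password was not changed.";
}
foreach ($message as $one) {
    // Escape for the HTML context: messages embed the submitted account name,
    // the directory's mail attribute and raw LDAP error text.
    echo "

" . htmlspecialchars($one, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "

";
} ?>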