Edit report at https://bugs.php.net/bug.php?id=45477&edit=1
 ID:                 45477
 Comment by:         asa_martin at hotmail dot com
 Reported by:        alexis dot robert at gmail dot com
 Summary:            ldap_mod_del() fails to remove attribute
 Status:             No Feedback
 Type:               Bug
 Package:            LDAP related
 Operating System:   *
 PHP Version:        5.2.6
 Block user comment: N
 Private report:     N

 New Comment:

The problem with ldap_mod_replace is that it performs a single replace
operation. In Active Directory a single replace operation is the equivalent
of resetting the password. To change a password one must delete and add. By
default users have permission to change their own password but not to reset
their own password.

From msdn http://msdn.microsoft.com/en-us/library/cc223248.aspx

When a DC receives an LDAP Modify request to modify this attribute, it
follows the following procedure:

If the Modify request contains a delete operation containing a value Vdel
for unicodePwd followed by an add operation containing a value Vadd for
unicodePwd, the server considers the request to be a request to change the
password. The server decodes Vadd and Vdel using the password decoding
procedure documented later in this section. Vdel is the old password, while
Vadd is the new password.

If the Modify request contains a single replace operation containing a value
Vrep for unicodePwd, the server considers the request to be an
administrative reset of the password, that is, a password modification
without knowledge of the old password. The server decodes Vrep using the
password decoding procedure documented later in this section and uses it as
the new password.


Previous Comments:
------------------------------------------------------------------------

[2013-02-18 00:33:55] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because we
assume that you are no longer experiencing the problem. If this is
not the case and you are able to provide the information that was
requested earlier, please do so and change the status of the bug
back to "Open". Thank you.
------------------------------------------------------------------------

[2010-05-21 12:11:05] m...@php.net

What's wrong with http://php.net/ldap_mod_replace ?

------------------------------------------------------------------------

[2010-04-25 15:58:25] alexis dot robert at gmail dot com

Is it solved in the main tree? Else, can somebody review my patch and tell
me how it is? I know it's a bit old (and maybe it needs a resync) but I had
a lot of work to do these past two years for my classes.

Thanks in advance :)

Alexis

------------------------------------------------------------------------

[2008-08-19 11:51:34] alexis dot robert at gmail dot com

I've done a patch which fixes the bug. It creates a ldap_mod_deleteadd
function which deletes an attribute and adds it in the same LDAP request.
Some parts of the code are imported from pam_ldap.

This bug also appears with MS Active Directory (when you bind without admin
rights).

The syntax is pretty obvious (but not very clean asap, I wanted to know if
you like it before making it as pretty as ldap_mod_replace):

ldap_mod_deleteadd(resource link, string dn, string attr, string old,
string new[, boolean binary = false])

The boolean binary attribute is here for AD which uses a Unicode-encoded
password (and so needs LDAP_MOD_BVALUES).

Currently waiting for your insults :)

Alexis

(The patch is at:
http://alexis.robertlan.eu.org/tmp/001-ldap_php-add-mod_deleteadd.diff -
created by cvs diff)

------------------------------------------------------------------------

[2008-07-18 11:56:50] alexis dot robert at gmail dot com

OK. I've done a *lot* of research (trying to make TLS/SSL work, and some
other fun things -- I hate certificates) and I discovered by analysing with
tcpdump/wireshark that the current Java program makes the delete+add orders
in the same request, while my PHP software makes them in two different
requests.
So, NDS refuses to let the users have no userPassword attribute for a short
period of time: that is the reason for the "Server unwilling to perform".

As I don't think we can queue the requests in a FIFO-like stack in
php_ldap's API, is it possible to send an LDIF using php_ldap? That sounds
like a great solution.

Thanks a lot

Alexis

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=45477


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=45477&edit=1
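The single Modify request carrying a delete of the old unicodePwd followed by an add of the new one, as described in the top comment and in Alexis's delete+add analysis, written as an added PHP example that is neither from the bug report nor from PHP's own source. It uses ldap_modify_batch(), which PHP gained well after this thread, rather than the proposed ldap_mod_deleteadd(); the server URL, DN and passwords are placeholders.

```php
<?php
// Added example: change an Active Directory user's own password with one
// LDAP Modify request that removes the old unicodePwd value and adds the
// new one. MS-ADTS treats delete+add as a user "change" (needs only the
// change-own-password right) and a lone replace as an admin "reset".
// Assumes ldap_modify_batch() (PHP 5.4.26+/5.5.10+) and LDAPS to the DC.

// unicodePwd values are the password wrapped in double quotes, encoded as
// UTF-16LE; the quotes are framing, not part of the password.
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Two operations in one request, in this order: remove Vdel, then add Vadd.
function buildPasswordChange(string $old, string $new): array
{
    return [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($new)]],
    ];
}

// Placeholder connection details (not from the bug report).
$server      = 'ldaps://dc.example.test';  // AD rejects unicodePwd over plain LDAP
$userDn      = 'CN=Jane Doe,OU=Users,DC=example,DC=test';
$oldPassword = 'OldPassw0rd!';
$newPassword = 'N3wPassw0rd!';

$ds = ldap_connect($server);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// Bind as the user itself: no admin rights, so a replace would be refused.
if (!ldap_bind($ds, $userDn, $oldPassword)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($ds) . PHP_EOL);
    exit(1);
}

// Both operations travel in a single Modify PDU, unlike separate calls to
// ldap_mod_del() and ldap_mod_add(), which the DC sees as two requests.
if (!ldap_modify_batch($ds, $userDn, buildPasswordChange($oldPassword, $newPassword))) {
    fwrite(STDERR, 'password change rejected: ' . ldap_error($ds) . PHP_EOL);
    exit(1);
}
echo "password changed\n";
ldap_unbind($ds);
```

A rejected change surfaces as "Unwilling to perform" or "Constraint violation" from ldap_error(), typically because the old value did not match, the new password fails policy, or the connection was not TLS-protected.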