I had to give up on PHP and go to Perl, but it turned out not to be so bad. Users can now change their Active Directory passwords via a self-service web page that doesn’t require admin credentials. The Perl code is below. Authentication to the script is done via .htaccess LDAP authentication, so the REMOTE_USER env variable is assumed to contain the user’s username (sAMAccountName) by the time this script is called. There is a simple check for $ENV{HTTPS} to ensure the script is called via SSL, and AD requires password changes to be done via ldaps, so the whole thing should be encrypted end to end.
(Edited 5/14/2010 to replace the inlined Perl script with a link to the script as a text file.)
Evan Hoffman's Blog 
Instead of using charmap. you can convert the password to UTF16 Little Endian in a simple fashion using just Unicode::String
my $UTF16pass = Unicode::String::utf8(“\”$password\””)->utf16le();
Which makes more sense than byte swap.
Does the modify method work for password reset?
I found that i had to use an admin account with replace to get it to work. And most sites I saw said the modify method was broken with Active Directory.
Actually, I tried a bunch of different things and some of them worked “halfway.” I sent raw LDIF records directly to the AD server and that worked, so I assumed there had to be some way to do it via code, even if it came down to opening a raw socket. The Perl script I have in use does work though, with the “modify” command. I think as long as the delete/add takes place in a single transaction (and you provide the old password) it does work. The problem with PHP, iirc, was that it implemented the delete/add as two separate operations.
Hi Evan,
I need your script, becouse I have linux machine integrated with Active Directory (ldap only, not kerberos) and need change user password, but I don’t know to check your script, I don’t know perl and php. Can you said me that steps (conceptual) I have to check it?
A lot of thanks
P.D: Sorry for my English
Hi Ivan,
can u advise me how to call this perl script through php.I gues si can use passthrough but i ness to pass parameters like basedn,userid,pwd etch.
Kindly advise
Thank you very much! I think it would be convenient to include a link for the .htaccess LDAP authentication such as this one: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html#LDAP
A working .htaccess with LDAP auth is here:
http://www.evanhoffman.com/evan/?p=298
Evan
First of all, thanks for this great information.
I’m trying to do this on Red Hat 6 and found that Unicode::String is not available. After looking into what it would take to install this module I found that perl has encoding capability built in that will do the trick. Here’s the code to do the encoding I was able to get to work:
use Encode qw(encode decode);
my $oldUniPW = encode(“UTF-16LE”,'”‘.$oldpw.'”‘);
my $newUniPW = encode(“UTF-16LE”,'”‘.$newpw.'”‘);
Thanks for this, really helped me out. For others trying to do this in python you need something like this:
c.modify_s(dn, [(ldap.MOD_DELETE, ‘unicodePwd’, old_password), (ldap.MOD_ADD, ‘unicodePwd’, new_password)])
this performs a password CHANGE. if you have bound with a user who has password RESET power you can do this:
c.modify_s(dn, [(ldap.MOD_REPLACE, ‘unicodePwd’, new_password)])
You need to be connected using SSL (via port 636) and since most AD servers appear to use selfsigned certs you will have to either add the cert to your tool chain or do something like this:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
ldap.set_option(ldap.OPT_REFERRALS, 0)
(not sure what the second line is for).
Oh, one last thing, to make those passwords use this:
new_password = unicode(“”” + ‘secret’ + “””, “iso-8859-1”).encode(“utf-16-le”)
For those with access to Unix/Linux and Samba (smbpasswd), chADpasswd.cgi might be a good and simple start for building a web page for allowing users to change their Windows domain passwords. It works out of the box, but is only 120 lines of code and so it uses very simple HTML, has no themes, etc. It can be found in CPAN at: http://www.cpan.org/authors/id/H/HI/HIGHTOWE/