php ldap-bind expired password

依然范特西╮ submitted on 2019-12-23 17:21:19

Question


I am using the adldap plugin to connect to a Windows Server AD but my issue is with php ldap_bind as far as I can tell.

When a user types in an incorrect password, the error returned from ldap_error (which is used by adldap) is 'Invalid Credentials'. So far so good.

The problem arises when a user's password expires or in AD the user is set to change password on next logon (new user, password reset, etc). In this case whatever password the user enters to authenticate, ldap_error returns 'Invalid Credentials'. This means that I cannot tell if the user actually knows the expired password or not.

Has anyone got any idea how I can get around this issue?


Answer 1:


Since I had the same problem I searched and found a solution.

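// Define the constant only if the LDAP extension has not already done so.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}

$handle = ldap_connect('ldap://active.directory.server/');
$bind = ldap_bind($handle, 'user', 'expiredpass');

// Only report an error when the bind actually failed.
if (!$bind) {
    // Ask the server for the extended diagnostic text behind the failure.
    if (ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
        echo "Error Binding to LDAP: $extended_error";
    } else {
        echo "Error Binding to LDAP: No additional information is available.";
    }
}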

This returns something like this:

Error Binding to LDAP: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580

The important part is the code after 'data', which represents the LDAP sub codes for error code 49.

You may parse the sub code using this function:

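// Returns the sub code that follows "data " in the diagnostic message,
// or null when the message does not contain one.
function parseExentedLdapErrorCode($message) {
    $code = null;
    if (preg_match("/(?<=data\s).*?(?=\,)/", $message, $code)) {
        return $code[0];
    }
    return null;
}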


Source: https://stackoverflow.com/questions/31378207/php-ldap-bind-expired-password
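
The following is an added example, not code from the original question or answer: it maps the sub code from the diagnostic message to a reason and decides what the login page should do next. The function names, the reason labels and the sample messages (built from the one message shown above) are assumptions for illustration; the sub code table lists the commonly documented Active Directory values for LDAP error 49.

```php
<?php
// Added example, not from the original answer. Sub codes are the hex values
// Active Directory reports after "data" for LDAP result 49 (invalid credentials).
const AD_BIND_SUBCODES = [
    '525' => 'user_not_found',
    '52e' => 'invalid_credentials',
    '530' => 'logon_time_restricted',
    '531' => 'workstation_restricted',
    '532' => 'password_expired',
    '533' => 'account_disabled',
    '701' => 'account_expired',
    '773' => 'must_change_password',
    '775' => 'account_locked',
];

function classifyAdBindError(string $diagnostic): array
{
    // The hex sub code follows "data " and ends at the next comma.
    if (!preg_match('/\bdata\s+([0-9a-f]+)\s*,/i', $diagnostic, $m)) {
        return ['subcode' => null, 'reason' => 'unknown', 'password_ok' => false];
    }
    $sub = strtolower($m[1]);
    $reason = AD_BIND_SUBCODES[$sub] ?? 'unknown';
    // Assumption: AD answers 532/773 only when the supplied password matched;
    // every other reason is treated as "password not proven".
    $passwordOk = in_array($reason, ['password_expired', 'must_change_password'], true);
    return ['subcode' => $sub, 'reason' => $reason, 'password_ok' => $passwordOk];
}

function nextStep(array $result): string
{
    // Keep the detailed reason in server-side logs only. Showing it to the
    // client would reveal which accounts exist, are locked or are disabled.
    return $result['password_ok'] ? 'prompt_password_change' : 'generic_login_failure';
}

// Constructed sample messages: the one from the answer above plus variants
// that differ only in the sub code.
$samples = [
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580',
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580',
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 775, v2580',
    'No additional information is available.',
];
foreach ($samples as $msg) {
    $r = classifyAdBindError($msg);
    printf("%-4s %-22s %s\n", $r['subcode'] ?? '-', $r['reason'], nextStep($r));
}
```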
