Question
I am using the adldap plugin to connect to a Windows Server AD but my issue is with php ldap_bind as far as I can tell.
When a user types in an incorrect password, the error returned from ldap_error (which is used by adldap) is 'Invalid Credentials'. So far so good.
The problem arises when a user's password expires or in AD the user is set to change password on next logon (new user, password reset, etc.). In this case, whatever password the user enters to authenticate, ldap_error returns 'Invalid Credentials'. This means that I cannot tell if the user actually knows the expired password or not.
Has anyone got any idea how I can get around this issue?
Answer 1:
Since I had the same problem I searched and found a solution.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); // built into PHP since 7.1
}
$handle = ldap_connect('ldap://active.directory.server/');
ldap_set_option($handle, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
$bind = @ldap_bind($handle, 'user', 'expiredpass');
if ($bind === false) {
    $extended_error = '';
    if (ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error) && $extended_error !== '') {
        echo "Error Binding to LDAP: $extended_error";
    } else {
        echo "Error Binding to LDAP: No additional information is available.";
    }
}
This returns something like this:
Error Binding to LDAP: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580
The important part is the code after 'data', which represents the LDAP sub code for error code 49.
You may parse the sub code using this function:
function parseExtendedLdapErrorCode($message) {
    // Capture the hex sub code that follows "data " and precedes the next comma,
    // e.g. "773" from "... AcceptSecurityContext error, data 773, v2580".
    $code = null;
    if (preg_match('/(?<=data\s).*?(?=,)/', $message, $code)) {
        return $code[0];
    }
    return null;
}
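As an added example (not part of the original answer), the full flow the answer describes: bind, read the diagnostic message, pull out the sub code and classify it, so that an expired or must-change password can be told apart from a wrong one. The server URI, user and password are placeholders; the sub code meanings are Microsoft's documented Active Directory values for LDAP error 49, and the empty-password check is there because an empty password makes ldap_bind perform an anonymous bind that would otherwise look like success.

```php
<?php
// Added example, not from the original answer. Classify an AD bind failure by
// the "data NNN" sub code in the server's diagnostic message.
// Host, user and password are placeholders; sub code meanings are Microsoft's
// documented AD values for LDAP error 49 (AcceptSecurityContext).

/** Map an AD sub code (hex string after "data ") to a status keyword. */
function classifyAdSubCode(?string $sub): string {
    $known = [
        '525' => 'user_not_found',
        '52e' => 'invalid_credentials',
        '530' => 'logon_time_restriction',
        '531' => 'workstation_restriction',
        '532' => 'password_expired',      // user knew the (now expired) password
        '533' => 'account_disabled',
        '701' => 'account_expired',
        '773' => 'password_must_change',  // "change password at next logon" is set
        '775' => 'account_locked',
    ];
    return $known[strtolower((string) $sub)] ?? 'unknown';
}

/** Extract the sub code from "... AcceptSecurityContext error, data 773, v2580". */
function extractAdSubCode(string $diag): ?string {
    return preg_match('/\bdata\s+([0-9a-fA-F]+)\b/', $diag, $m) ? $m[1] : null;
}

/** Try to bind; return 'ok' or the classified failure reason. */
function adBindStatus(string $uri, string $user, string $pass): string {
    if ($pass === '') {
        return 'invalid_credentials'; // empty password would bind anonymously
    }
    $h = ldap_connect($uri);
    ldap_set_option($h, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($h, LDAP_OPT_REFERRALS, 0);
    if (@ldap_bind($h, $user, $pass)) {
        return 'ok';
    }
    $diag = '';
    ldap_get_option($h, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // constant built in since PHP 7.1
    return classifyAdSubCode(extractAdSubCode((string) $diag));
}

// Only 'password_expired' and 'password_must_change' prove the user knew the
// current password; those alone should lead into a password-change flow.
$status = adBindStatus('ldap://ad.example.test/', 'user@example.test', 'secret');
$knowsPassword = in_array($status, ['ok', 'password_expired', 'password_must_change'], true);
echo "$status " . ($knowsPassword ? "(password known)" : "(reject)") . "\n";
```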
Source: https://stackoverflow.com/questions/31378207/php-ldap-bind-expired-password