ldap_mod_replace

(PHP 4, PHP 5, PHP 7, PHP 8)

ldap_mod_replace - Replace attribute values with new ones

Description

ldap_mod_replace ( resource $ldap , string $dn , array $entry , array|null $controls = null ) : bool

Replaces one or more attributes from the specified dn. It may also add or remove attributes.

Parameters

ldap

An LDAP resource, returned by ldap_connect().

dn

The distinguished name of an LDAP entity.

entry

An associative array listing the attributes to replace. Sending an empty array as value will remove the attribute, while sending an attribute not existing yet on this entry will add it.

controls

Array of LDAP Controls to send with the request.

Return Values

Returns true on success or false on failure.

Changelog

Version Description
8.0.0 controls is nullable now; previously, it defaulted to [].
7.3 Support for controls added

Notes

Note: This function is binary-safe.

See Also

User Contributed Notes

giodev at panozzo dot it 27-Feb-2020 07:50
A better method to create the unicodePwd Active Directory LDAP field from PHP is:

$unicodePwd = iconv("UTF-8", "UTF-16LE", "\"".$password."\"");

It works when $password is coming from a UTF-8 page. If your $password is not utf-8, change the 1st parameter of iconv.
dynamik 15-Feb-2013 06:11
Using this function to 'replace' an Active Directory password requires the "Reset Password" security permission as opposed to the "Change Password" permission (which is assigned by default to SELF)
Anonymous 01-Jun-2012 08:32
This cannot be used to change a password on an AD server that requires you to send the old and new password.

In order to do this use on shuts an server make an admin-account that allows to change other ppl pw without supplying the old password first.
plex909 30-Sep-2008 03:23
Here's an easy way to encode AD "unicodepwd" values from linux...

Download and install recode...
http://www.gnu.org/software/recode/recode.html

Then write something like this...
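<?php
function ADUnicodePwdValue($plain_txt_value)
{
    // escapeshellarg() keeps quotes and shell metacharacters in the password
    // from being interpreted by the shell.
    $quoted = escapeshellarg('"' . $plain_txt_value . '"');
    return str_replace("\n", "", shell_exec("printf '%s' " . $quoted . " | recode latin1..utf-16le/base64"));
}

$user["unicodepwd"] = ADUnicodePwdValue("my_password");

?>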

[EDITOR thiago NOTE: The following text was sent by boyvanderlaak at gmail dot com as an important complement]

if you do not have access to your linux box but have Multibyte String enabled you could try the following for AD 2008:

<?php
$info["unicodePwd"] = mb_convert_encoding('"' . $newPassword . '"', 'utf-16le');
?>
chris at mr2madness dot com 18-Sep-2007 07:44
You can use arrays for multiple attributes, for example:

<?php
$entry["mail"] = array("[email protected]","[email protected]");
$results = ldap_mod_add($ldapConnID,$dn, $entry);
?>
or as I did for creating a new user:
<?php
$adduserAD["objectClass"] = array("top","person","organizationalPerson","user");
?>
mike dot rosile at interzonegames dot com 20-Jul-2007 09:01
Here is some great information from the OpenLDAP FAQs regarding changing a userPassword attribute with PHP:

http://www.openldap.org/faq/data/cache/347.html

$userpassword = "{SHA}" . base64_encode( pack( "H*", sha1( $pass ) ) );
aaronfulton at softhome dot net 03-Dec-2006 08:24
Before you modify values in your LDAP directory, first make sure that you have permission to do so.  In OpenLDAP, adding the following ACL in slapd.conf will allow the user to modify their own userPassword.

access to attr=userPassword
        by self write
        by anonymous auth
        by * none
erwann at zeflip dot com 04-Oct-2006 10:41
If you do not wish to set up SSL on your Active Directory, and you are running on Windows, you can use COM and ADSI to set the new password for a user, or to activate a user:

<?PHP
// to set a user password
// server is the ldap server
// newuser_dn is the full dn of the user you want to modify
// newuser_password is the password you wish to set for the user

$ADSI = new COM("LDAP:");
$user = $ADSI->OpenDSObject("LDAP://".$server."/".$newuser_dn, $adminuser, $adminpassword, 1);
$user->SetPassword($newuser_password);
$user->SetInfo();

// to activate a user

$ADSI = new COM("LDAP:");
$user = $ADSI->OpenDSObject("LDAP://".$server."/".$newuser_dn, $adminuser, $adminpassword, 1);
$user->AccountDisabled = false;
$user->SetInfo();

?>
frederic dot jacquot at insa-lyon dot fr 09-Jun-2004 04:26
Changing a user password in Active Directory.
Securely connect (using ldaps) to the Active Directory and bind using an administrator account.

(In this example, $userDn contains the dn of the user I want to modify, and $ad is the Active Directory ldaps connection.)

$newPassword = "MyPassword";
$newPassword = "\"" . $newPassword . "\"";
$len = strlen($newPassword);
$newPassw = "";
// $str{$i} string offsets were removed in PHP 8.0; use $str[$i]
for ($i = 0; $i < $len; $i++)
        $newPassw .= $newPassword[$i] . "\000";
$newPassword = $newPassw;
$userdata["unicodepwd"] = $newPassword;
$result = ldap_mod_replace($ad, $userDn, $userdata);
if ($result) echo "User modified!" ;
else echo "There was a problem!";

I found it hard to get a proper encoding for the unicodepwd attribute so this piece of code might help you ;-)
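
The unicodePwd encodings from the notes above, compared in pure PHP without a shell call; this is an added example, not code from the manual or from any of the note authors. The function names are hypothetical, the sample passwords are constructed, and it assumes the mbstring and ldap extensions and that $ad is already bound over ldaps with an account allowed to reset passwords. The byte-wise NUL interleaving from the 2004 note produces the same bytes as a real UTF-16LE conversion only for ASCII passwords.

```php
<?php
// Added example; function names are hypothetical, sample values are constructed.

/** Encode a UTF-8 password the way the notes describe: double-quoted, UTF-16LE. */
function adUnicodePwd(string $utf8Password): string
{
    if (!mb_check_encoding($utf8Password, 'UTF-8')) {
        throw new InvalidArgumentException('password is not valid UTF-8');
    }
    // Name the source encoding explicitly instead of relying on the mbstring default.
    return mb_convert_encoding('"' . $utf8Password . '"', 'UTF-16LE', 'UTF-8');
}

/** Byte-wise NUL interleaving as in the 2004 note; treats each byte as one character. */
function nulInterleave(string $password): string
{
    $quoted = '"' . $password . '"';
    $out = '';
    for ($i = 0, $n = strlen($quoted); $i < $n; $i++) {
        $out .= $quoted[$i] . "\0";
    }
    return $out;
}

/** Replace unicodePwd on $userDn. $ad: an ldaps connection bound as an admin account. */
function resetAdPassword($ad, string $userDn, string $utf8Password): void
{
    $entry = ['unicodePwd' => [adUnicodePwd($utf8Password)]];
    if (!@ldap_mod_replace($ad, $userDn, $entry)) {
        // ldap_error() reports the server's reason for the refusal.
        throw new RuntimeException('password reset failed: ' . ldap_error($ad));
    }
}

// Offline comparison of the two encoders; no directory server is contacted.
foreach (['Abc123', 'Pässwört'] as $sample) {
    printf(
        "%-10s mb=%s interleave=%s same=%s\n",
        $sample,
        bin2hex(adUnicodePwd($sample)),
        bin2hex(nulInterleave($sample)),
        var_export(adUnicodePwd($sample) === nulInterleave($sample), true)
    );
}
```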
18-Jul-2002 11:32
Sometimes, we cannot replace the ldap_mod_replace function with the ldap_mod_del function and ldap_mod_add function. We don't have permission to delete an attribute but we can replace it.
ondrej at sury dot cz 26-Feb-2002 05:31
In OpenLDAP 2.0.x you can use the method with mod_del/mod_add only if the attribute has a defined EQUALITY rule.
JoshuaStarr at aelana dot com 30-Aug-2001 11:28
To modify an attribute with a single value:
  $entry["mail"] = "[email protected]";
  $results = ldap_mod_add($ldapConnID,$dn, $entry);

To modify an attribute with multiple values:
  $entry["mail"][] = "[email protected]";
  $entry["mail"][] = "[email protected]";
  $results = ldap_mod_add($ldapConnID,$dn, $entry);

To modify multiple attributes:
  $entry["mail"][] = "[email protected]";
  $entry["mail"][] = "[email protected]";
  $entry["c"]      = "US";
  $results = ldap_mod_add($ldapConnID,$dn, $entry);
oyvindmo at initio dot no 30-Nov-2000 04:57
ldap_mod_replace() and ldap_modify() are _exactly_ the same.  So, the comment that ldap_mod_replace() "performs the modification at the attribute level as opposed to the object level", has no root in reality.
yife at myrice-ltd dot com 16-Nov-2000 01:57
If I want to replace the special attribute but I don't replace other attribute, I just use "ldap_mod_del" and "ldap_mod_add", the function seems to that