
Request #16796 Support deletion of non-queried attributions
Submitted: 2009-11-18 10:11 UTC
From: candrews
Assigned:
Status: Open
Package: Net_LDAP2 (version 2.0.7)
PHP Version: 5.2.5
OS:
Roadmaps: 2.1.0


 [2009-11-18 10:11 UTC] candrews (Craig Andrews)
Description:
On some LDAP servers, some attributes can be added or deleted, but not queried. On MS Active Directory, the "unicodePwd" attribute is one such example. Right now, Net_LDAP2 cannot change MS AD user passwords because of this. To change an AD user's password, first you delete the "unicodePwd" attribute with the current password as the value, then you add a new "unicodePwd" attribute with the new password as its value. These must be done in the same transaction. It appears two changes need to be made: Net_LDAP2_Entry->delete needs to not check for attribute existence before appending the delete operation to the _changes array, and Net_LDAP2_Entry->update should perform delete operations before add operations (which, to me at least, makes sense anyways).

Comments

 [2009-11-18 12:45 UTC] beni (Benedikt Hallinger)
Assigned To: (none) -> beni
Roadmap Versions: (none) -> 2.1.0
Hello and thank you for your submission! The operation must be performed by a call to "replace", which does replace an attribute with a new value. If the whole attribute is to be replaced (always the case with single value attributes such as passwords), you should not need to give the old password. Please try to reset the password using the replace() operation followed by an update() and tell me if that worked....
 [2009-11-18 23:59 UTC] candrews (Craig Andrews)
Unfortunately, with AD, you must delete the "unicodePwd" attribute with a value, then add "unicodePwd" with another value. Replace only deletes the attribute (with no value) then adds it (with a value), which won't work. replace will work if you're doing an administrative password reset, but it would be really great to do password changes (as they do not require an administrator login).
 [2009-11-19 15:48 UTC] beni (Benedikt Hallinger)
Have you tried this or did you just guess? As far as I remember, replace() does a one-step replacement of the attribute.
 [2009-11-19 22:19 UTC] candrews (Craig Andrews)
Yes, I tried it. The name/value delete then name/value add is the only way for a non-Administrative user to change their password over LDAP with Active Directory (which makes sense... AD needs the user's old password to confirm its validity). Here's the documentation: http://msdn.microsoft.com/en-us/library/cc223248%28PROT.10%29.aspx The replace process works fine - if you bind as an administrator (which seems bad due to the security implications).
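The delete-old-value/add-new-value sequence described in this thread, written out as an added example against PHP's ext/ldap rather than Net_LDAP2 (this is not code from the bug report or from the Net_LDAP2 project). It uses ldap_modify_batch() so that both modifications travel in one LDAP modify request, which is the "same transaction" requirement the reporter describes, and it binds as the user with the current password, so no administrative credentials are involved. Assumptions not stated on the page: PHP 5.4 or newer (ldap_modify_batch() is not available on the 5.2.5 listed in the header), an LDAPS connection (Active Directory refuses unicodePwd modifications over an unencrypted connection), the value encoding rule from the MS-ADTS document linked above (the password wrapped in double quotes, encoded as UTF-16LE), and the hypothetical host, DN and password values in the usage comment.

```php
<?php
// Added example, not part of the bug report or of Net_LDAP2.
// Assumes PHP >= 5.4 (ldap_modify_batch), the mbstring extension, and an
// LDAPS connection to the domain controller.

// unicodePwd value encoding: per MS-ADTS (cc223248, linked in the thread) the
// password is surrounded by double quotes and encoded as UTF-16LE.
function encodeUnicodePwd($password)
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Change the password of the user identified by $userDn, authenticating as
 * that user with the current password. Returns true on success and throws
 * on any failure so callers cannot silently continue with a stale password.
 */
function changeOwnAdPassword($uri, $userDn, $oldPassword, $newPassword)
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("cannot initialise LDAP for $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user with the current password: a wrong old password fails
    // here already, and no administrative account is needed anywhere.
    if (!@ldap_bind($ldap, $userDn, $oldPassword)) {
        $err = ldap_error($ldap);
        ldap_unbind($ldap);
        throw new RuntimeException('bind failed: ' . $err);
    }

    // Both modifications are sent in a single modify request. As the reporter
    // notes, AD only accepts the change when the delete of the old value and
    // the add of the new value arrive together.
    $mods = array(
        array(
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_REMOVE,
            'values'  => array(encodeUnicodePwd($oldPassword)),
        ),
        array(
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_ADD,
            'values'  => array(encodeUnicodePwd($newPassword)),
        ),
    );

    $ok  = @ldap_modify_batch($ldap, $userDn, $mods);
    $err = $ok ? null : ldap_error($ldap);
    ldap_unbind($ldap);

    if (!$ok) {
        // Typical rejections at this point are password-policy violations
        // (history, complexity, minimum age) or an unencrypted connection;
        // the server's own message is passed through for the caller to log.
        throw new RuntimeException('password change rejected: ' . $err);
    }
    return true;
}

// Usage with constructed, hypothetical values (no real directory is implied):
// changeOwnAdPassword(
//     'ldaps://dc01.example.test',
//     'CN=Jane Doe,OU=Users,DC=example,DC=test',
//     'OldP@ssw0rd',
//     'NewP@ssw0rd'
// );
```

The administrative reset that beni's replace() suggestion performs would instead use a single LDAP_MODIFY_BATCH_REPLACE modification carrying only the new value, which is exactly why it requires a privileged bind: the server never sees, and never verifies, the old password.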
 [2009-11-20 12:32 UTC] beni (Benedikt Hallinger)
Okay, thank you for your feedback. The main problem now is that I don't have an AD to test, so I will need your help on this. I will dig into the code the next days and try to figure out how to best deal with this; your suggestions from your first post will be of much use I think. Please feel free to bother me next week if I do not respond again, as I have some projects in hot phases and may forget about my research work here.
 [2009-11-25 20:34 UTC] beni (Benedikt Hallinger)
Hello, unfortunately I could not manage to get an AD here, so I can't develop that fix in the near future. It would be cool if you would have a try on it and develop a patch for this.
 [2010-03-23 12:50 UTC] beni (Benedikt Hallinger)
The problem here seems to be that Net_LDAP2 does not see the old password value and so thinks the attribute is empty. Please try to force the replacement when calling replace():

$force = true;
$entry->replace(..., $force);

You could also try the following:
- set up a "fresh" entry with the corresponding password values
- mark the entry as existing
- perform the password replacement

<?php
$dn    = $oldentry->dn();
$oldpw = 'foo1234';
$newpw = '1234foo';
// Build an entry object that already carries the old value and is marked
// as existing on the server, so the replacement is not treated as an add
$entry = Net_LDAP2_Entry::createExisting($dn, array('unicodePwd' => $oldpw));
$entry->setLDAP($ldap);
// replace() takes the attribute changes as an array
$entry->replace(array('unicodePwd' => $newpw));
$entry->update();

Does this work too?
 [2011-07-18 18:58 UTC] beni (Benedikt Hallinger)
Status: Assigned -> Open