TijnvW - 10 months ago
PHP Question

Change password or add user in LDAP with PHP

Since a recent update in my LDAP server (using Directory Server v2.1-2428 on a Synology NAS running DSM 6, latest subversion) I cannot change a password (or add a new user containing a password) using PHP.

Before the update, I used PHP ldap_add or ldap_mod with the userPassword attribute. However, now I get the error message

Warning: ldap_add(): Add: Constraint violation
when trying to create a new userPassword.

When creating a new user via the admin GUI on the NAS, I can look up the userPassword entry, which appears in the database as follows (slightly modified for privacy):

This means the database accepts SSHA-512 password entries, right?

Things I've tried to add a new password:

  1. Adding exactly the same password hash as displayed above as userPassword
    --> Constraint violation error

  2. Trying to look up the password algorithm in the NAS' source code. This revealed the following line:
    rootpw {CRYPT}$1$CL$0fRYicA9KsmHaiV1SRj5q/
    Simply using this as new password doesn't work either.

  3. Looking up a different PHP function, like an equivalent to the Linux command ldappasswd, but this doesn't seem to exist for PHP.

Of course I'd prefer to use a proper hashing/encryption mechanism like SSHA-512, but I'm not sure what is and what isn't supported by Directory Server.

I really hope someone can bring me a step further! If I should further clarify things, please let me know.

Answer Source

In the end, the solution was to ask Synology over and over to help find a solution. They changed the password policy back to the version before the update to v2.1-2428, and now it works again.

If there is another solution available which is compatible with recent versions of OpenLDAP, sharing would be greatly appreciated.
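
How a salted SHA-512 userPassword value of the kind the question asks about is assembled and checked, as an added example that is not part of the original question or answer. It assumes the common `{SSHA512}` layout, base64(SHA-512(password + salt) + salt); the function names are hypothetical and the sample password is constructed.

```php
<?php
declare(strict_types=1);

const SSHA512_DIGEST_LEN = 64; // SHA-512 output size in bytes

// Build a userPassword value: "{SSHA512}" . base64(sha512(password . salt) . salt).
function ssha512_hash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_bytes(16); // fresh random salt per password
    $digest = hash('sha512', $password . $salt, true);
    return '{SSHA512}' . base64_encode($digest . $salt);
}

// Check a candidate password against a stored {SSHA512} value.
function ssha512_verify(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{SSHA512}', 9) !== 0) {
        return false; // different scheme, e.g. {CRYPT} or {SSHA}
    }
    $raw = base64_decode(substr($stored, 9), true);
    if ($raw === false || strlen($raw) <= SSHA512_DIGEST_LEN) {
        return false; // malformed base64, or no salt after the digest
    }
    $digest = substr($raw, 0, SSHA512_DIGEST_LEN);
    $salt = substr($raw, SSHA512_DIGEST_LEN);
    $expected = hash('sha512', $password . $salt, true);
    return hash_equals($expected, $digest); // constant-time comparison
}

// Constructed sample input, not a value from the page.
$value = ssha512_hash('correct horse battery staple');
echo $value, PHP_EOL;
var_dump(ssha512_verify('correct horse battery staple', $value));
var_dump(ssha512_verify('wrong password', $value));
var_dump(ssha512_verify('anything', '{CRYPT}placeholder'));

// Writing the value to an entry would use, for example:
//   ldap_mod_replace($ldap, $dn, ['userPassword' => $value]);
```

Whether a server accepts a pre-hashed value like this depends on its password policy. On PHP 7.2 and later, `ldap_exop_passwd()` sends the LDAP Password Modify extended operation (what `ldappasswd` uses), so the server hashes the new password itself under its own policy.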