I have access to an Active Directory that enforces a 5 password history restriction. Any password in the last 5 passwords you have, is not a viable candidate to be set or reset as your password.
I am using php and am trying to use ldap calls to reset a user’s password. I can reset the password just fine using the ldap_modify call. Unfortunately though, ldap_modify does not care at all about the Active Directory’s password history rule, and it will reset the password to anything you choose with no warnings or errors.
Is there any way have ldap respect this restriction?
I have researched this for some time, but have not found any solid solution. Any hints or comments are much appreciated!
The directory server should return a non-zero result code in the MODIFY response if the MODIFY fails for any reason. In the event of an attribute constraint violation (for example, a password that is in history, or insufficient time has passed since the last password change, or any other attribute constraint violation) the directory server must return the integer result code for a constraint violation (19).
The LDAP protocol has no knowledge of how server implementations deal with password policies. An LDAP client must use the result code as described above to make a determination of whether an LDAP request succeeded. That is, the LDAP client is isolated from server implementations.
Whether a user entry is subject to a password policy – or any other attribute constraint determination – is up to server, not the protocol. If the MODIFY request succeeds even though the client expects it to fail, the problem lies on the server side or with the constraints of the password policy.