terminal_cli

Manage AD users via a PHP script, and notify them on account expiration via e-mail

To manage AD users with PHP and the LDAP extension, you can follow these steps:

  1. Connect to the LDAP server using the ldap_connect() function and bind to the server with ldap_bind().
  2. Use the ldap_search() function to search for users in the LDAP directory.
  3. Iterate through the search results using ldap_first_entry() and ldap_next_entry() to retrieve each user’s information.
  4. Use ldap_get_attributes() to retrieve the user’s attributes, such as their name and account expiration date.
  5. If the user’s account is set to expire soon, send them an email notification using the PHP mail() function.
  6. Use ldap_modify() to update the user’s attributes, such as their account expiration date or password.
  7. Repeat steps 2-6 for each user you want to manage.

Example code:

<?php

// Connect to the LDAP server over LDAPS and bind with a service account
$ldapconn = ldap_connect("ldaps://ldap.example.com");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals
if (!ldap_bind($ldapconn, "cn=admin,dc=example,dc=com", "password")) {
  die("Bind failed: " . ldap_error($ldapconn));
}

// Search for all user accounts ((objectClass=user) alone also matches computer objects)
$search = ldap_search($ldapconn, "dc=example,dc=com",
  "(&(objectCategory=person)(objectClass=user))",
  array("cn", "mail", "accountExpires"));

// Iterate through search results
$entry = ldap_first_entry($ldapconn, $search);
while ($entry) {
  // Retrieve user attributes and the entry's DN (the DN is not part of the attribute array)
  $attrs = ldap_get_attributes($ldapconn, $entry);
  $dn = ldap_get_dn($ldapconn, $entry);
  $name = $attrs["cn"][0];

  // AD stores the expiration in accountExpires as a Windows FILETIME:
  // 100-nanosecond intervals since 1601-01-01. 0 and 9223372036854775807 mean "never expires".
  $accountExpires = $attrs["accountExpires"][0] ?? "0";
  if ($accountExpires !== "0" && $accountExpires !== "9223372036854775807") {
    $expirationDate = intdiv((int)$accountExpires, 10000000) - 11644473600;

    // Check if account is set to expire within 24 hours
    if ($expirationDate - time() < 86400 && isset($attrs["mail"][0])) {
      // Send email notification to user
      mail($attrs["mail"][0], "Account Expiration Warning",
        "Dear $name, your account will expire in 24 hours. Please renew it to continue using it.");
    }
  }

  // Update user attributes: extend the expiration by 30 days, written back as a FILETIME
  $newExpires = (time() + 2592000 + 11644473600) * 10000000;
  ldap_modify($ldapconn, $dn, array("accountExpires" => array((string)$newExpires)));

  // Move to next search result
  $entry = ldap_next_entry($ldapconn, $entry);
}

// Close LDAP connection
ldap_close($ldapconn);

?>

To notify users when their accounts are already locked, you can add an additional check to the code above for the “lockoutTime” attribute. If this attribute is set, the user’s account is locked. You can then send them an email notification with instructions on how to unlock their account.
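The account-state attributes used above carry some AD-specific encoding that is easy to get wrong: accountExpires is a Windows FILETIME rather than a Unix timestamp, and lockoutTime is reset to 0 (not removed) when an account is unlocked, so testing only for the attribute's presence flags every user who was ever locked. The following is an added example, not code from the original post, that decodes these values offline against constructed attribute arrays shaped like the output of ldap_get_attributes(); the sample user names and the fixed "current time" are made up for the demo.

```php
<?php
// Added example: interpret AD account-state attributes without a live directory.
// The attribute arrays below are constructed to mirror ldap_get_attributes() output.

const AD_NEVER_EXPIRES = "9223372036854775807";
const AD_EPOCH_OFFSET = 11644473600;      // seconds between 1601-01-01 and 1970-01-01
const ADS_UF_ACCOUNTDISABLE = 0x2;        // userAccountControl flag for a disabled account

// Convert a FILETIME string (100-ns intervals since 1601) to a Unix timestamp,
// or null when the value means "never expires".
function filetimeToUnix(string $filetime): ?int {
    if ($filetime === "0" || $filetime === AD_NEVER_EXPIRES) {
        return null;
    }
    return intdiv((int)$filetime, 10000000) - AD_EPOCH_OFFSET;
}

// Convert a Unix timestamp back to the FILETIME string AD expects on write.
function unixToFiletime(int $unix): string {
    return (string)(($unix + AD_EPOCH_OFFSET) * 10000000);
}

// lockoutTime is 0 (or absent) when not locked; a non-zero value is the FILETIME
// at which the lockout started.
function isLockedOut(array $attrs): bool {
    return isset($attrs["lockoutTime"][0]) && (int)$attrs["lockoutTime"][0] > 0;
}

// A disabled account is a different state from a locked one and is reported separately.
function isDisabled(array $attrs): bool {
    return isset($attrs["userAccountControl"][0])
        && ((int)$attrs["userAccountControl"][0] & ADS_UF_ACCOUNTDISABLE) !== 0;
}

// True when the account expires within $window seconds after $now.
function expiresWithin(array $attrs, int $window, int $now): bool {
    $expires = filetimeToUnix($attrs["accountExpires"][0] ?? "0");
    return $expires !== null && $expires > $now && ($expires - $now) < $window;
}

// Constructed sample entries (not real directory data)
$now = 1700000000;                                    // fixed "current time" for the demo
$samples = array(
    "alice" => array("accountExpires"     => array(unixToFiletime($now + 3600)),
                     "lockoutTime"        => array("0"),
                     "userAccountControl" => array("512")),
    "bob"   => array("accountExpires"     => array(AD_NEVER_EXPIRES),
                     "lockoutTime"        => array(unixToFiletime($now - 300)),
                     "userAccountControl" => array("512")),
    "carol" => array("accountExpires"     => array("0"),
                     "userAccountControl" => array("514")),   // 512 | ACCOUNTDISABLE
);

foreach ($samples as $name => $attrs) {
    printf("%-6s expires<24h=%s locked=%s disabled=%s\n",
        $name,
        expiresWithin($attrs, 86400, $now) ? "yes" : "no",
        isLockedOut($attrs) ? "yes" : "no",
        isDisabled($attrs) ? "yes" : "no");
}
```

Run it with the PHP CLI; no LDAP extension is needed for this part. One caveat when acting on isLockedOut(): AD leaves lockoutTime non-zero after the domain's lockoutDuration has elapsed, and only clears it on the next successful logon, so a notification job should compare the lockout start against that duration before telling a user their account is still locked.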

To allow users to change their passwords via a PHP script, you can use the ldap_modify_batch() function to modify the “unicodePwd” attribute. This attribute is used to store the user’s password in an encrypted format. To change the password, you need to encode the new password in a special format and set it as the value of the “unicodePwd” attribute.
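The "special format" AD expects for unicodePwd is the new password wrapped in double quotes and encoded as UTF-16LE; AD also only accepts the write over an encrypted connection (LDAPS or StartTLS). There are two modification shapes: a user changing their own password removes the old value and adds the new one in a single batch, while an administrator holding the "Reset Password" right replaces the value outright. The block below is an added example, not code from the original post, that builds both shapes; it assumes the ldap and mbstring extensions are loaded (the LDAP_MODIFY_BATCH_* constants come from ext/ldap) and makes no directory connection.

```php
<?php
// Added example: build the unicodePwd value and the ldap_modify_batch() modification
// arrays for a self-service change and for an administrative reset.

// AD requires the password wrapped in double quotes and encoded as UTF-16LE.
function encodeUnicodePwd(string $password): string {
    return mb_convert_encoding('"' . $password . '"', "UTF-16LE", "UTF-8");
}

// Self-service change: the caller is bound as the user and proves knowledge of the old
// password by removing it and adding the new one in the same operation.
function selfServiceChangeMods(string $oldPassword, string $newPassword): array {
    return array(
        array("attrib"  => "unicodePwd",
              "modtype" => LDAP_MODIFY_BATCH_REMOVE,
              "values"  => array(encodeUnicodePwd($oldPassword))),
        array("attrib"  => "unicodePwd",
              "modtype" => LDAP_MODIFY_BATCH_ADD,
              "values"  => array(encodeUnicodePwd($newPassword))),
    );
}

// Administrative reset: the caller holds the "Reset Password" right; the old password
// is not needed and the value is replaced outright.
function adminResetMods(string $newPassword): array {
    return array(
        array("attrib"  => "unicodePwd",
              "modtype" => LDAP_MODIFY_BATCH_REPLACE,
              "values"  => array(encodeUnicodePwd($newPassword))),
    );
}

// Inspect the bytes that would go on the wire for a constructed sample password:
// each character occupies two bytes, low byte first, and the quotes are included.
echo bin2hex(encodeUnicodePwd("Ab1")), "\n";

// The two shapes, as they would be passed to ldap_modify_batch($conn, $userDn, $mods);
// no connection is opened here.
print_r(selfServiceChangeMods("OldPassw0rd", "NewPassw0rd"));
print_r(adminResetMods("NewPassw0rd"));
```

The earlier script's utf8_encode() call does not produce this format: it converts ISO-8859-1 to UTF-8, so AD rejects the value. A self-service script that rebinds as the user must use the remove/add pair; sending a REPLACE under the user's own credentials fails unless that user happens to hold reset rights.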

If you want the user to change their password directly via a PHP form, you can create an HTML form and use PHP to process the form submission.

Here is an example of how to do this:

<html>
<head>
  <title>Change Password</title>
</head>
<body>
  <h1>Change Password</h1>
  <form action="changepassword.php" method="post">
    <label for="username">Username:</label><br>
    <input type="text" id="username" name="username"><br>
    <label for="oldpassword">Old Password:</label><br>
    <input type="password" id="oldpassword" name="oldpassword"><br>
    <label for="newpassword">New Password:</label><br>
    <input type="password" id="newpassword" name="newpassword"><br>
    <label for="confirmpassword">Confirm Password:</label><br>
    <input type="password" id="confirmpassword" name="confirmpassword"><br><br>
    <input type="submit" value="Change Password">
  </form> 
</body>
</html>

This HTML form contains four fields: “Username”, “Old Password”, “New Password”, and “Confirm Password”. When the user submits the form, it will be sent to the “changepassword.php” script for processing.

Here is the PHP script that processes the form submission:

<?php

// Connect to the LDAP server over LDAPS and bind with a service account.
// AD refuses unicodePwd changes on an unencrypted connection.
$ldapconn = ldap_connect("ldaps://ldap.example.com");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldapconn, "cn=admin,dc=example,dc=com", "password")) {
  echo "Error: directory unavailable.";
  exit;
}

// Retrieve form data
$username = $_POST["username"] ?? "";
$oldPassword = $_POST["oldpassword"] ?? "";
$newPassword = $_POST["newpassword"] ?? "";
$confirmPassword = $_POST["confirmpassword"] ?? "";

// An empty password must never reach ldap_bind(): AD treats a DN with an empty
// password as an unauthenticated bind and reports success.
if ($oldPassword === "" || $newPassword === "") {
  echo "Error: Password fields must not be empty.";
  exit;
}

// Check if passwords match
if ($newPassword !== $confirmPassword) {
  echo "Error: New passwords do not match.";
  exit;
}

// Search for the user; escape the input so it cannot alter the LDAP filter
$filter = "(cn=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
$search = ldap_search($ldapconn, "dc=example,dc=com", $filter, array("lockoutTime"));

// Retrieve user attributes and the entry's DN
$entry = ldap_first_entry($ldapconn, $search);
if (!$entry) {
  echo "Error: Incorrect username or password.";
  exit;
}
$attrs = ldap_get_attributes($ldapconn, $entry);
$dn = ldap_get_dn($ldapconn, $entry);

// Check if account is locked (AD sets lockoutTime back to 0 when the account is unlocked)
if (isset($attrs["lockoutTime"][0]) && (int)$attrs["lockoutTime"][0] > 0) {
  echo "Error: Your account is locked. Please contact an administrator to unlock it.";
  exit;
}

// Check if old password is correct by binding as the user
$ldapbind = @ldap_bind($ldapconn, $dn, $oldPassword);
if (!$ldapbind) {
  echo "Error: Incorrect old password.";
  exit;
}

// Change password. unicodePwd takes the password in double quotes, encoded as UTF-16LE.
// Bound as the user, the change must remove the old value and add the new one in a single
// operation; a plain REPLACE requires the "Reset Password" right held by administrators.
$oldPasswordEncoded = mb_convert_encoding('"' . $oldPassword . '"', "UTF-16LE", "UTF-8");
$newPasswordEncoded = mb_convert_encoding('"' . $newPassword . '"', "UTF-16LE", "UTF-8");
$mod = array(
  array("attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_REMOVE, "values" => array($oldPasswordEncoded)),
  array("attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_ADD, "values" => array($newPasswordEncoded)),
);
if (!ldap_modify_batch($ldapconn, $dn, $mod)) {
  // Typical causes: new password violates the domain password policy, or minimum password age
  error_log("unicodePwd change rejected for $dn: " . ldap_error($ldapconn));
  echo "Error: The new password was not accepted.";
  ldap_close($ldapconn);
  exit;
}

// Close LDAP connection
ldap_close($ldapconn);

echo "Password changed successfully.";

?>