How to make ldap respect Active Directory password history in php


Problem description

I have access to an Active Directory that enforces a 5 password history restriction. Any password in the last 5 passwords you have is not a viable candidate to be set or reset as your password.

I am using php and am trying to use ldap calls to reset a user's password. I can reset the password just fine using the ldap_modify call. Unfortunately though, ldap_modify does not care at all about the Active Directory's password history rule, and it will reset the password to anything you choose with no warnings or errors.

Is there any way to have ldap respect this restriction?

I have researched this for some time, but have not found any solid solution. Any hints or comments are much appreciated!

Recommended answer

The directory server should return a non-zero result code in the MODIFY response if the MODIFY fails for any reason. In the event of an attribute constraint violation (for example, a password that is in history, or insufficient time has passed since the last password change, or any other attribute constraint violation) the directory server must return the integer result code for a constraint violation (19).

The LDAP protocol has no knowledge of how server implementations deal with password policies. An LDAP client must use the result code as described above to make a determination of whether an LDAP request succeeded. That is, the LDAP client is isolated from server implementations.

Whether a user entry is subject to a password policy - or any other attribute constraint determination - is up to the server, not the protocol. If the MODIFY request succeeds even though the client expects it to fail, the problem lies on the server side or with the constraints of the password policy.
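The answer's point is that the client has to read the MODIFY result code rather than assume success. The following PHP snippet is an added example, not code from the question or the answer: it performs the password change as a single MODIFY that deletes the old unicodePwd value and adds the new one, which is the form Active Directory treats as a user-initiated change (the form its password history policy applies to), as opposed to an administrative reset that replaces the attribute outright. It then reports the result code and the server's diagnostic message, mapping 19 to a constraint violation. The host name, bind DN and user DN are placeholders; the connection must be LDAPS (or StartTLS), since Active Directory refuses unicodePwd modifications over a cleartext connection.

```php
<?php
// Added example (not from the original post). Placeholders: the host name,
// the bind DN and the user DN below are constructed, not taken from the page.

declare(strict_types=1);

// RFC 4511 resultCode value for constraintViolation, as named in the answer.
const LDAP_RESULT_CONSTRAINT_VIOLATION = 19;

/**
 * Active Directory expects the unicodePwd value as the password wrapped in
 * double quotes and encoded as UTF-16LE.
 */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * User-initiated password change: remove the old unicodePwd value and add the
 * new one in a single MODIFY. Returns the outcome together with the server's
 * result code and diagnostic text so the caller can tell a policy rejection
 * from any other failure.
 */
function changeUserPassword($ldap, string $userDn, string $oldPassword, string $newPassword): array
{
    $mods = [
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_REMOVE,
            'values'  => [encodeUnicodePwd($oldPassword)],
        ],
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_ADD,
            'values'  => [encodeUnicodePwd($newPassword)],
        ],
    ];

    // Suppress the PHP warning; the result code is read explicitly below.
    $ok   = @ldap_modify_batch($ldap, $userDn, $mods);
    $code = ldap_errno($ldap);

    // Active Directory places its own reason text (policy rejection details)
    // in the diagnostic message of the MODIFY response.
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);

    return [
        'ok'      => $ok === true,
        'code'    => $code,
        'message' => ldap_err2str($code) . ($diag !== '' ? ' (' . $diag . ')' : ''),
    ];
}

// --- usage (placeholder values) ---
$userDn   = 'CN=jdoe,OU=Users,DC=example,DC=test'; // placeholder
$oldPass  = 'current-password';                     // placeholder
$newPass  = 'new-password';                         // placeholder

$ldap = ldap_connect('ldaps://dc.example.test');   // placeholder host, LDAPS required
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Bind as the user whose password is being changed.
if (!@ldap_bind($ldap, $userDn, $oldPass)) {
    fwrite(STDERR, 'Bind failed: ' . ldap_error($ldap) . PHP_EOL);
    exit(1);
}

$result = changeUserPassword($ldap, $userDn, $oldPass, $newPass);

if ($result['ok']) {
    echo 'Password changed.' . PHP_EOL;
} elseif ($result['code'] === LDAP_RESULT_CONSTRAINT_VIOLATION) {
    // History, minimum age or complexity rejection arrives here as code 19.
    echo 'Rejected by password policy: ' . $result['message'] . PHP_EOL;
} else {
    echo 'LDAP error ' . $result['code'] . ': ' . $result['message'] . PHP_EOL;
}

ldap_unbind($ldap);
```

The remove-then-add shape matters: Active Directory applies its history check to a change submitted this way, while a privileged reset that replaces unicodePwd (the pattern the question describes) is accepted regardless of history. In both cases the client should still branch on the result code, since that is the only signal the protocol gives.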
