Mass reset of AD accounts' passwords (one sAMAccountName per invocation, driven from a shell loop)
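<?php
// Mass reset of Active Directory account passwords: one sAMAccountName per
// invocation (drive it from a shell loop for a batch), built on the LTB Self
// Service Password library functions (LTB-project.org).
//
// Security notes for whoever deploys this:
//  - Every account this script touches ends up with the SAME shared password
//    ($defaultpwd). Unless users are forced to change it at next logon
//    ($ad_options['force_pwd_change'] = true), anyone who learns that value
//    can log in as every reset account.
//  - The bind account needs "Reset password" rights on the target accounts.
//    Treat this file as a secret (restrict its permissions): it may hold the
//    bind password. Both secrets can instead be supplied via the environment.
//  - "ldaps://" encrypts the session, but whether the server certificate is
//    validated is decided by the libldap configuration (TLS_CACERT /
//    TLS_REQCERT in ldap.conf), not by this script. Confirm that before the
//    bind password is sent to the server below.

$ldap_url = "ldaps://<your active directory address>";
$ldap_binddn = "cn=manager,dc=example,dc=com";
# Bind password: the LDAP_BINDPW environment variable wins; the literal is only a fallback.
$ldap_bindpw = getenv('LDAP_BINDPW') ?: 'MyPassword';
$ldap_base = "dc=example,dc=com";
# {login} is substituted with the (filter-escaped) command-line argument.
# Matches only user objects whose description starts with "Student" and that
# are not disabled (bit-AND matching rule on userAccountControl; 2 = ACCOUNTDISABLE).
$ldap_filter = "(&(objectClass=user)(description=Student*)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
# Password every matched account is reset to: RESET_DEFAULT_PASSWORD env var, else the literal.
$defaultpwd = getenv('RESET_DEFAULT_PASSWORD') ?: 'MyDefaultPassword';
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
$ad_options = array();
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;
# Force user change password at next login
# (strongly recommended here, since all reset accounts share one known password)
$ad_options['force_pwd_change'] = false;
# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
# Warning: this requires mhash() to be installed on your system
$samba_mode = false;
$shadow_options = array();
# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
# Hash mechanism for password:
# SSHA
# SHA
# SMD5
# MD5
# CRYPT
# clear (the default)
# This option is not used with ad_mode = true
$hash = "clear";
# Who performs the modify: "manager" means the bind DN above does it (not the user)
$who_change_password = "manager";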
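require_once("lib/functions.inc.php");

// Escape a value for use inside an LDAP search filter (RFC 4515), so that a
// login such as "*" or "x)(objectClass=*" cannot widen the search to other
// accounts. Uses ldap_escape() where available (PHP >= 5.6), otherwise a
// manual map of the filter metacharacters.
function massreset_escape_filter_value($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return strtr($value, array(
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    ));
}

// Log and print an error message, then terminate with a non-zero exit status.
function massreset_fail($message) {
    error_log($message);
    echo $message . "\n";
    exit(1);
}

// Usage: php <script> <sAMAccountName>
// Exit status: 0 only when the password was actually changed, 1 otherwise
// (including "no argument given", so a calling shell loop cannot mistake a
// missing login for success).
if (!isset($argv[1]) || $argv[1] === '') {
    massreset_fail("Usage: " . basename($argv[0]) . " <sAMAccountName>");
}
# Strip slashes added by PHP (LTB helper; magic_quotes never applied to argv, kept for parity)
$login = stripslashes_if_gpc_magic_quotes($argv[1]);

#==============================================================================
# Connect and bind
#==============================================================================
$ldap = ldap_connect($ldap_url);
if ($ldap === false) {
    massreset_fail("LDAP - Invalid URL $ldap_url");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (isset($ldap_binddn) && isset($ldap_bindpw)) {
    ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
} else {
    // Anonymous bind: AD will not allow a password reset over it, but keep the
    // original fallback so the error surfaces from the directory, not from here.
    ldap_bind($ldap);
}
$errno = ldap_errno($ldap);
if ($errno) {
    massreset_fail("LDAP - Bind error $errno (" . ldap_error($ldap) . ")");
}

#==============================================================================
# Locate the user: exactly one enabled account must match
#==============================================================================
// Do not mutate the configured template; build a per-run filter from it.
$filter = str_replace("{login}", massreset_escape_filter_value($login), $ldap_filter);
$search = ldap_search($ldap, $ldap_base, $filter);
$errno = ldap_errno($ldap);
if ($errno) {
    massreset_fail("LDAP - Search error $errno (" . ldap_error($ldap) . ")");
}
$count = ldap_count_entries($ldap, $search);
if (!$count) {
    massreset_fail("LDAP - User $login not found");
}
if ($count !== 1) {
    // Refuse rather than reset "whichever entry came first".
    massreset_fail("LDAP - User $login matched $count entries, refusing to reset");
}
$entry = ldap_first_entry($ldap, $search);
$userdn = ($entry !== false) ? ldap_get_dn($ldap, $entry) : false;
if (!$userdn) {
    massreset_fail("LDAP - User $login not found");
}
# Rebind as Manager if needed (a no-op here: the connection is already bound as the manager)
if ($who_change_password === "manager") {
    ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
}

#==============================================================================
# Change password
#==============================================================================
$result = change_password($ldap, $userdn, $defaultpwd, $ad_mode, $ad_options, $samba_mode, $shadow_options, $hash, $who_change_password);
ldap_unbind($ldap);
// NOTE(review): LTB SSP's change_password() is expected to return the string
// "passwordchanged" on success and an error keyword otherwise — confirm against
// lib/functions.inc.php before relying on the exit status.
if ($result !== "passwordchanged") {
    massreset_fail("LDAP - Password change for $login failed ($result)");
}
echo "Password reset for $login ($userdn)\n";
exit(0);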