Re: Web based LDAP password modification

["Kervin L. Pierre" <kervin@blueprint-tech.com>]

It's probably a good idea to avoid C-type "system()" calls whenever 
possible from the web.  They're slower than the rest of your code and 
they open a shell as the web user.

Using system() for changing a password also has the added problem of 
that a well constructed password can be used to comprise your webserver 
if you're not very careful.

Whatever language you choose, I'd suggest that you use that languages 
built in LDAP API and not system/passthrough etc.

In PHP, here are the two lines in the script used to change user 
passwords...

$entry['userpassword'] ="{md5}".base64_encode(pack("H*",md5($newpass)));
$r = ldap_mod_replace($ds, $dn, $entry);

I use the MD5 hash.  $newpass is the user's new cleartext password.  $ds 
is the connection after a ldap_connect() and ldap_bind(). $dn is the 
user DN being modified.

--Kervin


Christian W Pohl wrote:
> Hi Paul,
>
>
> I think perl is the right way.
> If you don't like to link all modules needed for Net::LDAP, why dont you 
> just use the normal ldapsearch/modify commands via
> the system command (and some temporary files)?
>
> But I think it is better to get Net::LDAP run properly. The module says 
> what other modules are needed if you try to install it. In my case there 
> were 7 modules I think, but it was no big problem (unfortunately I have 
> the module list at home :(
>
> Kind regards,
>
> Chris


--
-------------------------------------------------
Kervin Pierre
kervin@blueprint-tech.com
kervin@kervin.net