LDAP User: Can't provision from Drupal to Active Directory because password not sent as unicode

This is a duplicate of another current issue.

These are the 3. If these are not appropriate, pleas continue with this.
#1718200: LDAP User: Create options for setting password in provisioning of ldap entries
#1884962: LDAP Users: Password encryption token options available for Provisioning to LDAP of drupal password.
#1838896: LDAP User: When provisioning from Drupal to LDAP a random password is always used regardless of selecting User or Random.

I'm gonna reopen this issue. I encountered the same problem.
It's a very specific Active Directory 'change password' problem.
When mapping the password to the unicodePwd attribute. To make it possible to change your AD-password from Drupal, there are specific requirements. See http://stackoverflow.com/questions/10763070/ldap-mod-replace-function-ld...

Main reasons are

1. you need to use an SSL connection (ldaps://)
2. the password needs to be enclosed in quotes
3. the (quoted) password needs to be encoded in 16-bit unicode (UTF-16LE)

This code above solves the last two issues.

i managed to get this working, by hacking this code in LdapServer.class.php more specific just before the ldap_modify call on line 564.
(This probably only works for account update, not account creation).
LdapServer.class.php line 564

if (count($attributes) > 0) {
      if(isset($attributes['unicodePwd'])){
        $newpassword = $attributes['unicodePwd'];
        $newpassword = "\"" . $newpassword . "\"";
        $len = strlen($newpassword);
        $newpass = '';
        for ($i = 0; $i < $len; $i++) {
          $newpass .= "{$newpassword{$i}}\000";
        }
        $attributes['unicodePwd'] = $newpass;
      }
      $result = @ldap_modify($this->connection, $dn, $attributes);
      if (!$result) {
        $error = "LDAP Server ldap_modify(%dn) in LdapServer::modifyLdapEntry() Error Server ID = %sid, LDAP Err No: %ldap_errno LDAP Err Message: %ldap_err2str ";
        $tokens = array('%dn' => $dn, '%sid' => $this->sid, '%ldap_errno' => ldap_errno($this->connection), '%ldap_err2str' => ldap_err2str(ldap_errno($this->connection)));
        watchdog('ldap_server', $error, $tokens, WATCHDOG_ERROR);
        return FALSE;
      }
    }

I assume this better belongs some way in the LdapTypeActiveDirectory.class.php class, but i have no idea, how to isolate this code there.

This solved my problem. Here are those changes made into a patch.

The patch looks good. But there should be an option in the UI to specify this type of behavior or in the token system.

I have been working with the ldap module for the past week, and have made a patch to contribute back to the project. There are two problems which caused me lots of debugging, and I have both bugfixes in this patch. One being unicodePwd, the other being a bug I haven't seen reported ("Pwd: User Only" not being set with my site's registration form).

I can appreciate why johnbarclay suggests to have an option in the UI. However the code I wrote is very particular - it will only change the unicodePwd field, and only if the LDAP server type is set to Active Directory (which is a UI option). I can think of no use case in which this change would have an adverse impact.

The other change I made is adding a hook so that the function ldap_user_grab_password_validate($form, &$form_state) will be called if the FORM_ID is user-pass-reset (in addition to the previously defined hooks which call the function).

Also, I have noticed that there is a similar function that appears to be intended for Active Directory, but it is implemented in a different way and doesn't work for me. I am thinking it is defunct in general (and works for nobody). It is called "ldap_password_modify". I have left it alone, but I am thinking it probably should be deleted.

#8 works. Thanks!

#8 works good for AD 2012
Thanks

Thanks for the feedback guys. Although the patch is 2 years old, it still applies fine to my local clone of branch 7.x-2.x . Should the issue's status be changed to RTBC so that the patch may be committed?

Johnbarclay (the maintainer) already replied, this should be configurable behaviour. (Which i fully agree). So if anyone could take care of that, i'm sure this could be merged. But it can't be committed as is, since this would break other backends.

But it can't be committed as is, since this would break other backends.

I think the patch I proposed would not break other backends. The patch restricts the behavior to Active Directory servers. From what I gather, Active Directory always needs the string to be in this format (and no other backend does). So I don't see any technical reason to add a configuration option. Or am I missing something?

Updating to "Needs review" - I don't see any current testbot failures. Earlier testbot failures were caused by a composer require failure which is unrelated to this patch.

Looks good, committed.

I agree with nullkernel, this is type-specific and should not break other backends.

Moving this issue back to needs work for porting it to 8.x. Patches are welcome!

Any updates on the 8.x fix?
I'm having the same issue. :\

Try the attached please.

grahl,

thanks for this password patch. couldn't have been better timed for a project i'm working on.

only hiccup: any idea why the 8.x patch would fail?

Could not apply patch! Skipping. The error was: Cannot apply patch https://www.drupal.org/files/issues/activedirectory-unicodepw-1954744-21.patch

@caiobianchi: Patch working?

I applied this patch for version 8.x-3.0-alpha1+45-dev and worked well

Thanks for the feedback, committed.