LDAP connection

Configuration file: self-service-password/conf/config.inc.php

Server address

Use an LDAP URI to configure the location of your LDAP server in $ldap_url:

$ldap_url = "ldap://localhost:389";

You can set several URIs, so that the next server is tried if the previous one is down:

$ldap_url = "ldap://server1 ldap://server2";

To use SSL, use the ldaps scheme in the URI:

$ldap_url = "ldaps://localhost";

LDAP certificate management in PHP relies on the system LDAP libraries. Configure /etc/ldap.conf (or /etc/ldap/ldap.conf on Debian/Ubuntu, or C:\OpenLDAP\sysconf\ldap.conf on Windows) to either:

  • Provide the certificate of the certificate authority that issued your LDAP server's certificate:

TLS_CACERT /etc/ssl/ca.crt
  • Or, disable server certificate checking:

Bind DN and password

Configure the bind DN and password in $ldap_binddn and $ldap_bindpw:

$ldap_binddn = "cn=manager,dc=example,dc=com";
$ldap_bindpw = "secret";

You can leave these parameters empty to bind anonymously. In this case, the password modification must be done with the user's own credentials.

To use the user's own credentials when writing to the LDAP directory, set $who_change_password to user instead of manager:

$who_change_password = "user";

Search parameters

You can set the base of the search in $ldap_base:

$ldap_base = "dc=example,dc=com";

The filter can be set in $ldap_filter:

$ldap_filter = "(&(objectClass=person)(uid={login}))";

The string {login} is replaced by the submitted login.
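The following is an added example (not code from Self Service Password itself) showing how the bind settings and the {login} substitution above fit together: it connects to $ldap_url, binds with $ldap_binddn/$ldap_bindpw (or anonymously when both are empty), and resolves the submitted login to exactly one DN. The login is escaped with ldap_escape() before it is spliced into $ldap_filter, so input such as *)(uid=* stays a literal uid value instead of widening the filter. Server name, base and credentials are placeholders.

```php
<?php
// Added example, not part of the Self Service Password code base.
// Placeholder values: replace with your own server, base and bind account.
$ldap_url    = "ldaps://ldap.example.com";
$ldap_base   = "dc=example,dc=com";
$ldap_binddn = "cn=manager,dc=example,dc=com";
$ldap_bindpw = "secret";
$ldap_filter = "(&(objectClass=person)(uid={login}))";

// Build the search filter from the configured template. Every filter
// metacharacter in the submitted login (* ( ) \ and NUL) is escaped first,
// so the login can only ever match a uid value, never alter the filter.
function build_filter(string $template, string $login): string
{
    $safe = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    return str_replace('{login}', $safe, $template);
}

// Return the DN matching the login, or null when there is not exactly one match.
function find_user_dn(string $url, string $binddn, string $bindpw,
                      string $base, string $template, string $login): ?string
{
    $ds = ldap_connect($url);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Empty DN and password bind anonymously, as the configuration allows.
    if (!ldap_bind($ds, $binddn !== '' ? $binddn : null, $bindpw !== '' ? $bindpw : null)) {
        ldap_unbind($ds);
        return null;
    }
    $result  = ldap_search($ds, $base, build_filter($template, $login), ['dn']);
    $entries = $result ? ldap_get_entries($ds, $result) : ['count' => 0];
    ldap_unbind($ds);
    // A password change must target one entry; refuse zero or several matches.
    if ($entries['count'] !== 1) {
        return null;
    }
    return $entries[0]['dn'];
}

// Show that hostile-looking input is neutralised before it reaches the server.
echo build_filter($ldap_filter, '*)(uid=*') . PHP_EOL;
```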

Special modes

Active Directory

Passwords in Active Directory are not managed like in other LDAP directories. Set $ad_mode so that unicodePwd is used as the password attribute:

$ad_mode = true;

You must also use SSL on the LDAP connection, because AD refuses to change a password over a clear-text connection. See this documentation to manage Active Directory certificates.

Adapt the search filter too:

$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

Due to PHP LDAP API limitations, changing the password as the user is not possible; you must change it as manager.

You can tune some options:

  • Force unlock: unlocks a locked account when the password is changed:

$ad_options['force_unlock'] = true;

  • Force the user to change the password at next login:

$ad_options['force_pwd_change'] = true;

Samba

To keep compatibility with the Windows world, Samba stores a specific hash of the password in a second attribute (sambaNTpassword). It also stores the modification date in sambaPwdLastSet. Use $samba_mode to manage these attributes:

$samba_mode = true;

You must enable the Samba schema on your LDAP directory, or the LDAP modifications will fail.

Shadow

If your users use the shadowAccount object class, you can update the shadowLastChange attribute when the password is changed:

$shadow_options['update_shadowLastChange'] = true;