
Password plugin ldap_simple driver cannot change AD plugin when ldap_method is set to user #9615

Open
conathan opened this issue Aug 28, 2024 · 2 comments


Prerequisites

  • I have searched for duplicate or closed issues
  • I can recreate the issue with all plugins disabled

Describe the issue

When attempting to change the ldap password for a user, we get "Insufficient access" when using ldap_simple.

Reviewing https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2, it looks like it is required to do a REMOVE and ADD ldap operation when you are running as a non-admin user.

https://gist.githubusercontent.com/aysiu/0d8ddfa812251f74e5aed65d197cfadb/raw/2c680d7c616d6198182a8f3247e4eae67ca9ae40/ChangeADPassword.php - also has a working example of how this can work.

I patched plugins/password/drivers/ldap_simple.php with the following to make this work with ActiveDirectory (probably should not be applied as is, as I imagine this should be limited to ActiveDirectory environments).

if ($rcmail->config->get('password_ldap_method') == "user" && $pass_mode == "ad") {
    // AD only accepts a self-service password change as a single Modify
    // request that removes the old unicodePwd value and adds the new one.
    $modifications = [
        [
            //"attrib"  => "unicodePwd",
            "attrib"  => $pwattr,
            "modtype" => LDAP_MODIFY_BATCH_REMOVE,
            "values"  => [password::hash_password($curpass, $pass_mode)],
        ],
        [
            //"attrib"  => "unicodePwd",
            "attrib"  => $pwattr,
            "modtype" => LDAP_MODIFY_BATCH_ADD,
            "values"  => [$crypted_pass],
        ],
    ];

    // Note: this debug line writes both encoded passwords to the debug log.
    $this->_debug("C: Modify {$this->user}: " . print_r($modifications, true));

    if (!ldap_modify_batch($this->conn, $this->user, $modifications)) {
        $this->_debug("S: " . ldap_error($this->conn));

        // AD reports the detailed reason for a rejected change in the
        // diagnostic message, not in the plain error string.
        ldap_get_option($this->conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
        $this->_debug("S: $extended_error");

        $errno = ldap_errno($this->conn);

        ldap_unbind($this->conn);

        // 0x13 = constraintViolation, e.g. the new password fails the domain policy
        if ($errno == 0x13) {
            return PASSWORD_CONSTRAINT_VIOLATION;
        }
        return PASSWORD_CONNECT_ERROR;
    }
} else {
    // Original behaviour: a single replace of the password attribute
    $this->_debug("C: Modify {$this->user}: " . print_r($entry, true));

    if (!ldap_modify($this->conn, $this->user, $entry)) {
        $this->_debug("S: " . ldap_error($this->conn));

        $errno = ldap_errno($this->conn);

        ldap_unbind($this->conn);

        if ($errno == 0x13) {
            return PASSWORD_CONSTRAINT_VIOLATION;
        }

        return PASSWORD_CONNECT_ERROR;
    }
}

Also unrelated to the above (so out of scope of this ticket), but I saw mentions that ActiveDirectory should have LDAP_OPT_REFERRALS set to 0:
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); - all my testing had that set.

What browser(s) are you seeing the problem on?

Firefox

What version of PHP are you using?

8.0

What version of Roundcube are you using?

1.6.8

JavaScript errors

No response

PHP errors

[23-Jan-2024 11:46:11 Canada/Pacific] PHP Warning: ldap_modify(): Modify: Insufficient access in /home/webapps/roundcube-bravenet/shared/www/roundcubemail.20240123095600/plugins/password/drivers/ldap_simple.php on line 92
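The following is an added example, not part of the issue above and not Roundcube's own code. It shows the shape of the change the reporter describes in isolation: a self-service Active Directory password change must be sent as one LDAP Modify request that deletes the old unicodePwd value and adds the new one, with each value encoded as the quoted password in UTF-16LE, over an LDAPS/TLS connection bound as the user. The function names, the DN and the host in the usage comment are placeholders chosen for this example.

```php
<?php
// Added example (not from the issue or from Roundcube): build and send the
// delete+add modification that AD requires for a non-admin password change.

/**
 * Encode a password the way AD expects for the unicodePwd attribute:
 * the password wrapped in double quotes, converted to UTF-16LE.
 */
function ad_encode_password(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Build the modification list for ldap_modify_batch(): remove the current
 * unicodePwd value, then add the new one. Both entries travel in a single
 * Modify request, which is what AD requires when the bound user is changing
 * their own password (a plain replace needs reset rights instead).
 */
function ad_password_change_mods(string $current, string $new, string $attr = 'unicodePwd'): array
{
    return [
        [
            'attrib'  => $attr,
            'modtype' => LDAP_MODIFY_BATCH_REMOVE,
            'values'  => [ad_encode_password($current)],
        ],
        [
            'attrib'  => $attr,
            'modtype' => LDAP_MODIFY_BATCH_ADD,
            'values'  => [ad_encode_password($new)],
        ],
    ];
}

/**
 * Send the change over an existing connection already bound as the user.
 * Returns true on success; on failure, $error receives the LDAP error, the
 * numeric code and the server's diagnostic message. Nothing secret is logged.
 */
function ad_change_own_password($conn, string $userDn, string $current, string $new, ?string &$error = null): bool
{
    $mods = ad_password_change_mods($current, $new);
    if (@ldap_modify_batch($conn, $userDn, $mods)) {
        return true;
    }

    // AD puts the concrete reason (wrong current password, policy violation,
    // history reuse) in the diagnostic message; errno 0x13 is constraintViolation.
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $error = sprintf('%s (errno 0x%x) %s', ldap_error($conn), ldap_errno($conn), $diag);
    return false;
}

// Usage (host, DN and passwords are placeholders). AD refuses unicodePwd
// changes over a cleartext connection, so the URL must be ldaps:// or the
// connection must be upgraded with ldap_start_tls() before binding.
//
// $conn = ldap_connect('ldaps://dc.example.test');
// ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
// $dn = 'CN=Alice,OU=Users,DC=example,DC=test';
// ldap_bind($conn, $dn, $currentPassword);
// if (!ad_change_own_password($conn, $dn, $currentPassword, $newPassword, $err)) {
//     error_log("password change failed: $err");
// }
// ldap_unbind($conn);
```

The order of the two entries matters: the remove must come first, and the removed value must match the user's current password, which is how AD proves the caller knows it without granting reset rights. Keeping the encoded passwords out of any debug output is the one place this example deliberately differs from the patch in the issue, which prints the whole modification array.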


alecpl commented Sep 7, 2024

Did you try ldap_samba_ad driver?

@alecpl alecpl added this to the later milestone Sep 7, 2024

alecpl commented Sep 7, 2024

Heh, I just noticed that ldap_modify is an alias of ldap_mod_replace. So this driver will have the same issue.
