PHP and OPENLDAP, can't change password expired error: Invalid credentials

Exception or error:

I configured my OPENLDAP ($OpenLDAP: slapd 2.4.44) with a password policy as below:

dn: cn=DefaultPPolicy,ou=Policies,cn=Manager,dc=mydomain,dc=com
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
passwordExp: ON
pwdMaxAge: 2592000
pwdExpireWarning: 2160000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdReset: TRUE

Now I wrote this PHP function to update the password.

function checkPassword($username, $password){
    include '../conf/';
    $ldap_Userdn = getUserDN($username);

    if ($ldap_Userdn) {
        $ldap_con = ldap_connect($ldap_hostname, $ldap_port);
        ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap_con, LDAP_OPT_REFERRALS, 0);

        if (ldap_bind($ldap_con, $ldap_Userdn, $password)) {
            $authenticated = true;
        } else {
            $authenticated = false;
            // Older PHP builds lack this constant; define it only when missing.
            if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
                define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
            }
            // Result code of the failed bind (49 = invalid credentials).
            $errno = ldap_errno($ldap_con);
            // ldap_get_option() returns a bool; the text lands in $extended_error.
            ldap_get_option($ldap_con, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
            $auth_error = ldap_error($ldap_con) . '<br />' . $extended_error;

            // Note: these echos expose server diagnostics to the browser.
            echo "<br/><br/>extended_error: " . $extended_error;
            echo "<br/><br/>auth_error: " . $auth_error;

            if ($errno == 532) {
                echo "<br/><br/>-----------Unable to login: Password expired.---------<br/><br/>";
            }
        }
    } else {
        $authenticated = false;
        echo "<br/>Error to find user DN";
    }

    return $authenticated;
}

But when the password is expired, I always receive this error:

Error 49 – Invalid credentials
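Added example, not the poster's code: the OpenLDAP ppolicy overlay answers both a wrong password and an expired one with result 49, and the distinction is carried only in the password policy response control, which PHP 7.3+ exposes through ldap_bind_ext() and ldap_parse_result(). The 532 checked in the question is an Active Directory diagnostic data code that OpenLDAP never sends. It assumes the poster's $ldap_hostname/$ldap_port and an already resolved user DN; the error table and the PP_noError sentinel (65535) come from OpenLDAP's ldap.h and the draft-behera password policy spec.

```php
<?php
// Added example; assumes PHP >= 7.3 and an OpenLDAP server with the ppolicy overlay.
// ppolicy response "error" values (draft-behera-ldap-password-policy).
const PPOLICY_ERRORS = [
    0 => 'passwordExpired',        1 => 'accountLocked',
    2 => 'changeAfterReset',       3 => 'passwordModNotAllowed',
    4 => 'mustSupplyOldPassword',  5 => 'insufficientPasswordQuality',
    6 => 'passwordTooShort',       7 => 'passwordTooYoung',
    8 => 'passwordInHistory',
];
const PPOLICY_NO_ERROR = 65535;   // PP_noError in OpenLDAP's ldap.h

function checkPasswordWithPolicy(string $userDn, string $password, string $host, int $port): array
{
    $con = ldap_connect($host, $port);
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

    // Ask the server to attach the password policy response control to the bind result.
    $result = ldap_bind_ext($con, $userDn, $password,
        [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST]]);
    if ($result === false) {
        return ['authenticated' => false, 'reason' => ldap_error($con)];
    }
    ldap_parse_result($con, $result, $errcode, $matchedDn, $errmsg, $referrals, $controls);

    // PHP decodes the control into expire/grace (-1 when absent) and error.
    $policy = $controls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value'] ?? [];
    $out = [
        'authenticated' => ($errcode === 0),
        'reason'        => ldap_err2str($errcode),
        'must_change'   => false,
    ];
    $err = $policy['error'] ?? PPOLICY_NO_ERROR;
    if ($err !== PPOLICY_NO_ERROR) {
        // Result 49 alone cannot tell "wrong password" from "expired"; this can.
        $out['reason'] = PPOLICY_ERRORS[$err] ?? "unknown policy error $err";
        // With pwdReset/pwdMustChange the bind succeeds but only a password
        // change is allowed until the user sets a new one.
        $out['must_change'] = ($err === 2);
    }
    if (($policy['expire'] ?? -1) >= 0) {
        $out['expires_in_seconds'] = $policy['expire'];   // inside pwdExpireWarning
    }
    if (($policy['grace'] ?? -1) >= 0) {
        $out['grace_logins_left'] = $policy['grace'];
    }
    return $out;
}
```

Log the full diagnostic server-side and show the user only the mapped reason; echoing the raw LDAP error text, as the question's function does, leaks directory details to the browser.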

How to solve:
