How to make ldap respect Active Directory password

Published 2019-08-09 03:07

Question:

I have access to an Active Directory that enforces a 5 password history restriction. Any password in the last 5 passwords you have, is not a viable candidate to be set or reset as your password.

I am using php and am trying to use ldap calls to reset a user's password. I can reset the password just fine using the ldap_modify call. Unfortunately though, ldap_modify does not care at all about the Active Directory's password history rule, and it will reset the password to anything you choose with no warnings or errors.

Is there any way to have ldap respect this restriction?

I have researched this for some time, but have not found any solid solution. Any hints or comments are much appreciated!

Answer 1:

The directory server should return a non-zero result code in the MODIFY response if the MODIFY fails for any reason. In the event of an attribute constraint violation (for example, a password that is in history, or insufficient time has passed since the last password change, or any other attribute constraint violation) the directory server must return the integer result code for a constraint violation (19).

The LDAP protocol has no knowledge of how server implementations deal with password policies. An LDAP client must use the result code as described above to make a determination of whether an LDAP request succeeded. That is, the LDAP client is isolated from server implementations.

Whether a user entry is subject to a password policy - or any other attribute constraint determination - is up to the server, not the protocol. If the MODIFY request succeeds even though the client expects it to fail, the problem lies on the server side or with the constraints of the password policy.



Answer 2:

Recently I faced this same question and found this post. Apparently, a password modification is considered to be an administrative password reset and you must specify additional options for the AD to apply its rules.

According to the post, the control must be available on the server. It's present in Windows Server 2008 R2 Service Pack 1 and can be installed in 2008 R2 using this hotfix: http://support.microsoft.com/?id=2386717

Then you configure the options before issuing the modify command in your PHP code:

// $ds: an LDAP connection already bound as an account allowed to set this user's
// password, over LDAPS or StartTLS (AD refuses unicodePwd changes on cleartext).
// $dn: the user's distinguished name; $newPassword: the new password in UTF-8.
// Control value = BER encoding of SEQUENCE { INTEGER 1 }, i.e. the bytes 30 03 02 01 01.
// Flag 1 tells the DC to apply password policy (history, minimum age, complexity)
// to this modify instead of treating it as an administrative reset.
$policyHintsValue = sprintf("%c%c%c%c%c", 48, 3, 2, 1, 1);

$ctrl1 = array(
    // LDAP_SERVER_POLICY_HINTS_OID for Windows 2012 and above
    "oid" => "1.2.840.113556.1.4.2239",
    "value" => $policyHintsValue);

$ctrl2 = array(
    // LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID for Windows 2008 R2 SP1 and above
    "oid" => "1.2.840.113556.1.4.2066",
    "value" => $policyHintsValue);

if (!ldap_set_option($ds, LDAP_OPT_SERVER_CONTROLS, array($ctrl1, $ctrl2))) {
    error_log("ERROR: Failed to set server controls");
}

// unicodePwd is the new password wrapped in double quotes and encoded as UTF-16LE
$entry = array("unicodePwd" => iconv("UTF-8", "UTF-16LE", '"' . $newPassword . '"'));

$result = ldap_mod_replace($ds, $dn, $entry);
if (!$result) {
    // With the control set, a password that violates policy now fails with
    // LDAP error 19 (constraint violation) instead of being silently accepted
    error_log("ERROR: password change failed: " . ldap_errno($ds) . " " . ldap_error($ds));
}

Many thanks to the post author bmaupin (couldn't find his/her name). I decided to answer the question since I landed here while searching for the solution to the same problem.
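The two answers above touch two halves of the same exchange: Answer 2 sends the LDAP_SERVER_POLICY_HINTS control so the DC applies its password policy, and Answer 1 says the client then learns of a rejected password only through the MODIFY result code (19, constraintViolation). The following is an added example written for this page, not code from either answer or from bmaupin's post. It is in Python rather than PHP so it can be run offline with no LDAP library: it builds the control value (the 30 03 02 01 01 bytes the PHP `sprintf` produces, generalised to any flag value), shows the full RFC 4511 Control as it goes on the wire, encodes the unicodePwd attribute the way AD expects, and decodes a ModifyResponse to pick out the result code. The ModifyResponse bytes and the diagnostic text are constructed for the example, not captured from a domain controller.

```python
"""LDAP_SERVER_POLICY_HINTS control value, unicodePwd encoding and ModifyResponse
decoding with the standard library only. Sample bytes are constructed, not captured."""

LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # Windows Server 2012 and later
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # Windows Server 2008 R2 SP1
LDAP_CONSTRAINT_VIOLATION = 19                                       # resultCode constraintViolation

def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_integer(value: int) -> bytes:
    """BER INTEGER (tag 0x02) with minimal two's-complement content octets."""
    content = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    while len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                                or (content[0] == 0xFF and content[1] >= 0x80)):
        content = content[1:]  # drop a redundant sign-extension octet
    return b"\x02" + ber_length(len(content)) + content

def ber_octet_string(data: bytes) -> bytes:
    """BER OCTET STRING (tag 0x04)."""
    return b"\x04" + ber_length(len(data)) + data

def ber_sequence(*parts: bytes) -> bytes:
    """BER SEQUENCE (tag 0x30) around already-encoded parts."""
    body = b"".join(parts)
    return b"\x30" + ber_length(len(body)) + body

def policy_hints_value(flags: int = 1) -> bytes:
    """controlValue of LDAP_SERVER_POLICY_HINTS: SEQUENCE { Flags INTEGER }. flags=1 asks
    the DC to apply password policy (history, minimum age, complexity) to the modify
    instead of treating it as an admin reset; it is the 30 03 02 01 01 of the PHP answer."""
    return ber_sequence(ber_integer(flags))

def ldap_control(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Wire form of an RFC 4511 Control: SEQUENCE { controlType, [criticality], controlValue }."""
    crit = b"\x01\x01\xff" if critical else b""  # BOOLEAN is only sent when TRUE
    return ber_sequence(ber_octet_string(oid.encode("ascii")), crit, ber_octet_string(value))

def unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the new password in double quotes, encoded UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")

def _tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_modify_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, [APPLICATION 7] ModifyResponse { resultCode,
    matchedDN, diagnosticMessage } }; raises ValueError for anything else."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag_id, mid, pos = _tlv(body, 0)
    tag_op, op, _ = _tlv(body, pos)
    if tag_id != 0x02 or tag_op != 0x67:
        raise ValueError(f"not a ModifyResponse (protocolOp tag {tag_op:#x})")
    tag, code, pos = _tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode ENUMERATED missing")
    _, matched, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "resultCode": int.from_bytes(code, "big"),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}

def password_rejected_by_policy(msg: bytes) -> bool:
    """True when the DC answered the modify with constraintViolation (19)."""
    return parse_modify_response(msg)["resultCode"] == LDAP_CONSTRAINT_VIOLATION

def modify_response(message_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """Encode a ModifyResponse (used here to construct test data, not captured from a DC)."""
    op = b"\x0a\x01" + bytes([result_code]) + ber_octet_string(b"") + ber_octet_string(diag)
    return ber_sequence(ber_integer(message_id), b"\x67" + ber_length(len(op)) + op)

# Constructed samples: a change rejected by policy and a successful one.
SAMPLE_REJECTED = modify_response(2, LDAP_CONSTRAINT_VIOLATION, b"constructed: new password is in history")
SAMPLE_OK = modify_response(3, 0)

if __name__ == "__main__":
    print("policy hints value :", policy_hints_value().hex())
    print("control on the wire:", ldap_control(LDAP_SERVER_POLICY_HINTS_OID, policy_hints_value()).hex())
    print("unicodePwd         :", unicode_pwd("Example!2019").hex())
    for sample in (SAMPLE_REJECTED, SAMPLE_OK):
        print(parse_modify_response(sample), "rejected:", password_rejected_by_policy(sample))
```

Two points worth checking in a real deployment follow from this. First, a client library that only reports success or failure hides the distinction between "the DC refused the password" (result code 19) and "the DC accepted it"; log the result code, not just the boolean, when you debug a policy that seems to be ignored. Second, the control is marked non-critical here, as the PHP answer's arrays also do not set `iscritical`: a DC that does not support the OID will ignore it and perform an administrative reset, which is exactly the silent behaviour the question describes, so sending both the 2239 and the deprecated 2066 OID (or marking the control critical and handling the resulting error) is what makes the policy check reliable.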