Question:
Using PHP, is it possible to do an LDAP Password Modify Extended Operation, as specified in RFC 3062? The password hashing scheme in the LDAP directory I am working with may change periodically, so it is my understanding that I can't hash a new password according to a specific scheme, e.g., {SHA}; I need to use an Extended Operation instead and let the directory do the hashing. Is that correct? The help page for ldap_set_option suggests that it might be possible, but I sure can't find any example code anywhere on the web. Maybe I'm just losing my Google-fu. TIA
Answer 1:
LDAP clients must never transmit pre-encoded passwords to the directory server - passwords must always be transmitted in the clear over a secure connection because modern, professional-quality directory servers can perform password quality checks and password history checks only when presented with a clear-text password.
If PHP supports extended operations and extended responses, then the password modify extended operation (which requires the existing password and can generate a password if no new password is supplied) is supported. I am no PHP expert, but I believe that set_option can be used for controls (which are attached to an operation), but I do not know if PHP supports LDAP extended operations.
Answer 2:
Just for anyone stumbling across this question: in PHP > 7.0, it is indeed possible to perform an LDAP Extended Operation. For general info about ExOps in PHP, see the PHP reference.
There is also a function specifically for the password change operation (also taken from the PHP reference):
ldap_exop_passwd($ds, "uid=youruser,ou=People,dc=example,dc=com", "oldpasswd", "secureNewPassword");
Where $ds is an LDAP link identifier, returned by ldap_connect().
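A complete version of the call in the answer above, added here as an example and not part of the original answer. It connects, forces TLS before the clear-text password crosses the wire, binds as the user, and then issues the RFC 3062 Password Modify operation so the directory applies whatever hashing scheme and password policy it is configured with. The server URI, the DN, and the environment variables holding the passwords are assumed values.

```php
<?php
// Added example: change a password with the RFC 3062 Password Modify extended
// operation, leaving hashing and policy enforcement to the directory.
// Assumptions: ldap.example.com, the DN below, and the OLD_PW/NEW_PW env vars.

function changePasswordViaExop(string $uri, string $dn, string $oldPassword, string $newPassword): string
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed for ' . $uri);
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The new password is sent in the clear inside the operation, so refuse to
    // continue on a plain ldap:// connection unless STARTTLS succeeds.
    if (strpos($uri, 'ldaps://') !== 0 && !ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }

    // Bind as the user being changed; the server then checks its own
    // password-quality and history rules against the new value.
    if (!ldap_bind($ds, $dn, $oldPassword)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }

    // ldap_exop_passwd returns true on success, or a string when $newPassword
    // is empty and the server generated a password for us.
    $result = ldap_exop_passwd($ds, $dn, $oldPassword, $newPassword);
    if ($result === false) {
        throw new RuntimeException('password modify failed: ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    return is_string($result) ? $result : 'password changed';
}

// Usage (assumed DN and credentials from the environment):
echo changePasswordViaExop(
    'ldap://ldap.example.com',
    'uid=jdoe,ou=People,dc=example,dc=com',
    (string) getenv('OLD_PW'),
    (string) getenv('NEW_PW')
), PHP_EOL;
```

Passing an empty string as the new password asks the server to generate one, which is returned as the function's string result; binding as the user rather than as an administrator is what lets the directory enforce its policy on the change.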
Answer 3:
If you're handling the encryption of the password on your side, then yes, you can hash it with whatever encryption method you want.
For MD5: $pass_ldap = '{MD5}' . base64_encode(pack('H*', md5($pass)));
For SHA-1: $pass_ldap = '{SHA}' . base64_encode(pack('H*', sha1($pass)));
You would then use ldap_modify to update an existing user's password or ldap_add to add a new user with the encrypted password.
I have done this and I think the LDAP server uses the "{}" value to determine what format is being used.
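The client-side hashing route from this answer, as an added example that is not part of the original answer. It wraps the answer's {MD5} and {SHA} forms in one function and extends them to salted {SSHA} (digest followed by a random salt, the form OpenLDAP also accepts), adds a verifier that reproduces what the server does on bind so the encoding can be checked locally, and pushes the value with ldap_mod_replace. The DN and connection handle are assumed.

```php
<?php
// Added example: build a scheme-prefixed userPassword value client-side and
// store it with a modify. Generalises the answer's {MD5}/{SHA} lines to {SSHA}.
// Assumptions: the DN below and an already-bound $ds from ldap_connect()/ldap_bind().

function ldapPasswordHash(string $password, string $scheme = 'SSHA'): string
{
    switch (strtoupper($scheme)) {
        case 'MD5':
            // md5($p, true) yields raw bytes, same as pack('H*', md5($p)).
            return '{MD5}' . base64_encode(md5($password, true));
        case 'SHA':
            return '{SHA}' . base64_encode(sha1($password, true));
        case 'SSHA':
            // Random 4-byte salt appended to the digest; the server splits it off
            // when verifying, so each stored value is unique even for equal passwords.
            $salt = random_bytes(4);
            return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
        default:
            throw new InvalidArgumentException('unsupported scheme ' . $scheme);
    }
}

// Re-derive the digest from a stored value, mirroring the server's bind check.
function ldapPasswordVerify(string $password, string $stored): bool
{
    if (!preg_match('/^\{([A-Z0-9]+)\}(.+)$/', $stored, $m)) {
        return false;
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false) {
        return false;
    }
    switch ($m[1]) {
        case 'MD5':
            return hash_equals($raw, md5($password, true));
        case 'SHA':
            return hash_equals($raw, sha1($password, true));
        case 'SSHA':
            // SHA-1 digests are 20 bytes; whatever follows is the salt.
            $salt = substr($raw, 20);
            return hash_equals(substr($raw, 0, 20), sha1($password . $salt, true));
        default:
            return false;
    }
}

// Replace userPassword on an existing entry (ldap_add would take the same
// attribute array when creating a new user).
function setUserPassword($ds, string $dn, string $password): void
{
    $entry = ['userPassword' => ldapPasswordHash($password, 'SSHA')];
    if (!ldap_mod_replace($ds, $dn, $entry)) {
        throw new RuntimeException('modify failed: ' . ldap_error($ds));
    }
}

// Local self-check of the encoding before touching the directory:
$stored = ldapPasswordHash('correct horse', 'SSHA');
var_dump(ldapPasswordVerify('correct horse', $stored)); // bool(true)
var_dump(ldapPasswordVerify('wrong', $stored));         // bool(false)
```

Because the scheme prefix travels with the stored value, the directory can verify binds against entries written under different schemes; the trade-off noted in the earlier answers still applies, in that a pre-hashed value bypasses any password-quality or history checks the server would perform on a clear-text password.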