How to modify the "cn" and "name" attributes in Active Directory via PHP LDAP class

I am trying to change the Active directory information using a PHP script.

I was able to change all the attributes that I need except the "cn" and the "name" attributes.

When I tried changing them I got the error "Server is unwilling to perform":

Warning: ldap_modify(): Modify: Server is unwilling to perform

Also, when I try to change the password, it does not work. I don't get any errors/warnings, but it does not change the password. (As you can see, I am trying to change the password to Mike@1234567. The update works, as I am able to see the new value, but it does not change the user password; i.e., the new userPassword value is {SHA}i9Ai8Y8xRGcXEd3mpZ4x6JhHkWM=.)

The following is the function I am using to make the modification to the entries

function userchange($username, $firstName, $lastName, $domadlogin, $domadpw, $domctrl, $enable = 1, $ldapBase = 'DC=domain,DC=com', $new_status = 512, $password = 'Mike@1234567'){

    $ds = ldap_connect($domctrl);
    if (!$ds)
        die('Cannot Connect to LDAP server');

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $ldapBind = ldap_bind($ds, $domadlogin, $domadpw);

    if (!$ldapBind)
        die('Cannot Bind to LDAP server');

    // escape the username so it cannot alter the search filter (ldap_escape needs PHP >= 5.6)
    $filter = '(samaccountname=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';

    $sr = ldap_search($ds, $ldapBase, $filter);
    $ent = ldap_get_entries($ds, $sr);

    // no such user: nothing to modify
    if ($ent['count'] < 1)
        return false;

    $dn = $ent[0]["dn"];

    $userdata = array();

    $new = 514; // disabled account (ACCOUNTDISABLE flag set)

    if ($enable == 1)
        $new = $new_status;

    //change the user status
    $userdata["useraccountcontrol"] = $new;

    $userdata["cn"] = $firstName . ' ' . $lastName;
    $userdata['name'] = $firstName . ' ' . $lastName;

    $userdata['displayname'] = $firstName . ' ' . $lastName;
    $userdata['givenname'] = $firstName;
    $userdata['sn'] = $lastName;

    $update_ldap = ldap_modify($ds, $dn, $userdata);

    if (!$update_ldap)
        return false;

    $sr = ldap_search($ds, $ldapBase, $filter);
    $ent = ldap_get_entries($ds, $sr);
    $new_first_ent = ldap_first_entry($ds, $sr);

    if (!empty($password)) {

        $encode_password = "{SHA}" . base64_encode(pack("H*", sha1($password)));
        $newEntry = array();
        $newEntry['userpassword'] = $encode_password;
        $update_ldap = ldap_mod_replace($ds, $dn, $newEntry);

        if (!$update_ldap)
            return false;

    }

    ldap_close($ds);
    return true;
}
Mike asked Apr 15 '14 20:04


1 Answer

First, when you want to modify the attributes used to build the distinguished name (DN), you modify the so-called Relative Distinguished Name (RDN). From the LDAP point of view you have to use a special verb for that (modRDN); this means that you should use a special API in PHP. PHP is not my environment, but I suppose that ldap_rename will do the trick.

Second, as far as Active Directory is concerned, the password is not in 'userpassword' but in 'unicodePwd'; you've got an example in this other Stack Overflow question. And, be careful, you need to use LDAPS to set 'unicodePwd'. You can also have a look at Changing Active Directory passwords via LDAP using PHP.

JPBlanc answered Nov 08 '22 22:11
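The two points in the answer (rename the RDN with a modRDN via ldap_rename, then set unicodePwd over LDAPS) as a worked PHP example. This is added code, not the question's or the answer's; the host, bind account, DN and environment variable are hypothetical placeholders.

```php
<?php
// Added example (not from the question or the answer): rename a user's RDN with
// ldap_rename() and reset the password through unicodePwd over LDAPS.
// Assumes the bound account may rename objects and reset passwords; the host,
// bind account and DNs below are hypothetical placeholders.

// AD expects unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE.
function adEncodePassword($password)
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

function adRenameAndSetPassword($ds, $dn, $newCn, $newPassword)
{
    // cn is the RDN of a user object, so it is changed with modRDN (ldap_rename),
    // not ldap_modify(); AD derives the "name" attribute from the new RDN itself.
    $parts = ldap_explode_dn($dn, 0);
    unset($parts['count']);
    $parent = implode(',', array_slice($parts, 1));
    $newRdn = 'CN=' . ldap_escape($newCn, '', LDAP_ESCAPE_DN);

    if (!ldap_rename($ds, $dn, $newRdn, $parent, true)) {
        error_log('ldap_rename failed: ' . ldap_error($ds));
        return false;
    }
    $newDn = $newRdn . ',' . $parent;   // the object now lives under its new RDN

    // unicodePwd is only accepted over an encrypted connection (LDAPS or StartTLS).
    $entry = array('unicodePwd' => adEncodePassword($newPassword));
    if (!ldap_mod_replace($ds, $newDn, $entry)) {
        error_log('unicodePwd replace failed: ' . ldap_error($ds));
        return false;
    }
    return true;
}

// Usage: connect with ldaps://, bind, then rename and reset in one call.
$ds = ldap_connect('ldaps://dc.example.com');   // hypothetical host
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ds, 'admin@example.com', getenv('AD_ADMIN_PW'))) {
    die('Cannot bind: ' . ldap_error($ds));
}
$ok = adRenameAndSetPassword($ds, 'CN=Old Name,OU=Users,DC=example,DC=com',
                             'New Name', 'Mike@1234567');
ldap_close($ds);
```

If the server rejects the unicodePwd write with "unwilling to perform", check that the connection really is LDAPS and that the new value satisfies the domain password policy.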