PHP – The rights needed to change an AD LDAP password

Tags: ldap, permissions, PHP, user-accounts

What are the bare minimum rights you need to change another person's LDAP password? I'm working on a tool that allows a user to change his password. As the tool needs to be written in PHP, the only problem is that you can't use a user account to change the password. To work around this we want to use a manager/admin account that can only change the passwords of all the other users.

Now the problem: we could not find the right rights to set so that the account was allowed to change the passwords. The only way it worked for us was if we made him domain admin, and that is something we don't want. So what are the minimum rights that someone needs to change another person's password with PHP?

EDIT:
Changed the title to fit the question better.

Best Answer

Apache has a suexec module, which allows the spawning of threads as separate users, but I don't think that's the simplest solution.

Instead, why not just log in to the LDAP server as the user, using the user's password and the user's new password at the same time. You should be able to just use ldappasswd (or the PHP equivalent) to do this.

The man page for ldappasswd and a Google search for "php ldappasswd" should find you everything you're looking for.

EDIT: LDAP servers have only one administrative user AFAIK, the root_dn, which can modify everything, including other users' passwords. I imagine you don't have the root_dn's login details though, unless you manage the LDAP server yourself.
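The self-service bind the answer suggests, written out for the Active Directory case the question asks about (an added example, not code from the original post or its author): the user binds with their own credentials over LDAPS and changes unicodePwd by deleting the old value and adding the new one, so no privileged account is involved; a second function shows the reset path a delegated service account would use instead. The server URI, DNs and account names are assumed placeholders.

```php
<?php
// Added example: AD password change/reset via PHP's LDAP extension.
// Assumed placeholders: ldaps://dc.example.test and the DNs/UPNs below.

// Active Directory stores the password in unicodePwd as the UTF-16LE
// encoding of the password wrapped in double quotes, and only accepts
// writes to it over an encrypted (LDAPS / StartTLS) connection.
function adPasswordValue(string $password): string
{
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}

// Self-service change: bind as the user, then remove the old unicodePwd
// and add the new one in one modify operation. AD treats this
// delete/add pair as a "change", which needs only the current password,
// unlike a plain replace, which is a "reset" requiring the
// Reset Password control access right on the account.
function changeOwnPassword(string $uri, string $userDn, string $upn,
                           string $oldPw, string $newPw): bool
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind with the user's existing credentials (a UPN works on AD).
    if (!@ldap_bind($ldap, $upn, $oldPw)) {
        ldap_close($ldap);
        return false;
    }
    $ok = ldap_modify_batch($ldap, $userDn, [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [adPasswordValue($oldPw)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [adPasswordValue($newPw)]],
    ]);
    ldap_close($ldap);
    return $ok;
}

// Administrative reset: $ldap is already bound as a service account that
// has only the delegated Reset Password right on the users' OU (not a
// domain admin). A single replace sets the password without the old one.
function resetPassword($ldap, string $userDn, string $newPw): bool
{
    return ldap_mod_replace($ldap, $userDn,
        ['unicodePwd' => adPasswordValue($newPw)]);
}
```

Both functions fail (return false) rather than throw if the bind is refused or the directory rejects the new value, e.g. for password-policy reasons, so the caller should check the return value and, when needed, ldap_error() on the connection.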
