Update changelog for (#8525), CS fixes

5 files changed, 19 insertions, 5 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3179b0d4..129966241 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Advanced mail search syntax with more possibilities (without UI) (#8502)
 - Support for HAproxy protocol header in IMAP connections (#8625)
 - Enigma: Support Kolab's Web Of Anti-Trust feature (#8626)
+- Password: Add ldap_samba_ad driver (#8525)
 - Managesieve: Support Sieverules disabled rule format (#8571)
 - Remove use of utf8_encode() and utf8_decode() functions deprecated in PHP 8.2
 - Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
diff --git a/plugins/password/README b/plugins/password/README
index f460cd0b7..a00caafbf 100644
--- a/plugins/password/README
+++ b/plugins/password/README
@@ -52,6 +52,7 @@
  2.1.26. HTTP-API (httpapi)
  2.1.27. dovecot_passwdfile
  2.1.28. Mailcow
+ 2.1.29. LDAP Samba Active Directory (ldap_samba_ad)
  2.2.    Password Strength Drivers
  2.2.1.  Zxcvbn
  2.2.2.  Have I been pwned? (pwned)
@@ -414,10 +415,18 @@
 
  2.1.28 Mailcow
  ---------------------------
+
  Driver to change the password on Mailcow servers.
  See config.inc.php.dist file for configuration description.
 
 
+ 2.1.29. LDAP Samba Active Directory (ldap_samba_ad)
+ ---------------------------------------------------
+
+ Password change via LDAP unicodePwd attribute supported by Active Directory.
+ Uses configuration for other LDAP drivers.
+
+
  2.2. Password Strength Drivers
  ------------------------------
 
diff --git a/plugins/password/composer.json b/plugins/password/composer.json
index fba1cc2f4..725ce7109 100644
--- a/plugins/password/composer.json
+++ b/plugins/password/composer.json
@@ -3,7 +3,7 @@
     "type": "roundcube-plugin",
     "description": "Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.",
     "license": "GPL-3.0-or-later",
-    "version": "5.3",
+    "version": "5.4",
     "authors": [
         {
             "name": "Aleksander Machniak",
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index c38ce7c97..d91f9ae39 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -159,7 +159,7 @@ $config['password_pop_port'] = 106;
 $config['password_saslpasswd_args'] = '';
 
 
-// LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options
+// LDAP, LDAP_SIMPLE, LDAP_SAMBA_AD and LDAP_EXOP Driver options
 // -----------------------------------
 // LDAP server name to connect to.
 // You can provide one or several hosts in an array in which case the hosts are tried from left to right.
diff --git a/plugins/password/drivers/ldap_samba_ad.php b/plugins/password/drivers/ldap_samba_ad.php
index 85a0c9907..a1979f1d5 100644
--- a/plugins/password/drivers/ldap_samba_ad.php
+++ b/plugins/password/drivers/ldap_samba_ad.php
@@ -38,7 +38,7 @@ class rcube_ldap_samba_ad_password extends rcube_ldap_simple_password
             rcube::raise_error([
                     'code' => 100, 'type' => 'ldap',
                     'file' => __FILE__, 'line' => __LINE__,
-                    'message' => "ldap_mod_replace not supported"
+                    'message' => "ldap_mod_replace() not supported"
                 ],
                 true
             );
@@ -52,10 +52,14 @@ class rcube_ldap_samba_ad_password extends rcube_ldap_simple_password
             return $ret;
         }
 
-        $entry["unicodePwd"] = iconv("UTF-8", "UTF-16LE", '"' . $passwd . '"');
+        $entry = [
+            'unicodePwd' => password::hash_password($passwd, 'ad')
+        ];
+
+        $this->_debug("C: Replace password for {$this->user}: " . print_r($entry, true));
 
         if (!ldap_mod_replace($this->conn, $this->user, $entry)) {
-            $this->_debug("S: ".ldap_error($this->conn));
+            $this->_debug("S: " . ldap_error($this->conn));
 
             $errno = ldap_errno($this->conn);