1. Registered User (joined Jan 2008)
    I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.
2. Registered User (joined Oct 2008)
    I finally got this to work with the help of this thread. Especially the tutorial on setting up LDAP over SSL helped me a lot. The final hurdle for me was that the method to convert the password string used in most examples here didn't work for me. Using mb_convert_encoding did the trick. So here's my complete source code:
    PHP Code:
    // $username, $oldpassword, $newpassword and $newpassword2 come from the submitted form
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    $ldapconn = ldap_connect('ldaps://127.0.0.1', 636);
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    $ldapuser = "ldapuser";
    $ldappwd = "*****";

    // bind as the service account and search for the user
    ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);
    // ldap_escape() (PHP 5.6+) keeps form input from altering the search filter
    $res_id = ldap_search($ldapconn, "CN=Users,DC=my,DC=company,DC=example",
                          "sAMAccountName=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    if ($res_id) {
      $entry_id = ldap_first_entry($ldapconn, $res_id);
      if ($entry_id) {
        $user_dn = ldap_get_dn($ldapconn, $entry_id);
        if ($user_dn) {
          // check if the old password allows a successful login
          $ldapbind = ldap_bind($ldapconn, $user_dn, $oldpassword);
          if ($ldapbind) {
            if (strcmp($newpassword, $newpassword2) == 0) {
              // create the unicode password: wrap in double quotes, then UTF-16LE
              $newpassword = "\"" . $newpassword . "\"";
              $newPass = mb_convert_encoding($newpassword, "UTF-16LE");
              // rebind as admin to change the password
              ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);
              $pwdarr = array('unicodePwd' => $newPass);
              if (ldap_mod_replace($ldapconn, $user_dn, $pwdarr)) {
                print "<p class='success'>Change password succeeded.</p>\n";
              } else {
                print "<p class='error'>Change password failed.</p>\n";
              }
            } else {
              print "<p class='error'>New password must be entered the same way twice.</p>\n";
            }
          } else {
            print "<p class='error'>Wrong user name or password.</p>\n";
          }
        } else {
          print "<p class='error'>Couldn't load user data.</p>\n";
        }
      } else {
        print "<p class='error'>Couldn't find user data.</p>\n";
      }
    } else {
      print "<p class='error'>Username was not found.</p>\n";
    }
    if (ldap_error($ldapconn) != "Success") {
      print "<p class='error'>LDAP Error:<br />\n";
      var_dump(ldap_error($ldapconn));
      print "</p>\n";
    }
    @ldap_close($ldapconn);
3. Registered User (joined Jul 2009)

    Need a helping hand


    Hi Guys,

    Here's my situation: I've finally got modifying a user password with the AD administrator account through LDAPS to work, but as the password is available in clear text in my PHP code, I'd like to find a workaround. Then,

    binding with the supplied user password works fine, but trying to modify/replace the unicodePwd attribute just does not work and leaves me with this error message:

    Code:
    ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access
    If you have any idea how to figure out why, and how to succeed, here's my source code followed by my configuration:

    PHP Code:
    // $user, $user_cn, $gen_pwd and $newPassword are set earlier in the application
    $uid = $user->name;
    $bindDn = "CN=$user_cn,OU=People,DC=xxxxx,DC=xxxx";
    $bindPassword = $gen_pwd;
    $baseDn = 'ou=people,dc=xxxx,dc=xxxxx';
    $protocolVersion = 3;

    $ldap = ldap_connect('ldaps://ad.myserver.com');
    if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))
    {
        exit('Failed to set protocol version to ' . $protocolVersion);
    }

    // bind anonymously so that we can verify if the server really is running
    ldap_bind($ldap);
    if (ldap_errno($ldap) !== 0)
    {
        exit('Could not connect to eSG LDAP server');
    }

    // now bind with the correct username and password
    ldap_bind($ldap, $bindDn, $bindPassword);
    if (ldap_errno($ldap) !== 0)
    {
        exit('ERROR: ' . ldap_error($ldap));
    }

    $searchResults = ldap_search($ldap, $baseDn, 'uid=' . $uid);
    // no matching records
    if ($searchResults === false)
    {
        exit('No user found ');
    }
    if (!is_resource($searchResults))
    {
        exit('Error in search results.');
    }

    /* create the unicode password
        $newpassword = $newPassword;
        $newpassword = "\"" . $newpassword . "\"";
        $newPass = mb_convert_encoding($newpassword, "UTF-16LE");
    */

    // password creation, 2nd technique: quote the password, then follow every
    // byte with a NUL (hand-made UTF-16LE; only correct for ASCII passwords)
    $newPassword = "\"" . $newPassword . "\"";
    $len = strlen($newPassword);
    $newPassw = '';
    for ($i = 0; $i < $len; $i++)
        $newPassw .= $newPassword[$i] . "\000";
    $newPassword = $newPassw;
    $userdata["unicodePwd"] = $newPassword;

    $entry = ldap_first_entry($ldap, $searchResults);
    if (!is_resource($entry))
    {
        exit('Couldn\'t get entry');
    }
    $userDn = ldap_get_dn($ldap, $entry);
    echo("<br>");

    //ldap_modify($ldap, $userDn, array('unicodePwd' => $newPass));
    //ldap_mod_replace($ldap, $userDn , array('unicodePwd' => $newPass));
    ldap_mod_replace($ldap, $userDn, $userdata);
    Windows server 2003
    Apache2/PHP 5.2
    LDAPS is on

    Thanks for your help.

    Flo.
    Originally Posted by Clockwatcher
    I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.
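Post 1 describes the delete-old-value/add-new-value pair that AD requires when a user changes their own password, and post 3 hits "Insufficient access" because a plain replace of unicodePwd needs reset rights the user does not hold. Since PHP 5.4.26 / 5.5.10, ldap_modify_batch() can send both modifications in one operation; the block below is an added example (not any poster's code) showing that together with the quoted UTF-16LE encoding used in posts 2 and 3. It assumes PHP 7+ with mbstring, an $ldap link already opened over ldaps:// or StartTLS, and $userDn as the user's full DN.

```php
<?php
// Added example (not code from any poster in this thread).
// Self-service AD password change: the user proves the old password by binding
// with it, then unicodePwd gets the old value REMOVED and the new value ADDED in
// one modify operation via ldap_modify_batch() (PHP >= 5.4.26 / 5.5.10).
// Assumptions: $ldap is an open link over ldaps:// or StartTLS (AD refuses
// unicodePwd writes on an unprotected connection); $userDn is the user's full DN.

// AD wants the password in double quotes, encoded as UTF-16LE (mbstring required).
function ad_encode_password(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Returns true when the directory accepted the change; the reason for a refusal
// is left in ldap_error($ldap) for the caller to log.
function ad_change_own_password($ldap, string $userDn, string $old, string $new): bool
{
    // Bind as the user: a wrong old password (or a locked/expired account)
    // fails here with "Invalid credentials" and nothing is modified.
    if (!@ldap_bind($ldap, $userDn, $old)) {
        return false;
    }
    $mods = [
        ['attrib'  => 'unicodePwd',
         'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values'  => [ad_encode_password($old)]],
        ['attrib'  => 'unicodePwd',
         'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values'  => [ad_encode_password($new)]],
    ];
    // AD evaluates its password policy (history, complexity, minimum age) on
    // this call; a violation typically comes back as "Constraint violation".
    return @ldap_modify_batch($ldap, $userDn, $mods);
}

// Usage sketch (host, DN and passwords are placeholders):
// $ldap = ldap_connect('ldaps://ad.example.com:636');
// ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// if (!ad_change_own_password($ldap, $userDn, $oldPassword, $newPassword)) {
//     error_log('unicodePwd change refused: ' . ldap_error($ldap));
// }
```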
4. Registered User (joined Apr 2011)

    Getting cert from AD to openSUSE OpenSSL


    Hi all

    sorted, please ignore

    Many thanks
    uTMY
5. Registered User (joined Apr 2011)

    AD 2008 rc


    I want to update AD passwords through the web.

    I'm using PHP + Apache + OpenLDAP + OpenSSL on a Red Hat distro.

    My problem is that I get this annoying message when I try to update the unicode attribute; really annoying, as I have stumbled for more than a week trying to solve this:
    ---> Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Server is unwilling to perform

    In the PHP program:
    1. I get a secure AD connection (I'm using ldap_connect("ldaps://myad.com")). I also tried ldap_connect("ldap://myad.com", 389) with ldap_start_tls($conn), but it gives me the same 'unwilling'.
    2. I bind with the AD Administrator user to make sure the binding user has enough privileges to update other users' passwords.
    3. The password is converted to the appropriate AD requirement: unicode + base64.

    But I still get the 'unwilling'.

    The other way, on the Linux command line:
    1. I can update the same user's password with the exact same password (unicode + base64) successfully, giving me this output:
    modifying entry "CN=Userid,CN=Users,DC=com"

    In my ldap.conf (in the default OpenLDAP compile installation path, /usr/local/etc/openldap/ldap.conf) are the following lines:

    TLS_REQCERT never
    TLS_CACERTDIR /usr/local/ssl/certs
    TLS_CACERT /usr/local/ssl/certs/mycert.pem

    Why is the web complaining 'unwilling'?

    My current status is that technically I got the PHP program to update the user password, by calling shell_exec to execute the shell command. That works, but I don't really like my short-term solution and am looking for a clean technique for it.

    Maybe those who have already done this successfully can guide me through.

    Thanks in advance.
6. Registered User (joined Apr 2011)
    Hi

    Apache needs the same directives as PHP in its user's home directory, same filename (ldap.conf), same contents regarding the cert etc.

    The "unwilling ..." is still related to a non-secure connection. Took me ages to work it out.

    rgds

    Originally Posted by hiorie
    I want to update AD passwords through the web.

    I'm using PHP + Apache + OpenLDAP + OpenSSL on a Red Hat distro.

    My problem is that I get this annoying message when I try to update the unicode attribute; really annoying, as I have stumbled for more than a week trying to solve this:
    ---> Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Server is unwilling to perform

    In the PHP program:
    1. I get a secure AD connection (I'm using ldap_connect("ldaps://myad.com")). I also tried ldap_connect("ldap://myad.com", 389) with ldap_start_tls($conn), but it gives me the same 'unwilling'.
    2. I bind with the AD Administrator user to make sure the binding user has enough privileges to update other users' passwords.
    3. The password is converted to the appropriate AD requirement: unicode + base64.

    But I still get the 'unwilling'.

    The other way, on the Linux command line:
    1. I can update the same user's password with the exact same password (unicode + base64) successfully, giving me this output:
    modifying entry "CN=Userid,CN=Users,DC=com"

    In my ldap.conf (in the default OpenLDAP compile installation path, /usr/local/etc/openldap/ldap.conf) are the following lines:

    TLS_REQCERT never
    TLS_CACERTDIR /usr/local/ssl/certs
    TLS_CACERT /usr/local/ssl/certs/mycert.pem

    Why is the web complaining 'unwilling'?

    My current status is that technically I got the PHP program to update the user password, by calling shell_exec to execute the shell command. That works, but I don't really like my short-term solution and am looking for a clean technique for it.

    Maybe those who have already done this successfully can guide me through.

    Thanks in advance.
7. Registered User (joined Apr 2011)
    Originally Posted by uTMY
    Hi

    Apache needs the same directives as PHP in its user's home directory, same filename (ldap.conf), same contents regarding the cert etc.

    The "unwilling ..." is still related to a non-secure connection. Took me ages to work it out.

    rgds
    Hi There,

    "Apache needs the same directives as PHP in its user's home directory, same filename (ldap.conf), same contents regarding the cert etc."

    My Apache runs as the 'daemon' user. Do you mean I need to put ldap.conf in daemon's home? By default Apache 2 doesn't create a home dir for the daemon user.

    --> Do you mind explaining in more detail how you solved it?

    Thanks in advance.
8. Registered User (joined Apr 2011)
    I created this on openSUSE so it may be different on Red Hat.

    /var/lib/wwwrun/.ldaprc

    .ldaprc contains the same content as /etc/ldap.conf

    wwwrun is the Apache user's home directory.

    This was the final piece in my jigsaw to solve PHP updating passwords in AD DS and AD LDS.

    rgds
9. Registered User (joined Apr 2011)

    No Luck


    Originally Posted by uTMY
    I created this on openSUSE so it may be different on Red Hat.

    /var/lib/wwwrun/.ldaprc

    .ldaprc contains the same content as /etc/ldap.conf

    wwwrun is the Apache user's home directory.

    This was the final piece in my jigsaw to solve PHP updating passwords in AD DS and AD LDS.

    rgds
    Thanks Bro for kindly sharing your experience, I was really excited to see your guide because it was the step I did not do.

    But doing that, still no joy for me .... so irritating. What else have I missed, hmmmm.

    But it seems I only have the problem via the web, because the command line works fine.
    There is something wrong with my Apache and OpenLDAP.

    Thanks Bro for the light!
10. Registered User (joined Apr 2011)
    Did you check the rights on .ldaprc?
    rgds
11. Registered User (joined Apr 2011)
    Originally Posted by uTMY
    Did you check the rights on .ldaprc?
    rgds
    Yeah, I chmod'ed it to 755. Why do we need to put .ldaprc in the web root? It seems like Apache cannot read the ldap.conf in the OpenLDAP dir.

    But when I remove the ldap.conf in the OpenLDAP dir, it seems ldap_connect does read from ldap.conf, because I get the 'Unable to connect' msg.

    thanks in advance.
12. Registered User (joined Apr 2011)
    Originally Posted by hiorie
    Yeah, I chmod'ed it to 755. Why do we need to put .ldaprc in the web root? It seems like Apache cannot read the ldap.conf in the OpenLDAP dir.

    But when I remove the ldap.conf in the OpenLDAP dir, it seems ldap_connect does read from ldap.conf, because I get the 'Unable to connect' msg.

    thanks in advance.
    Yeah!!! I got it, Bro. Thanks a million for the clue. It was the .ldaprc ... but for me I needed to set SetEnv HOME <webrootpath> in my http.conf and VOILA ..

    Dude, thanks a lot for this relief .. I owe you one good lunch.

    Let this long forum thread (years of discussion) help others in the future.
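Posts 5 to 12 trace the "unwilling to perform" error to the OpenLDAP client not finding its TLS settings (ldap.conf / .ldaprc) under the Apache user's HOME, and the ldap.conf quoted in post 5 uses TLS_REQCERT never, which switches certificate verification off. The block below is an added example, not any poster's code: it sets the trust settings from PHP itself so they do not depend on HOME, and uses the verifying setting. It assumes PHP 7.1 or later (for LDAP_OPT_X_TLS_CACERTFILE) and that $host and $caFile are supplied by the caller.

```php
<?php
// Added example (not code from anyone in this thread): set the OpenLDAP client's
// TLS trust options from PHP (>= 7.1 for LDAP_OPT_X_TLS_CACERTFILE) instead of
// depending on ldap.conf / ~/.ldaprc being found in the Apache user's HOME.
// $host and $caFile are assumptions supplied by the caller.
//
// The thread's ldap.conf used:
//     TLS_REQCERT never        <- accepts any certificate, even a forged one
// The corrected setting, applied below through ldap_set_option(), is:
//     TLS_REQCERT demand       <- verify against TLS_CACERT, fail otherwise

function ad_connect_verified(string $host, string $caFile)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable by the web server user: $caFile");
    }
    // Link-less (global) options must be set BEFORE ldap_connect(); they take
    // the place of the TLS_CACERT and TLS_REQCERT lines in ldap.conf/.ldaprc.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect('ldaps://' . $host . ':636');
    if ($ldap === false) {
        throw new RuntimeException('ldap_connect rejected the URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // ldap_connect() does not talk to the server; the TLS handshake happens on
    // the first operation. Probe with an anonymous bind and fail closed: a
    // handshake or trust failure surfaces here instead of later as
    // "Server is unwilling to perform" on the unicodePwd write (AD refuses
    // password changes on a connection it does not consider secure).
    if (!@ldap_bind($ldap)) {
        $msg = ldap_error($ldap);
        ldap_close($ldap);
        throw new RuntimeException('TLS connection to AD failed: ' . $msg);
    }
    return $ldap;
}

// Usage (values are placeholders):
// $ldap = ad_connect_verified('ad.example.com', '/etc/ssl/certs/ad-ca.pem');
```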
13. Registered User (joined Apr 2011)
    Unless you are in the UK it's gonna be hard to collect on a lunch, but you are more than welcome for the pointer; glad it helped, it certainly had me scratching my head for a few days.

    rgds
14. Registered User (joined Apr 2011)

    online lunch


    Originally Posted by uTMY
    Unless you are in the UK it's gonna be hard to collect on a lunch, but you are more than welcome for the pointer; glad it helped, it certainly had me scratching my head for a few days.

    rgds
    Haha ... far far away ... but today maybe you already had a great lunch, huh bro .... celebrating the new Princess of Britain.

    Surely your hint did help me a lot, and I'm sure it will help others too, because googling gave me lots of unsolved AD PHP password update discussions. Some gave up and used Perl and other languages.

    See ya dude. Have a nice day.
15. Registered User (joined Oct 2011)
    Hi,

    Firstly, excuse my poor English...

    I have the same problem as the first post of this thread; I explain:

    I am trying to manage my Windows 2003 Active Directory server with PHP installed on IIS, and modify users' passwords.

    I have read the thread with a lot of interest. And I've tried to enable SSL connections to my Active Directory and install a certificate. All looks OK: when I run ldp.exe and try to connect, it's OK. In my PHP, I can connect to ldap://mydomain, but I can't connect to ldaps://mydomain or ldap://mydomain,636.

    I really don't understand why; I've tested all kinds of things.

    Should I import the certificate in my IIS? I have tried that, but when I configure my IIS website to enable SSL on port 636, it gives me an error because the port is already used...

    I hope someone reads me and can help me.

    Thanks for your help.
