    #46
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    An Active Directory server is a domain controller running Windows 2000 Server or greater. Windows XP is not a server operating system and therefore cannot serve an Active Directory domain structure.

    As an MCSE, I can help you set up Active Directory if you have a machine running Windows 2000 Server...
  2. #47
  3. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Hmm, in that case maybe my sysadmin at work could help me out. I'm on a Windows network, I do believe running Windows 2003 Server. Would that work?
  4. #48
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    Yes, Windows Server 2003 will run Active Directory, except Web Edition (but of course, it can be a member of an Active Directory domain). All other editions (Standard, Enterprise, SBS) will run it.

    I doubt any system administrator will allow an employee to toy with the Active Directory infrastructure. It's a big deal. You can get an evaluation version of Windows Server 2003 from Microsoft for free (download), though.

    As I mentioned, I will be glad to help you with Active Directory (email, messenger), but I think we should keep it out of this thread since it will be off topic...
    Last edited by MatthewClark; June 21st, 2004 at 11:09 AM.
  6. #49
  7. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    OK, I just got the info I need to connect to it. I of course can only edit my own info and a test account, but it should be useful enough.

    Originally Posted by matthewclark
    I doubt any system administrator will allow an employee to toy with the Active Directory infrastructure.
    Normally no, but I work with the guy; we are friends. I'm the programmer, he's the admin, so we work on different things when needed.

    I'll let you know if I find anything out.
  8. #50
  9. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    I think the only problem we have is encoding the password correctly. We have done EVERYTHING ELSE correctly (certificates, ports, etc). I wonder if this will work:

    PHP Code:
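    // Wrap the password in double quotes, as unicodePwd requires
    $newPassword = "MyPassword";
    $newPassword = "\"" . $newPassword . "\"";
    $len = strlen($newPassword);

    // Append a null byte after each character of the quoted password
    $newPassw = "";
    for ($i = 0; $i < $len; $i++)
    {
        $newPassw .= "{$newPassword[$i]}\000";
    }

    $userdata["unicodepwd"] = $newPassw;

    // $ad is the bound LDAP connection, $userDn the DN of the target user
    $result = ldap_mod_replace($ad, $userDn, $userdata);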
    I will try it after work unless someone else tries it first...
  10. #51
  11. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Originally Posted by MatthewClark
    I think the only problem we have is encoding the password correctly.
    Exactly what I'll be trying out.
  12. #52
  13. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    Here's a little more info, in case it helps anyone:

    The syntax of the unicodePwd attribute is octet-string; however, the directory service expects that the octet-string will contain a UNICODE string (as the name of the attribute indicates). This means that any values for this attribute passed in LDAP must be UNICODE strings that are BER-encoded (Basic Encoding Rules) as an octet-string. In addition, the UNICODE string must begin and end in quotes that are not part of the desired password.

    There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

    The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was.

    It would be easier to use the second method, so when you are playing with this make sure the user you are using to open the LDAP connection is a member of the Administrators, Domain Admins, or Schema Admins group.
    Last edited by MatthewClark; June 21st, 2004 at 11:59 AM.
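
The two modify requests described in the post above, as an added example that is not part of the thread or anyone's posted code: it builds the quoted UTF-16LE value for unicodePwd and the operation lists for a user change (delete plus add) and an administrator reset (single replace), and it goes beyond the ASCII-only case by handling non-ASCII passwords. It assumes PHP 7 or later with the mbstring and ldap extensions; the function names and sample passwords are constructed for illustration, and `$ad` / `$userDn` stand for the connection and DN used in the thread's own snippet.

```php
<?php
// Added example, not code from the thread. Sample passwords are constructed.

/** Quote the password and encode it as UTF-16LE, the form unicodePwd expects. */
function encodeUnicodePwd(string $password): string
{
    // Assumes $password is UTF-8. mb_convert_encoding also handles non-ASCII
    // characters, which a loop appending "\0" after every byte does not.
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** "User change password": one modify request holding a delete and an add. */
function buildChangeRequest(string $old, string $new): array
{
    return [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($new)]],
    ];
}

/** "Administrator reset": a single replace operation. */
function buildResetRequest(string $new): array
{
    return [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REPLACE,
         'values' => [encodeUnicodePwd($new)]],
    ];
}

// Inspect the encoded bytes offline before sending anything to a server.
echo bin2hex(encodeUnicodePwd('Ab1')), "\n";
echo bin2hex(encodeUnicodePwd('é')), "\n";

$change = buildChangeRequest('OldSample1!', 'NewSample2!');
$reset  = buildResetRequest('NewSample2!');
printf("change: %d operations, reset: %d operation\n", count($change), count($reset));

// With a bound connection $ad and target DN $userDn (as in the thread's snippet):
// ldap_modify_batch($ad, $userDn, $change);   // user changing own password
// ldap_modify_batch($ad, $userDn, $reset);    // reset by a privileged account
```

The hex output can be compared against the stringconverter tool mentioned in the next post.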
  14. #53
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    Oh, this tool may be useful in checking your work. Usage: stringconverter \"New_Password\" /encode /unicode
    Attached Files
  16. #54
  17. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    I sent an email to someone who posted on PHP.net on how to write to the unicodePwd (which I posted here Modifying Active Directory passwords through PHP and IIS), asking if it really worked. Anyway, here's the email:

    Matthew Clark wrote:

    > Hi! I am a PHP developer, and one thing that has a LOT of people
    > stumped is modifying the unicodePwd field in Active Directory.
    > There's a huge thread going on DevShed:
    > http://forums.devshed.com/showthread.php?p=685700
    >
    > Anyway, you posted a potential solution on PHP.net:
    > http://www.php.net/manual/en/function.ldap-mod-replace.php, and what I
    > wanted to ask was does it work? Yeah, I suppose that's a stupid
    > question, but I am at work right now and can't play with it until
    > later, so I figured I'd just ask.

    Hi!

    Yes it does work but I must admit I had to search a lot to find a solution as the information given on the msdn site concerning the encoding seems false... quite strange...

    > All of us who are participating in the thread above have tried all
    > sorts of things, but no dice. I think we have everything correct
    > except the encoding, which seems to be a mystery.

    Yes that was also the main problem I had... Luckily, the solution I posted on php.net works perfectly for me.

    > Join the thread if you can! Or at least reply with your thoughts...

    I'll try to join the thread tomorrow and see if I can give additional help on this problem.

    Frédéric Jacquot

  18. #55
  19. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    I've been trying that, don't think I have the permission level. Let's see if I can get a test account with higher access.
  20. #56
  21. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    I will try it here pretty soon, and will report my results...
  22. #57
  23. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    How are you logging into LDAP? With SSL, right? What exactly are you using? Because right now I think that's my problem: if I try port 636 it doesn't connect (with PHP, but with ldapAdmin it connects fine). Is there a certificate I have to add?
  24. #58
  25. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    I hope this is what you mean...

    PHP Code:
     
    // Connect to the Global Catalog server; the second argument is the port
    $connection = ldap_connect('ldap://united-rs1.divergent-systems.local/', 3269) or die('<pre>Unable to connect to the Active Directory</pre>');

    // Use LDAP protocol version 3
    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('<pre>Unable to set LDAP Protocol version</pre>');

    // Bind with a user principal name and password
    $binding = ldap_bind($connection, 'php.admin@divergent-systems.local', 'MyPassword') or die('<pre>Unable to bind to Active Directory</pre>');
    I use TCP port 3269 because it is a Global Catalog server.
  26. #59
  27. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    San Angelo, Texas (USA)
    Posts
    286
    Rep Power
    13
    But I don't use "LDAPS://". If I do, I am unable to connect.

    I do, however, specify the port number...
  28. #60
  29. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Huh, interesting: if I don't put ldap:// before it, it can't even find the server on that port, but once I do I can bind on ANY port, which is odd, but at least I can bind on those ports.

    Ya ldaps:// doesn't work here either
    Last edited by Viper_SB; June 21st, 2004 at 05:54 PM.