Modifying Active Directory passwords through PHP and IIS
February 26th, 2008, 08:10 AM
I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.

October 30th, 2008, 03:16 AM
I finally got this to work with the help of this thread. Especially the tutorial on setting up ldap over ssl helped me a lot. The final hurdle for me was that the method to convert the password string used in most examples here didn't work for me. Using mb_convert_encoding did the trick. So here's my complete source code:
PHP Code:
// $username, $oldpassword, $newpassword and $newpassword2 come from the
// change-password form (assumed to be POSTed; the form is not part of this post)
$username     = isset($_POST['username'])     ? $_POST['username']     : '';
$oldpassword  = isset($_POST['oldpassword'])  ? $_POST['oldpassword']  : '';
$newpassword  = isset($_POST['newpassword'])  ? $_POST['newpassword']  : '';
$newpassword2 = isset($_POST['newpassword2']) ? $_POST['newpassword2'] : '';

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);   // verbose client-side debugging
$ldapconn = ldap_connect('ldaps://127.0.0.1', 636);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldapuser = "ldapuser";
$ldappwd  = "*****";
$ldapdn   = "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example";
$basedn   = "CN=Users,DC=my,DC=company,DC=example";
// bind as the service account and search for the user
ldap_bind($ldapconn, $ldapdn, $ldappwd);
// escape the user-supplied name so it cannot alter the search filter (ldap_escape needs PHP 5.6+)
$filter = "sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$res_id = ldap_search($ldapconn, $basedn, $filter);
if ($res_id) {
    $entry_id = ldap_first_entry($ldapconn, $res_id);
    if ($entry_id) {
        $user_dn = ldap_get_dn($ldapconn, $entry_id);
        if ($user_dn) {
            // check if the old password allows a successful login; an empty password
            // would turn ldap_bind() into an anonymous bind, which must not count as a login
            $ldapbind = ($oldpassword !== '') && ldap_bind($ldapconn, $user_dn, $oldpassword);
            if ($ldapbind) {
                if (strcmp($newpassword, $newpassword2) == 0) {
                    // create the unicode password: AD wants the value in double quotes, encoded as UTF-16LE
                    $newpassword = "\"" . $newpassword . "\"";
                    $newPass = mb_convert_encoding($newpassword, "UTF-16LE", "UTF-8");
                    // rebind as the service account to change the password
                    ldap_bind($ldapconn, $ldapdn, $ldappwd);
                    $pwdarr = array('unicodePwd' => $newPass);
                    if (ldap_mod_replace($ldapconn, $user_dn, $pwdarr)) {
                        print "<p class='success'>Change password succeeded.</p>\n";
                    } else {
                        print "<p class='error'>Change password failed.</p>\n";
                    }
                } else {
                    print "<p class='error'>New password must be entered the same way twice.</p>\n";
                }
            } else {
                print "<p class='error'>Wrong user name or password.</p>\n";
            }
        } else {
            print "<p class='error'>Couldn't load user data.</p>\n";
        }
    } else {
        print "<p class='error'>Couldn't find user data.</p>\n";
    }
} else {
    print "<p class='error'>Username was not found.</p>\n";
}
if (ldap_error($ldapconn) != "Success") {
    print "<p class='error'>LDAP Error:<br />\n";
    var_dump(ldap_error($ldapconn));
    print "</p>\n";
}
@ldap_close($ldapconn);

July 9th, 2009, 01:00 PM
Need a helpin' hand
Hi Guys,
Here's my situation: I've finally got it to work to modify a user password with the AD administrator account through ldaps, but as the password is available in clear text in my PHP code, I'd like to get a workaround. Then,
binding with the user password supplied works fine, but trying to modify/replace the unicodePwd attribute just does not work and leaves me with this error message:
Code:
ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access
If you have any idea on how to figure out why, and how to succeed, here's my source code followed by my configuration:
PHP Code:
$uid = $user->name;                                    // $user and $user_cn come from the application's session (not shown)
$bindDn = "CN=$user_cn,OU=People,DC=xxxxx,DC=xxxx";
$bindPassword = $gen_pwd;                              // password supplied by the user
$baseDn = 'ou=people,dc=xxxx,dc=xxxxx';
$protocolVersion = 3;
$ldap = ldap_connect('ldaps://ad.myserver.com');
if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))
{
    exit('Failed to set protocol version to '.$protocolVersion);
}
// bind anonymously so that we can verify if the server really is running
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0)
{
    exit('Could not connect to eSG LDAP server');
}
// now bind with the correct username and password
ldap_bind($ldap, $bindDn, $bindPassword);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: '.ldap_error($ldap));
}
// escape the uid so it cannot change the meaning of the filter (ldap_escape needs PHP 5.6+)
$searchResults = ldap_search($ldap, $baseDn, 'uid='.ldap_escape($uid, '', LDAP_ESCAPE_FILTER));
// no matching records (false covers both the resource and the PHP 8.1+ LDAP\Result object case)
if ($searchResults === false)
{
    exit('No user found ');
}
/* create the unicode password
$newpassword = $newPassword;
$newpassword = "\"" . $newpassword . "\"";
$newPass = mb_convert_encoding($newpassword, "UTF-16LE");
*/
// password creation 2nd technique: quote the password, then widen every byte
// to UTF-16LE by appending a NUL (correct for ASCII passwords only)
$newPassword = "\"" . $newPassword . "\"";
$len = strlen($newPassword);
$newPassw = '';                                        // initialise before appending
for ($i = 0; $i < $len; $i++)
    $newPassw .= $newPassword[$i] . "\000";            // [$i]: the {$i} offset syntax was removed in PHP 8
$newPassword = $newPassw;
$userdata["unicodePwd"] = $newPassword;
$entry = ldap_first_entry($ldap, $searchResults);
if (!$entry)
{
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);
echo("<br>");
//ldap_modify($ldap, $userDn, array('unicodePwd' => $newPass));
//ldap_mod_replace($ldap, $userDn , array('unicodePwd' => $newPass));
ldap_mod_replace($ldap, $userDn, $userdata);
Windows Server 2003
Apache2/PHP 5.2
LDAPS is on
Thanks for your help.
Flo.
Quote (Originally Posted by Clockwatcher):
I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.
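The "Insufficient access" above is what AD returns when an account bound with its own credentials tries to replace unicodePwd outright; as the first post on this page notes, a self-service change has to delete the old value and add the new one in a single operation, and ldap_modify_batch() (PHP 5.4.26 / 5.5.10 and later) can express exactly that. Added example, not code from any post in this thread; it assumes an already opened LDAPS connection $ldap with protocol version 3, the user's DN in $userDn, and PHP 5.6+ for ldap_escape():

```php
<?php
// Added example, not from the thread. Assumes: $ldap is an LDAPS connection
// (protocol version 3) and PHP >= 5.6 (ldap_modify_batch, ldap_escape).

// Encode a password the way Active Directory's unicodePwd attribute expects:
// the plain text wrapped in double quotes, then UTF-16LE. Works for non-ASCII
// passwords too, unlike widening each byte with "\000".
function adUnicodePwd($plain)
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

// Administrative reset: the bound account needs the "Reset Password" right on
// the user object. A single replace of unicodePwd is all AD requires here.
function adResetPassword($ldap, $userDn, $newPlain)
{
    return ldap_mod_replace($ldap, $userDn, array('unicodePwd' => adUnicodePwd($newPlain)));
}

// Self-service change while bound as the user: AD accepts this only as one
// modify operation that removes the old value and adds the new one. A plain
// ldap_mod_replace() from the user's own bind fails with "Insufficient access".
function adChangeOwnPassword($ldap, $userDn, $oldPlain, $newPlain)
{
    $mods = array(
        array('attrib'  => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
              'values'  => array(adUnicodePwd($oldPlain))),
        array('attrib'  => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
              'values'  => array(adUnicodePwd($newPlain))),
    );
    return ldap_modify_batch($ldap, $userDn, $mods);
}

// Resolve a sAMAccountName to a DN. The value is escaped so that wildcard or
// filter characters typed into the login form cannot change the query.
function adFindUserDn($ldap, $baseDn, $sam)
{
    $filter = '(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . ')';
    $res    = ldap_search($ldap, $baseDn, $filter, array('dn'));
    $entry  = $res ? ldap_first_entry($ldap, $res) : false;
    return $entry ? ldap_get_dn($ldap, $entry) : false;
}
```

Both paths still need the session to be encrypted (LDAPS or STARTTLS), otherwise the DC refuses any unicodePwd write.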

April 1st, 2011, 07:27 AM
getting cert from ad to opensuse openssl
Hi all
Sorted, please ignore.
Many thanks
uTMY

April 27th, 2011, 01:57 AM
AD 2008 rc
I want to update the AD password through the web.
I'm using php + apache + openldap + openssl on a Red Hat distro.
My problem is I get this annoying message when I try to update the unicode attribute, really annoying as I have been stumbling for more than a week trying to solve this:
---> Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Server is unwilling to perform
In the php program:
1. I get connected with a secure AD connection (I'm using ldap_connect("ldaps://myad.com"); I also tried ldap_connect("ldap://myad.com", 389) with ldap_start_tls($conn), but it gives me the same unwilling).
2. I bind with the AD Administrator user to make sure the binding user has enough privileges to update other users' passwords.
3. The password is converted to the appropriate AD requirement -> unicode + base64
But I still get the 'unwilling'.
On the other hand, on the command line in the Linux console:
1. I can update the same user's password with the exact password (unicode + base64) successfully, giving me this output message:
modifying entry "CN=Userid,CN=Users,DC=com"
In my ldap.conf (in the default openldap compile installation path, /usr/local/etc/openldap/ldap.conf) are the following lines:
TLS_REQCERT never
TLS_CACERTDIR /usr/local/ssl/certs
TLS_CACERT /usr/local/ssl/certs/mycert.pem
Why is the web complaining 'unwilling'?
My current status is that technically I got the php program to update the user password, which is by calling the shell_exec function to execute the shell cmd. That works, but I don't really like my short-term solution and am looking for the clean technique for it.
Maybe those who have already done this successfully can guide me through.
Thanks in advance

April 27th, 2011, 03:03 AM
Hi
Apache needs the same directives as PHP in its user's home directory: same filename (ldap.conf), same contents regarding the cert etc.
The "unwilling ..." is still related to a non-secure connection. Took me ages to work it out.
rgds
Quote (Originally Posted by hiorie):
I want to update the AD password through the web.
I'm using php + apache + openldap + openssl on a Red Hat distro.
My problem is I get this annoying message when I try to update the unicode attribute, really annoying as I have been stumbling for more than a week trying to solve this:
---> Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Server is unwilling to perform
In the php program:
1. I get connected with a secure AD connection (I'm using ldap_connect("ldaps://myad.com"); I also tried ldap_connect("ldap://myad.com", 389) with ldap_start_tls($conn), but it gives me the same unwilling).
2. I bind with the AD Administrator user to make sure the binding user has enough privileges to update other users' passwords.
3. The password is converted to the appropriate AD requirement -> unicode + base64
But I still get the 'unwilling'.
On the other hand, on the command line in the Linux console:
1. I can update the same user's password with the exact password (unicode + base64) successfully, giving me this output message:
modifying entry "CN=Userid,CN=Users,DC=com"
In my ldap.conf (in the default openldap compile installation path, /usr/local/etc/openldap/ldap.conf) are the following lines:
TLS_REQCERT never
TLS_CACERTDIR /usr/local/ssl/certs
TLS_CACERT /usr/local/ssl/certs/mycert.pem
Why is the web complaining 'unwilling'?
My current status is that technically I got the php program to update the user password, which is by calling the shell_exec function to execute the shell cmd. That works, but I don't really like my short-term solution and am looking for the clean technique for it.
Maybe those who have already done this successfully can guide me through.
Thanks in advance

April 27th, 2011, 04:35 AM
Quote (Originally Posted by uTMY):
Hi
Apache needs the same directives as PHP in its user's home directory: same filename (ldap.conf), same contents regarding the cert etc.
The "unwilling ..." is still related to a non-secure connection. Took me ages to work it out.
rgds
Hi There,
"Apache needs the same directives as PHP in its user's home directory: same filename (ldap.conf), same contents regarding the cert etc."
My Apache is running as the 'daemon' user. Do you mean I need to put ldap.conf in daemon's home? By default Apache 2 doesn't create a home dir for the daemon user.
--> Do you mind explaining in more detail how you solved it?
Thanks in advance.

April 27th, 2011, 05:51 AM
I created this on OpenSuse so it may be different on Redhat.
/var/lib/wwwrun/.ldaprc
.ldaprc contains the same content as /etc/ldap.conf
wwwrun is the Apache user's home directory.
This was the final piece in my jigsaw to solve PHP updating passwords in AD DS and AD LDS.
rgds

April 27th, 2011, 09:42 PM
No Luck
Quote (Originally Posted by uTMY):
I created this on OpenSuse so it may be different on Redhat.
/var/lib/wwwrun/.ldaprc
.ldaprc contains the same content as /etc/ldap.conf
wwwrun is the Apache user's home directory.
This was the final piece in my jigsaw to solve PHP updating passwords in AD DS and AD LDS.
rgds
Thanks Bro for kindly sharing your experience, I was really excited to see your guide because it was the step I did not do.
But doing that, still no joy for me .... so irritating. What else have I missed, hmmmm.
But it seems only via the web I have the problem, because the cmd line works fine.
There is something wrong with my Apache and OpenLDAP.
Thanks Bro for the light!

April 28th, 2011, 02:35 AM
Did you check the rights on .ldaprc?
rgds

April 28th, 2011, 08:14 PM
Quote (Originally Posted by uTMY):
Did you check the rights on .ldaprc?
rgds
Yeah, I chmod'ed it to 755. Why do we need to put .ldaprc in the web root? It seems like Apache cannot read the ldap.conf in the OpenLDAP dir.
But when I remove the ldap.conf in the OpenLDAP dir, it seems ldap_connect does read from ldap.conf, because I get the 'Unable to connect' msg.
Thanks in advance.

April 29th, 2011, 02:45 AM
Quote (Originally Posted by hiorie):
Yeah, I chmod'ed it to 755. Why do we need to put .ldaprc in the web root? It seems like Apache cannot read the ldap.conf in the OpenLDAP dir.
But when I remove the ldap.conf in the OpenLDAP dir, it seems ldap_connect does read from ldap.conf, because I get the 'Unable to connect' msg.
Thanks in advance.
Yeah!!! I got it, Bro. Thanks a million for the clue. It was the .ldaprc ... but for me I needed to set SetEnv HOME <webrootpath> in my http.conf and VOILA ..
Dude, thanks a lot for this relief .. I owe you one good lunch.
Let this long forum thread (years of discussion) help others in future.
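What this part of the thread arrives at is that the Apache process must see the same TLS client settings that the command line tools read from ldap.conf, and that the TLS_REQCERT never line quoted above switches certificate checking off entirely. Added example, not code from the thread: it sets the same options from PHP itself (PHP 7.1+ for the LDAP_OPT_X_TLS_* options, ext/ldap built against OpenLDAP) with verification demanded, so the Apache user's HOME no longer matters, and it refuses to go on if the session is not encrypted; host, CA path and the AD_BIND_* variables are placeholders.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 (LDAP_OPT_X_TLS_*)
// with ext/ldap built against OpenLDAP. Host and CA path are placeholders.
$host   = 'ldaps://ad.example.com';
$caFile = '/etc/ssl/certs/ad-ca.pem';   // CA that issued the domain controller's certificate

// Equivalent of the thread's ldap.conf / .ldaprc lines, set from PHP instead.
// "TLS_REQCERT never" corresponds to LDAP_OPT_X_TLS_NEVER and accepts any
// certificate the DC (or anything in between) presents; demand verification.
// Global options take a null link and must be set before ldap_connect().
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ldap = ldap_connect($host);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// AD answers a unicodePwd modify over a clear-text session with error 53,
// "Server is unwilling to perform". With a plain ldap:// URL the session has
// to be upgraded with STARTTLS before the bind; with ldaps:// it is already
// encrypted. Either way, stop if TLS could not be established, since going
// on would send the bind password in the clear.
if (strpos($host, 'ldaps://') !== 0 && !ldap_start_tls($ldap)) {
    exit('TLS could not be established: ' . ldap_error($ldap));
}

// Bind as the account used for resets; credentials are assumed to come from
// the environment or a config file outside the web root, not from the script.
if (!ldap_bind($ldap, getenv('AD_BIND_DN'), getenv('AD_BIND_PW'))) {
    exit('Bind failed: ' . ldap_error($ldap));
}
// ... ldap_mod_replace($ldap, $userDn, array('unicodePwd' => $encoded)) as in the earlier posts
ldap_unbind($ldap);
```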

April 29th, 2011, 06:57 AM
Unless you are in the UK it's gonna be hard to collect on a lunch, but you are more than welcome for the pointer. Glad it helped; it certainly had me scratching my head for a few days.
rgds

April 29th, 2011, 10:59 AM
online lunch
Quote (Originally Posted by uTMY):
Unless you are in the UK it's gonna be hard to collect on a lunch, but you are more than welcome for the pointer. Glad it helped; it certainly had me scratching my head for a few days.
rgds
Haha ... far far away ... but today maybe you already had a great lunch, huh bro .... celebrating the new Princess of Britain.
Surely your hint did help me a lot and I'm sure it will help others too, because googling gave me lots of unsolved AD php password update discussions. Some gave up and used perl and other languages.
See ya dude, have a nice day.

October 26th, 2011, 03:18 PM
Hi,
Firstly, excuse my poor English...
I have the same problem as the first post of this thread, I explain:
I try to manage my Windows 2003 Active Directory server with PHP installed on IIS, and modify users' passwords.
I have read the thread with a lot of interest. And I've tried to enable SSL connections to my Active Directory, and install the certificate. All looks OK; when I run ldp.exe and try to connect it's ok. In my PHP, I can connect to ldap://mydomain, but I can't connect to ldaps://mydomain or ldap://mydomain,636.
I really don't understand why; I've tested all kinds of things.
Should I have to import the certificate in my IIS? I have tried that, but when I configure my IIS website to enable SSL on port 636, it gives me an error because the port is already used...
I hope someone reads me and can help me.
Thanks for your help.