Modifying Active Directory passwords through PHP and IIS
Dev Shed Forums > Databases > LDAP Programming (thread page with posts #151 to #165)

Post #151 by Clockwatcher, February 26th, 2008, 08:10 AM
I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.

Post #152 by hd42, October 30th, 2008, 03:16 AM
I finally got this to work with the help of this thread. Especially the tutorial on setting up LDAP over SSL helped me a lot. The final hurdle for me was that the method to convert the password string used in most examples here didn't work for me. Using mb_convert_encoding did the trick. So here's my complete source code:
PHP Code:
<?php
// Debug level 7 makes the OpenLDAP client library log every request; leave it out in production.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

$ldapconn = ldap_connect('ldaps://127.0.0.1', 636);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

// service account used to look the user up and to write the new password
$ldapuser = "ldapuser";
$ldappwd  = "*****";

// $username, $oldpassword, $newpassword and $newpassword2 come from the submitted form.
// An empty old password has to be rejected up front: ldap_bind() with an empty password
// is an anonymous bind, which succeeds and would let the old-password check below pass.
if ($oldpassword === '' || $newpassword === '') {
    exit("<p class='error'>Password must not be empty.</p>\n");
}

// search for user
ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);

// ldap_escape() (PHP 5.6+) keeps a crafted user name from altering the search filter
$filter = "sAMAccountName=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER);
$res_id = ldap_search($ldapconn, "CN=Users,DC=my,DC=company,DC=example", $filter);
if ($res_id) {
    $entry_id = ldap_first_entry($ldapconn, $res_id);
    if ($entry_id) {
        $user_dn = ldap_get_dn($ldapconn, $entry_id);
        if ($user_dn) {
            // check if the old password allows a successful login
            $ldapbind = ldap_bind($ldapconn, $user_dn, $oldpassword);
            if ($ldapbind) {
                if (strcmp($newpassword, $newpassword2) == 0) {
                    // create the unicode password: the new password in double quotes, UTF-16LE encoded
                    $newpassword = "\"" . $newpassword . "\"";
                    $newPass = mb_convert_encoding($newpassword, "UTF-16LE", "UTF-8");

                    // rebind as admin to change the password
                    ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);

                    $pwdarr = array('unicodePwd' => $newPass);
                    if (ldap_mod_replace($ldapconn, $user_dn, $pwdarr)) {
                        print "<p class='success'>Change password succeeded.</p>\n";
                    } else {
                        print "<p class='error'>Change password failed.</p>\n";
                    }
                } else {
                    print "<p class='error'>New password must be entered the same way twice.</p>\n";
                }
            } else {
                print "<p class='error'>Wrong user name or password.</p>\n";
            }
        } else {
            print "<p class='error'>Couldn't load user data.</p>\n";
        }
    } else {
        print "<p class='error'>Couldn't find user data.</p>\n";
    }
} else {
    print "<p class='error'>Username was not found.</p>\n";
}
if (ldap_error($ldapconn) != "Success") {
    print "<p class='error'>LDAP Error:<br />\n";
    var_dump(ldap_error($ldapconn));
    print "</p>\n";
}
@ldap_close($ldapconn);

Post #153 by fleduc, July 9th, 2009, 01:00 PM
Need a helping hand

Hi Guys,

Here's my situation: I've finally got modifying a user password with the AD administrator account through LDAPS to work, but as the password is available in clear text in my PHP code, I'd like to find a workaround. So,

binding with the user-supplied password works fine, but trying to modify/replace the unicodePwd attribute just does not work and leaves me with this error message:

Code:
ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access


If you have any idea how to figure out why, and how to succeed, here's my source code, followed by my configuration:

PHP Code:
<?php
$uid = $user->name;
$bindDn = "CN=$user_cn,OU=People,DC=xxxxx,DC=xxxx";
$bindPassword = $gen_pwd;
$baseDn = 'ou=people,dc=xxxx,dc=xxxxx';
$protocolVersion = 3;

$ldap = ldap_connect('ldaps://ad.myserver.com');
if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion)) {
    exit('Failed to set protocol version to ' . $protocolVersion);
}

// bind anonymously so that we can verify if the server really is running
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0) {
    exit('Could not connect to eSG LDAP server');
}

// now bind with the correct username and password
ldap_bind($ldap, $bindDn, $bindPassword);
if (ldap_errno($ldap) !== 0) {
    exit('ERROR: ' . ldap_error($ldap));
}

$searchResults = ldap_search($ldap, $baseDn, 'uid=' . $uid);
// no matching records
if ($searchResults === false) {
    exit('No user found ');
}
// note: on PHP 8.1+ ldap_search() returns an LDAP\Result object, not a resource
if (!is_resource($searchResults)) {
    exit('Error in search results.');
}

/* create the unicode password
$newpassword = $newPassword;
$newpassword = "\"" . $newpassword . "\"";
$newPass = mb_convert_encoding($newpassword, "UTF-16LE");
*/

// password creation 2nd technique: quote the password, then follow every byte with a
// NUL byte (a hand-rolled UTF-16LE that is only correct for ASCII passwords)
$newPassword = "\"" . $newPassword . "\"";
$len = strlen($newPassword);
$newPassw = '';
for ($i = 0; $i < $len; $i++) {
    $newPassw .= "{$newPassword[$i]}\000";
}
$newPassword = $newPassw;
$userdata["unicodePwd"] = $newPassword;

$entry = ldap_first_entry($ldap, $searchResults);
if (!is_resource($entry)) {
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);
echo("<br>");

//ldap_modify($ldap, $userDn, array('unicodePwd' => $newPass));
//ldap_mod_replace($ldap, $userDn, array('unicodePwd' => $newPass));
ldap_mod_replace($ldap, $userDn, $userdata);


Windows server 2003
Apache2/PHP 5.2
LDAPS is on

Thanks for your help.

Flo.

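A worked example added by the editor, not code from the original posts: the single-operation change Clockwatcher describes in #151 (delete the old unicodePwd value and add the new one in one modify request) can be done from PHP with ldap_modify_batch(), available since PHP 5.4.26/5.5.10. It also addresses fleduc's #153: binding as the user and calling ldap_mod_replace() needs the reset-password right and fails with "Insufficient access", whereas the delete+add form is what AD permits the account owner to do, so no administrator password has to live in the script. The DC host, base DN, UPN form and the form field names are assumptions; the encoding helper is the mb_convert_encoding approach from post #152 with the source encoding stated explicitly. The block assumes PHP 7.1 or later and a client that trusts the CA of the domain controller's certificate.

```php
<?php
// Added example (editor's code, not from the thread). Self-service AD password
// change: the user binds with their own credentials and sends ONE modify request
// that deletes the old unicodePwd value and adds the new one. No admin password.
// Assumptions: PHP >= 7.1, DC host / base DN / UPN suffix are placeholders, and the
// client trust store contains the CA of the DC certificate.
declare(strict_types=1);

/** unicodePwd value: the password in double quotes, UTF-16LE. No base64 here;
 *  base64 is only the LDIF transport encoding used by ldapmodify files. */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** AD puts the useful detail (which policy rule rejected a password, why a bind
 *  failed) in the diagnostic message rather than in the result-code text. */
function adDiagnostic($ldap): string
{
    $msg = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg);
    return ($msg !== null && $msg !== '') ? ' (' . $msg . ')' : '';
}

/**
 * Change the password of the account $upn (user@domain) by binding as that account.
 * Returns true on success; on failure $error holds the server's explanation.
 */
function changeOwnPassword(string $dcHost, string $baseDn, string $upn,
                           string $oldPassword, string $newPassword, ?string &$error = null): bool
{
    // ldap_bind() with an empty password is an anonymous bind that SUCCEEDS; without
    // this check an attacker could "prove" the old password by sending none.
    if ($oldPassword === '' || $newPassword === '') {
        $error = 'passwords must not be empty';
        return false;
    }
    // Never send a password over a session whose server certificate was not verified.
    // This overrides a permissive TLS_REQCERT in ldap.conf; if the CA is not trusted
    // the connect fails, which is the safe outcome.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect('ldaps://' . $dcHost . ':636');
    if ($ldap === false) {
        $error = 'invalid LDAP URI';
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // AD accepts a user principal name as the simple-bind name, so the DN does not
    // have to be looked up with a privileged account first. A failed bind here means
    // wrong old password, locked or expired account, and nothing has been touched.
    if (!@ldap_bind($ldap, $upn, $oldPassword)) {
        $error = 'bind failed: ' . ldap_error($ldap) . adDiagnostic($ldap);
        ldap_unbind($ldap);
        return false;
    }

    // Users can read their own entry; find its DN. ldap_escape() stops filter injection
    // through the user-supplied name. '1.1' (RFC 4511) asks for no attributes.
    $filter  = '(userPrincipalName=' . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ldap, $baseDn, $filter, ['1.1']);
    $entries = $result !== false ? ldap_get_entries($ldap, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        $error = 'account lookup failed';
        ldap_unbind($ldap);
        return false;
    }
    $dn = $entries[0]['dn'];

    // One LDAP ModifyRequest carrying two changes. AD verifies that the deleted value
    // matches the current password and enforces the password policy on the added one.
    // A plain ldap_mod_replace() here fails with "Insufficient access": replace is a
    // reset, and only accounts holding the reset-password right may do that.
    $ok = ldap_modify_batch($ldap, $dn, [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($newPassword)]],
    ]);
    if (!$ok) {
        $error = 'modify failed: ' . ldap_error($ldap) . adDiagnostic($ldap);
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage from a form handler (host, base DN and field names are assumptions):
// $ok = changeOwnPassword('dc01.my.company.example', 'DC=my,DC=company,DC=example',
//                         $_POST['upn'], $_POST['old_password'], $_POST['new_password'], $err);
```

Because the old value is checked by the domain controller as part of the same request, the script never needs a privileged bind, and the minimum-password-age, history and complexity rules are applied by AD exactly as they are for a change made from the Windows logon screen.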
Post #154 by uTMY, April 1st, 2011, 07:27 AM
getting cert from ad to opensuse openssl

Hi all

sorted, please ignore

Many thanks
uTMY

Post #155 by hiorie, April 27th, 2011, 01:57 AM
AD 2008 rc

I want to update AD passwords through the web.

I'm using PHP + Apache + OpenLDAP + OpenSSL on a Red Hat distro.

My problem is I get this annoying message when I try to update the unicode attribute; really annoying, as I have been stumbling for more than a week trying to solve this:
---> Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Server is unwilling to perform

In the PHP program:
1. I get a secure AD connection (I'm using ldap_connect("ldaps://myad.com"); I also tried ldap_connect("ldap://myad.com", 389) with ldap_start_tls($conn), but it gives me the same 'unwilling').
2. I bind with the AD Administrator user to make sure the binding user has enough privileges to update other users' passwords.
3. The password is converted to the appropriate AD requirement -> unicode + base64.

But still I get the 'unwilling'.

The other way, from the command line in the Linux console:
1. I can update the same user's password with the exact same password (unicode + base64) successfully, giving me this output message:
modifying entry "CN=Userid,CN=Users,DC=com"

In my ldap.conf (in the default OpenLDAP compile installation path, /usr/local/etc/openldap/ldap.conf) I have the following lines:

TLS_REQCERT never
TLS_CACERTDIR /usr/local/ssl/certs
TLS_CACERT /usr/local/ssl/certs/mycert.pem

Why does the web complain with 'unwilling'?

My current status is that technically I got the PHP program to update the user password, by calling the shell_exec function to execute the shell command. That works, but I don't really like my short-term solution and am looking for the clean technique for it.

Maybe those who have already done this successfully can guide me through.

Thanks in advance

Post #156 by uTMY, April 27th, 2011, 03:03 AM
Hi

Apache needs the same directives as PHP in its user's home directory: same filename (ldap.conf), same contents regarding the cert etc.

The "unwilling ..." is still related to a non-secure connection. Took me ages to work it out.

rgds


Post #157 by hiorie, April 27th, 2011, 04:35 AM

Hi There,

"Apache needs the same directives as PHP in its users home directory, same filename (ldap.conf) same contents regarding the cert etc."

My Apache is running as the 'daemon' user. Do you mean I need to put ldap.conf in daemon's home? By default Apache 2 doesn't create a home dir for the daemon user.

--> Would you mind explaining in more detail how you solved it?

Thanks in advance.

Post #158 by uTMY, April 27th, 2011, 05:51 AM
I created this on OpenSuse so it may be different on Redhat.

/var/lib/wwwrun/.ldaprc

.ldaprc contains the same content as /etc/ldap.conf

wwwrun is the Apache user's home directory.

This was the final piece in my jigsaw to solve PHP updating passwords in AD DS and AD LDS.

rgds

Post #159 by hiorie, April 27th, 2011, 09:42 PM
No Luck


Thanks, bro, for kindly sharing your experience; I was really excited to see your guide because it was the step I did not do.

But after doing that, still no joy for me... so irritating. What else have I missed, hmmm.

But it seems I only have the problem via the web, because the command line works fine.
There is something wrong with my Apache and OpenLDAP.

Thanks, bro, for the light!

Post #160 by uTMY, April 28th, 2011, 02:35 AM
Did you check the rights on .ldaprc?
rgds

Post #161 by hiorie, April 28th, 2011, 08:14 PM

Yeah, I chmod'ed it to 755. Why do we need to put .ldaprc in the web root? It seems like Apache cannot read the ldap.conf in the OpenLDAP dir.

But when I remove the ldap.conf in the OpenLDAP dir, it seems ldap_connect does read from ldap.conf, because I get the 'Unable to connect' message.

thanks in advance.

Post #162 by hiorie, April 29th, 2011, 02:45 AM

Yeah!!! I got it, bro. Thanks a million for the clue. It was the .ldaprc... but for me I needed to set SetEnv HOME <webrootpath> in my httpd.conf, and voilà.

Dude, thanks a lot for this relief... I owe you one good lunch.

Let this long forum thread (years of discussion) help others in the future.

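An example added by the editor (not code from the posts): posts #155 to #162 trace "Server is unwilling to perform" on the unicodePwd write back to the Apache process never finding the OpenLDAP client configuration (ldap.conf or ~/.ldaprc), so the CA and certificate-checking directives did not apply and AD refused the password write over what it saw as an unprotected session; the fix found in the thread is a .ldaprc under a $HOME set with SetEnv. The same trust settings can be made from PHP 7.1+ with the LDAP_OPT_X_TLS_* options, which removes the dependency on $HOME, on the web root and on file permissions of the web server user, and a rootDSE probe makes a certificate problem fail at connect time with the TLS error text instead of later as "unwilling". The CA bundle path, DC host, service account DN and the delegated "Reset password" right are assumptions. Note also that the base64 step mentioned in #155 is only the LDIF encoding ldapmodify files use; through the PHP API the raw UTF-16LE value is sent.

```php
<?php
// Added example (editor's code, not from the thread). Configure the OpenLDAP client
// trust store from PHP instead of relying on ldap.conf / ~/.ldaprc being found by
// the Apache user, probe the LDAPS handshake, then reset a password with a
// least-privilege service account. PHP >= 7.1; paths, host and DNs are placeholders.
declare(strict_types=1);

/** AD's explanation for a failure lives in the diagnostic message. */
function adErrorText($ldap): string
{
    $msg = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg);
    return ($msg !== null && $msg !== '') ? ' (' . $msg . ')' : '';
}

/**
 * Open an LDAPS connection whose server certificate MUST chain to $caFile.
 * Returns the connection, or null with $error describing the failure.
 */
function connectLdapsVerified(string $dcHost, string $caFile, ?string &$error = null)
{
    if (!is_readable($caFile)) {
        // The thread's failure mode: the file the client was supposed to trust was
        // never read. Fail loudly instead of silently continuing unverified.
        $error = "CA bundle not readable by the web server user: $caFile";
        return null;
    }
    // Global (connection-less) TLS settings, set before ldap_connect(). They replace
    // TLS_CACERT and TLS_REQCERT in ldap.conf; "demand" aborts the session on a
    // missing or invalid certificate. "never" (TLS_REQCERT never in post #155)
    // disables checking entirely and lets an impostor DC receive the credentials.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect('ldaps://' . $dcHost . ':636');
    if ($ldap === false) {
        $error = 'invalid LDAP URI';
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // ldap_connect() does not open the socket; the TLS handshake happens on the first
    // request. Reading the rootDSE (permitted anonymously on AD) performs it now, so a
    // trust problem shows up here with the TLS error text rather than later as a
    // puzzling "unwilling to perform" on the password write.
    $result = @ldap_read($ldap, '', '(objectClass=*)', ['defaultNamingContext']);
    if ($result === false) {
        $error = 'LDAPS handshake / rootDSE read failed: ' . ldap_error($ldap) . adErrorText($ldap);
        return null;
    }
    return $ldap;
}

/**
 * Administrative reset of $userDn's password over the verified connection, using a
 * service account that only has the "Reset password" right delegated on the users'
 * OU rather than the Domain Administrator account used in the thread.
 */
function resetPasswordAsService($ldap, string $serviceDn, string $servicePassword,
                                string $userDn, string $newPassword, ?string &$error = null): bool
{
    if ($servicePassword === '' || !@ldap_bind($ldap, $serviceDn, $servicePassword)) {
        $error = 'service bind failed: ' . ldap_error($ldap) . adErrorText($ldap);
        return false;
    }
    // Quoted password, UTF-16LE, no base64 (base64 belongs only in LDIF files).
    $value = mb_convert_encoding('"' . $newPassword . '"', 'UTF-16LE', 'UTF-8');
    $ok = ldap_mod_replace($ldap, $userDn, ['unicodePwd' => $value]);
    if (!$ok) {
        // Over a verified LDAPS session a remaining "unwilling to perform" almost
        // always means the domain password policy (length, complexity, history)
        // rejected the new value; the diagnostic text says which.
        $error = 'reset failed: ' . ldap_error($ldap) . adErrorText($ldap);
    }
    return $ok;
}

// Usage (all values are placeholders):
// $ldap = connectLdapsVerified('dc01.my.company.example', '/etc/pki/tls/certs/ad-root-ca.pem', $err);
// if ($ldap !== null) {
//     $ok = resetPasswordAsService($ldap, 'CN=svc-pwreset,OU=Service Accounts,DC=my,DC=company,DC=example',
//                                  $servicePw, $userDn, $newPassword, $err);
//     ldap_unbind($ldap);
// }
```

Setting the options in code also makes the web tier's behaviour independent of which user Apache runs as and of whether that user has a home directory at all, which is exactly the variable the thread spent several posts chasing.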
Post #163 by uTMY, April 29th, 2011, 06:57 AM
Unless you are in the UK it's going to be hard to collect on a lunch, but you are more than welcome for the pointer; glad it helped, it certainly had me scratching my head for a few days.

rgds

Post #164 by hiorie, April 29th, 2011, 10:59 AM
online lunch


Haha... far, far away... but today maybe you already had a great lunch, huh bro... celebrating the new Princess of Britain.

Surely your hint did help me a lot, and I'm sure it will help others too, because googling gives me lots of unsolved discussions of AD password updates from PHP. Some give up and use Perl or other languages.

See ya, dude. Have a nice day.

Post #165 by ArtMent, October 26th, 2011, 03:18 PM
Hi,

Firstly, excuse my poor English...

I have the same problem as the first post of this thread. Let me explain:

I am trying to manage my Windows 2003 Active Directory server with PHP installed on IIS, and modify users' passwords.

I have read the thread with a lot of interest, and I've tried to enable SSL connections to my Active Directory and install a certificate. All looks OK: when I run ldp.exe and try to connect, it's OK. In my PHP, I can connect to ldap://mydomain, but I can't connect to ldaps://mydomain or ldap://mydomain, 636.

I really don't understand why; I've tested all kinds of things.

Should I have to import the certificate into my IIS? I have tried that, but when I configure my IIS website to enable SSL on port 636, it gives me an error because the port is already in use...

I hope someone reads me and can help me.

Thanks for your help.
