Page 11 - Modifying Active Directory passwords through PHP and IIS

Dev Shed Forums Sponsor:

#151

February 26th, 2008, 09:10 AM

Clockwatcher

Registered User

Join Date: Jan 2008

Posts: 2

Time spent in forums: 1 h 27 m 27 sec
Reputation Power: 0

I got it done finally, but it is not possible with PHP as far as I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.

#152

October 30th, 2008, 04:16 AM

hd42

Registered User

Join Date: Oct 2008

Posts: 1

Time spent in forums: 11 m 10 sec
Reputation Power: 0

I finally got this to work with the help of this thread. Especially the tutorial on setting up ladp over ssl helped me a lot. The final hurdle for me was that the method to convert the password string used in most examples here didn't work for me. Using mb_convert_encoding did the trick. So here's my complete source code:

PHP Code:


		
			
 ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

      $ldapconn = ldap_connect('ldaps://127.0.0.1', 636);

      ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

      ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); 

      $ldapuser="ldapuser";

      $ldappwd="*****";

      

      // search for user

      ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);

      

      $res_id = ldap_search( $ldapconn, "CN=Users,DC=my,DC=company,DC=example", "sAMAccountName=$username");

      if ($res_id) {

        $entry_id = ldap_first_entry($ldapconn, $res_id);

        if($entry_id){

          $user_dn = ldap_get_dn($ldapconn, $entry_id);

          if ($user_dn) {

            $ldapbind = ldap_bind($ldapconn, $user_dn, $oldpassword);

            // check if the old password allows a successfull login

            if($ldapbind) {

              if(strcmp($newpassword, $newpassword2)==0){ 

                

                // create the unicode password

                $newpassword = "\"" . $newpassword . "\"";

                $newPass = mb_convert_encoding($newpassword, "UTF-16LE");

                

                //rebind as admin to change the password

                ldap_bind($ldapconn, "CN=$ldapuser,CN=Users,DC=my,DC=company,DC=example", $ldappwd);

                

                $pwdarr = array('unicodePwd' => $newPass);

                if(ldap_mod_replace ($ldapconn, $user_dn, $pwdarr)) { 

                  print "<p class='success'>Change password succeded.</p>\n"; 

                } else { 

                  print "<p class='error'>Change password failed.</p>\n";

                }

              }else{

                print "<p class='error'>New password must be entered the same way twice.</p>\n";

              }

            }else{

              print "<p class='error'>Wrong user name or password.</p>\n";

            }

          } else {

              print "<p class='error'>Couldn't load user data.</p>\n";

          }

        } else {

            print "<p class='error'>Couldn't find user data.</p>\n";

        }

      } else {

          print "<p class='error'>Username was not found.</p>\n";

      }

      if(ldap_error($ldapconn)!="Success"){

        print "<p class='error'>LDAP Error:<br />\n";

        var_dump(ldap_error($ldapconn));

        print "</p>\n";

      }

      @ldap_close($ldapconn);

#153

July 9th, 2009, 02:00 PM

fleduc

Registered User

Join Date: Jul 2009

Posts: 1

Time spent in forums: 24 m 10 sec
Reputation Power: 0

Need an helpin' hand

Hi Guys,

here's my situation, i've finally got to work to modify a user password with AD administrator account thru ldaps, but as the password is available in clear text in my PHP code, i'd like to get a workaround. Then,

binding with the user password supplied works fine, but trying to modify/replace unicodePwd attribute just does not work and let me with this error message:

Code:

ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access

if you have any idea on how to figure out why, and how to succeed, here's my source code followed by my configuration:

PHP Code:


		
			
 $uid = $user->name;

$bindDn="CN=$user_cn,OU=People,DC=xxxxx,DC=xxxx";

$bindPassword = $gen_pwd;

$baseDn = 'ou=people,dc=xxxx,dc=xxxxx';

$protocolVersion = 3;



$ldap = ldap_connect('ldaps://ad.myserver.com');

ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))

{

    exit('Failed to set protocol version to '.$protocolVersion);

    }

    // bind anonymously so that we can verify if the server really is running

    ldap_bind($ldap);

    if (ldap_errno($ldap) !== 0)

    {

        exit('Could not connect to eSG LDAP server');

    }



// now bind with the correct username and password



ldap_bind($ldap, $bindDn, $bindPassword);

if (ldap_errno($ldap) !== 0)

{

    exit('ERROR: '.ldap_error($ldap));

    }



    $searchResults = ldap_search($ldap, $baseDn, 'uid='. $uid);

    // no matching records

    if ($searchResults === false)

    {

        exit('No user found ');

    }



    if (!is_resource($searchResults))

    {

        exit('Error in search results.');

        }



        /* create the unicode password

            $newpassword = $newPassword;    

        $newpassword = "\"" . $newpassword . "\"";

                $newPass = mb_convert_encoding($newpassword, "UTF-16LE");

            */



        // password creation 2nd technique

                           

               $newPassword = "\"" . $newPassword . "\""; 

               $len = strlen($newPassword); 

               for ($i = 0; $i < $len; $i++) 

               $newPassw .= "{$newPassword{$i}}\000"; 

               $newPassword = $newPassw; 

              $userdata["unicodePwd"] = $newPassword; 



    $entry = ldap_first_entry($ldap, $searchResults);

    if (!is_resource($entry))

    {

        exit('Couldn\'t get entry');

    }

    $userDn = ldap_get_dn($ldap, $entry);

        echo("<br>");

    

       //ldap_modify($ldap, $userDn, array('unicodePwd' => $newPass));  

       //ldap_mod_replace($ldap, $userDn , array('unicodePwd' => $newPass));  

       ldap_mod_replace($ldap, $userDn , $userdata);

Windows server 2003
Apache2/PHP 5.2
LDAPS is on

Thanks for you help.

Flo.

Quote:

Originally Posted by Clockwatcher

I got it done finally, but it is not possible with PHP as fars I can tell. The reason it is not possible is because in order for just a user (not an administrator) to modify their password, they must delete the old password and give the new password in a single step. This isn't possible with PHP, but I did it easily with perl.

Page 11 of 11

« First

Viewing: Dev Shed Forums > Databases > LDAP Programming > Modifying Active Directory passwords through PHP and IIS

« Previous Thread | Next Thread »

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts vB code is On Smilies are On [IMG] code is On HTML code is Off

View Your Warnings | New Posts | Latest News | Latest Threads | Shoutbox

Forum Jump

Free IT White Papers!

How to Present Effectively Online
This white paper offers practical and actionable advice on the key steps that any presenter should consider as they plan and execute a Webinar or online meeting.

Open Source Security Myths
Open Source Software (OSS) is computer software whose source code is available to the general public with relaxed or non-existent intellectual property restrictions (or arrangement such as the public domain), and is usually developed with the input of many contributors.

Power and Cooling Capacity Management for Data Centers
This paper describes the principles for achieving power and cooling capacity management.

Scalable, Fault-Tolerant NAS for Oracle - The Next Generation
For several years NAS has been evolving as a storage alternative for Oracle databases, and for good reason: NAS is quite often the simplest, most cost-effective storage approach for Oracle. Learn about the benefits that HP's approach to scalable NAS brings to Oracle environments in this comprehensive white paper.

Understanding Web Application Security Challenges
This white paper discusses many common threats and preventive measures for Web application security, and explains what you can do to help protect your organization.

More Free IT White Papers!