Modifying Active Directory passwords through PHP and IIS

June 4th, 2004, 11:27 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Posts: 1
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
No SSL
Quote: | Originally Posted by MatthewClark I can verify that I have a secure connection to LDAP and everything. |
Matt,
Did you need to do anything special to set up the SSL connection? I can't bind over SSL. I have verified that my DLLs are in the right place.
PHP 4.3.6
Apache/2.0.49
Windows 2000
OpenSSL 0.9.7c 30 Sep 2003
Geoff
|

June 4th, 2004, 12:40 PM
|
 |
Psycho Canadian
|
|
Join Date: Jan 2001
Location: Canada
|
|
|
What errors do you get?
|

June 7th, 2004, 08:59 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Location: Poland
Posts: 6
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
Still not working for me.
Has anyone got it to work properly?
I'm also working on a user administration panel in PHP, where the users are stored on an AD server.
Everything works fine except setting and changing the unicodePwd field.
I've lost several days trying to find out how to make it work and still nothing. I'm really angry about that.
|

June 7th, 2004, 09:32 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Posts: 9
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
Did you see my recent post?
Quote: | Originally Posted by KuRcZaK
Everything works fine except setting and changing the unicodePwd field.
|
Did you see the recent posts using the Perl script and/or the PHP-converted Perl script? That has worked for me, I'd be interested to know if others are having luck with it.
- Ben
|

June 7th, 2004, 10:26 AM
|
 |
Psycho Canadian
|
|
Join Date: Jan 2001
Location: Canada
|
|
Quote: | Originally Posted by bwhaley Did you see the recent posts using the perl script and/or the php converted perl script? That has worked for me, I'd be interested to know if others are having luck with it.
- Ben |
Any chance you can test the PHP script? I don't have AD so can't test it here.
|

June 7th, 2004, 12:24 PM
|
|
Registered User
|
|
Join Date: Jun 2004
Posts: 9
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
No luck...
Quote: | Originally Posted by Viper_SB Any chance you can test the PHP script? I don't have AD so can't test it here. |
I first made the following minor modification (possibly specific for my environment; I'm no PHP/Active Directory expert). The last line is the change:
PHP Code:
if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))
{
    exit('Failed to set protocol version to '.$protocolVersion);
}
// the added line: do not follow referrals
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
Alas, no luck. I still received the "Server unwilling to perform" error that I was getting before. Son of a....
- Ben
|

June 8th, 2004, 02:58 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Location: Poland
Posts: 6
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
I'm still having a problem connecting via SSL
I've read that if I want to change a password via LDAP I have to connect to the LDAP server via SSL.
And that's my problem right now.
$ldap=ldap_connect("myserver",636);
returns Success
and $ldap gets "Resource #1", so I suppose that the connection is made, but when I try to bind using this connection I receive an error:
"Could not connect to LDAP server"
I also tried to bind anonymously mysql_bind($ldap), but it also returns the same error.
I've checked my PHP configuration and OpenSSL is configured. Our network administrator says that the AD server is also configured to use SSL.
I have no idea where the problem could be right now.
The connection without SSL is possible and works fine.
|

June 8th, 2004, 06:42 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Location: Poland
Posts: 6
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
How to check the connection type?
OK - I think I'm one step closer to the solution.
Surprisingly, what helped to make an SSL connection with the LDAP server was creating C:\OpenLDAP\sysconf\ (as described in one of the threads on the net) and putting an ldap.conf file there which contains in its first line:
TLS_REQCERT never
Why on the C drive and in this specific directory? People say that it's coded deep in php_ldap.dll.
So now my script seems to be running fine:
PHP Code:
// the ldaps:// URI already selects SSL on port 636;
// a separate port argument is not used when a URI is given
$ldap_server = "ldaps://mscrmsvr/";
$auth_user = "Admin";
$auth_pass = "P@ssw0rd77";
// connect to server
if (!($connect = @ldap_connect($ldap_server))) {
    die("Could not connect to ldap server");
}
echo "connect result is: ".$connect."<BR>";
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
// bind to server
if (!($bind = ldap_bind($connect, $auth_user, $auth_pass))) {
    die("Unable to bind to server");
}
echo "bind result is: ".$bind."<BR>";
// $base_dn and $filter are not defined in the posted snippet
if (!($search = @ldap_search($connect, $base_dn, $filter))) {
    die("Unable to search ldap server");
}
But when I try to change the unicodePwd field I get the same message as with the non-SSL connection: "Warning: ldap_modify(): Modify: Server is unwilling to perform".
Do you know if and how I can check whether my connection to the LDAP server is encoded with SSL?
|
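One way to answer the question above, as an added example that is not code from this thread: open a certificate-verified TLS session to the LDAPS port, report what was negotiated, then make the LDAP client verify the same way. `TLS_REQCERT never` turns certificate verification off, so the connection is encrypted but the server's identity is not checked. The host name and CA file are placeholders, and the code assumes PHP 7.1 or later with the ldap and openssl extensions.

```php
<?php
// Added example; not code from this thread. Host and CA file are placeholders.
$host   = 'dc01.example.test';           // placeholder: must match the certificate name
$caFile = '/etc/ssl/certs/corp-ca.pem';  // placeholder: CA that issued the DC certificate

/** Open a verified TLS session to the LDAPS port and report what was negotiated. */
function probeLdaps(string $host, string $caFile, int $port = 636): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,
        'cafile'            => $caFile,
        'capture_peer_cert' => true,
    ]]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 5,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // handshake or certificate validation failed
        return ['ok' => false, 'error' => "$errstr ($errno)"];
    }
    $crypto = stream_get_meta_data($sock)['crypto'] ?? [];
    $cert   = openssl_x509_parse(
        stream_context_get_params($sock)['options']['ssl']['peer_certificate']);
    fclose($sock);
    return [
        'ok'        => true,
        'protocol'  => $crypto['protocol'] ?? 'unknown',
        'cipher'    => $crypto['cipher_name'] ?? 'unknown',
        'subject'   => $cert['subject']['CN'] ?? '',
        'not_after' => date('c', $cert['validTo_time_t']),
    ];
}

print_r(probeLdaps($host, $caFile));

// Have the LDAP client verify the certificate instead of "TLS_REQCERT never".
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
$link = ldap_connect("ldaps://$host");
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind() is what opens the socket; with DEMAND it fails unless the certificate validates.
var_dump(@ldap_bind($link), ldap_error($link));
```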

June 8th, 2004, 08:55 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Posts: 9
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
Quote: | Originally Posted by KuRcZaK Do you know if and how can I check if my connection to the LDAP server is encoded with SSL ? |
I battled with the very same thing, as described earlier in this thread. I think we've determined that it is not an SSL problem. I am certain that I have a secure connection and I get the "Server unwilling to perform" error message as well. You can try the Perl script shown earlier in the thread. That has worked for me. The direct translation to PHP, however, does NOT work. We aren't sure why that is...
|
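For reference, an added example that is not code from this thread or from the Perl script it mentions: Active Directory accepts a write to unicodePwd only on an encrypted connection, and only when the value is the password wrapped in double quotes and encoded as UTF-16LE. The code builds that value and shows both a self-service change and an administrative reset; the host, DN and environment variable names are placeholders, and it assumes PHP 7.1 or later with the ldap and mbstring extensions.

```php
<?php
// Added example; not code from this thread. Host, DN and env names are placeholders.

/** unicodePwd value: the password wrapped in double quotes, encoded as UTF-16LE. */
function adUnicodePwd(string $plain): string
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

/** Self-service change: delete the old value and add the new one in ONE modify. */
function adChangeOwnPassword($link, string $userDn, string $old, string $new): bool
{
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [adUnicodePwd($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [adUnicodePwd($new)]],
    ];
    return @ldap_modify_batch($link, $userDn, $mods);
}

/** Administrative reset: replace the value while bound with reset rights. */
function adResetPassword($link, string $userDn, string $new): bool
{
    return @ldap_mod_replace($link, $userDn, ['unicodePwd' => adUnicodePwd($new)]);
}

$link = ldap_connect('ldaps://dc01.example.test');    // placeholder host, encrypted transport
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($link, LDAP_OPT_REFERRALS, 0);

$dn  = 'CN=Test User,CN=Users,DC=example,DC=test';    // placeholder DN
$old = getenv('OLD_PW') ?: '';                        // hypothetical variable names;
$new = getenv('NEW_PW') ?: '';                        // keep passwords out of the source
if ($old === '' || $new === '' || !@ldap_bind($link, $dn, $old)) {
    exit('Bind failed: ' . ldap_error($link) . "\n");
}
if (!adChangeOwnPassword($link, $dn, $old, $new)) {
    // the diagnostic message carries the server's extended error text
    ldap_get_option($link, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    exit('Change failed: ' . ldap_error($link) . " ($detail)\n");
}
echo "Password changed\n";
```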

June 8th, 2004, 10:44 AM
|
 |
Psycho Canadian
|
|
Join Date: Jan 2001
Location: Canada
|
|
Ya, if the PHP script isn't working then it's something with PHP. If anyone has an Active Directory server I could test stuff on, I'd be willing to track down the problem and report it to PHP. All I'd need is a user account that could change my own password; nothing else would be needed.
Also, just so everyone is aware of this, ldap_connect() (in PHP) ALWAYS returns true. You can put in any IP or host and it'll be successful; this IS a feature and is working correctly. ldap_bind() is what really connects, so that is where you should check for connection. Here is how I do it.
PHP Code:
<?php
// placeholders: set these for your environment
$host     = 'ldap.example.com';
$user     = 'cn=someuser,dc=example,dc=com';
$password = 'secret';

$link = ldap_connect($host);
if (!ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3))
{
    exit('Failed to set protocol version to 3');
}
// just do an anonymous bind and this makes sure the ldap server exists
ldap_bind($link);
// 0 is successful thus it was able to connect
if (ldap_errno($link) !== 0)
{
    exit('Could not connect to LDAP server');
}
// this is your real bind
ldap_bind($link, $user, $password);
?>
|

June 8th, 2004, 10:50 AM
|
 |
Psycho Canadian
|
|
Join Date: Jan 2001
Location: Canada
|
|
|
BTW what version of PHP are you trying this with?
|

June 8th, 2004, 02:24 PM
|
|
Registered User
|
|
Join Date: Jun 2004
Posts: 9
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
Version
Quote: | Originally Posted by Viper_SB BTW what version of PHP are you trying this with? |
I'm using PHP v 4.2.2.
Sorry, can't give you an account at my location...
|

June 8th, 2004, 05:04 PM
|
 |
Psycho Canadian
|
|
Join Date: Jan 2001
Location: Canada
|
|
|
Any chance you can try with PHP 5 RC3? Because it could be a bug that was already fixed.
|

June 9th, 2004, 02:34 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Location: Poland
Posts: 6
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
...and what about user authentication
OK - I'll try version 5 RC 3 of PHP.
But I have one more question. Do you know if it's possible to verify a user & password stored in AD? What I mean is that a user, while entering a site, is asked to enter a login name and password.
Then I have to compare this with the login & pwd stored in AD.
I suppose that the only way to verify this user is to search in AD for the username and encoded password? But is it possible ... just like below:
PHP Code:
//connect
//bind (as Domain Admin)
$user="kurczak";
$password = '{md5}'.base64_encode(pack('H*', md5('P@ssw0rd')));
$search=ldap_search($connect, "dc=mscrm, dc=local", "(&(samaccountname=".$user.")(unicodePwd=".$password."))");
It isn't working now - but maybe I'm completely wrong in the idea of how to do it, or maybe the password encoding isn't correct?
....or maybe the best idea to verify if the user exists is to bind as this user to AD, like this:
PHP Code:
$user="kurczak";
$password="P@ssw0rd";
$con=ldap_connect("server");
ldap_bind($con,$user,$password);
...and if the bind succeeds we can be sure that the user exists. ??
|

June 9th, 2004, 09:09 AM
|
|
Registered User
|
|
Join Date: Jun 2004
Posts: 9
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
Password authentication
Quote: | Originally Posted by KuRcZaK ...and if the bind succeeds we can be sure that the user exists. ?? |
Yes, what you described is the standard way of authenticating a user in AD.
|
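Bind-based authentication as discussed in the last two posts, written out as an added example that is not code from this thread. It guards the two places where this pattern usually goes wrong: a bind with an empty password is treated as an anonymous bind and can succeed for any user name, and a user name concatenated into a search filter must be escaped. The search-and-compare idea cannot work against AD in any case, because unicodePwd is write-only and is never returned or matched by a search. Host, UPN suffix and base DN are placeholders; the code assumes PHP 7.1 or later with the ldap extension.

```php
<?php
// Added example; not code from this thread. Host, UPN suffix and base DN are placeholders.

/** Returns the authenticated user's DN, or null on any failure. */
function adAuthenticate(string $user, string $password): ?string
{
    $uri       = 'ldaps://dc01.example.test';   // placeholder
    $upnSuffix = 'example.test';                // placeholder
    $baseDn    = 'DC=example,DC=test';          // placeholder

    // An empty password turns the request into an anonymous bind, which the
    // server may accept for any user name: reject it before binding.
    if ($user === '' || $password === '') {
        return null;
    }
    $link = ldap_connect($uri);
    if ($link === false) {
        return null;
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($link, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The bind is the password check: the directory compares the secret itself.
    if (!@ldap_bind($link, $user . '@' . $upnSuffix, $password)) {
        return null;
    }
    // Look the entry up with the name escaped for filter context, so that
    // characters such as * ( ) \ cannot change the meaning of the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = @ldap_search($link, $baseDn, $filter, ['distinguishedName']);
    $entries = $result ? ldap_get_entries($link, $result) : ['count' => 0];
    ldap_unbind($link);

    return $entries['count'] === 1 ? $entries[0]['dn'] : null;
}

// Empty password: rejected locally, no request is sent to the server.
var_dump(adAuthenticate('kurczak', ''));
```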