#91
Quote:
You must give execute permissions to cmd.exe as well to get those functions to work.
#92
After following this loooong thread and following all of the great advice I found here and at php.net, I was like many able to connect to our server with SSL and bind with a user's id and password, but I kept receiving an insufficient access error when trying to modify the password. After reading the info from Microsoft at http://support.microsoft.com/?kbid=269190 that I found posted here it hit me.

From MS page: "There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it. The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was."

I was trying to use the posted code to modify the user's password while binding as that user. According to this, this can only be done if the command contains both a delete and an add command. Not knowing how to do that, I tried option 2. I used an administrator id and password to bind to AD and bingo. User password modified. Unless someone can tell me how to perform the delete/add command as MS states for option 1, it seems that I will have to use a method of first verifying that the user is valid by binding to AD, then if this is OK, bind with a user/password that has sufficient rights to reset passwords and modify using the code presented here. I usually store all system settings in my SQL database and I'm not sure I like having this user/password stored there, but it may be necessary to get this done. Here is my test script complete with lots of echo feedback. Using this I am able to change the user's password and validate the change. If run a second time it will fail as the password has changed. Modify the password variables and it will run again.

Notes:
If you screw up your variables and pass a blank auth user even though the password is there, ldap_bind() will succeed but it is an anonymous bind.
If you re-run this enough times with the wrong password, you will lock the account out if this is enabled in your domain.

Script is running on a RHES3 box that has been converted to CentOS.
PHP 4.3.2
OpenSSL 0.9.7a
openldap-2.0.27-17
Windows 2000 SBS
Certificate services on a separate Win2000 server
Root CA exported as 64bit key and imported into openssl certs on linux box as per notes at http://us3.php.net/manual/en/function.ldap-connect.php

Hope this helps someone else :-)
Phred

PHP Code:
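The post above asks how to perform the delete/add form of the unicodePwd modification (option 1 in the KB article) so that a user can change their own password without an administrative bind, and it also warns that ldap_bind() with an empty DN quietly becomes an anonymous bind. The following is an added example, not Phred's script or anything from the thread. It assumes PHP 7 or later with the ldap and mbstring extensions (ldap_modify_batch(), which sends the remove and add in a single modify request, has existed since PHP 5.4 and was not available on the PHP 4.3 setup described), an LDAPS-reachable domain controller, and placeholder host names and DNs (dc01.example.test, the CN=... DNs) that have to be replaced. The UTF-16LE encoding of the quoted password is the format Active Directory requires for unicodePwd.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with ext/ldap
// (ldap_modify_batch needs >= 5.4) and ext/mbstring. All host names and
// DNs below are placeholders.

// Active Directory expects unicodePwd as the password wrapped in double
// quotes and encoded as UTF-16LE; a plain UTF-8 string is rejected.
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Connect over LDAPS and bind with explicit credentials. An empty DN or
// password is refused up front: PHP's ldap_bind() treats empty credentials
// as an anonymous bind, which "succeeds" without authenticating anyone.
function bindLdaps(string $uri, string $bindDn, string $password)
{
    if ($bindDn === '' || $password === '') {
        throw new InvalidArgumentException('Refusing anonymous bind: empty DN or password');
    }
    $conn = ldap_connect($uri);              // e.g. 'ldaps://dc01.example.test'
    if ($conn === false) {
        throw new RuntimeException("Cannot initialise connection to $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // avoid chasing referrals
    if (!@ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Option 1 from the KB article: the user changes their own password.
// The remove (current value) and the add (new value) must travel in ONE
// modify request, which ldap_modify_batch() does; two separate
// ldap_mod_del()/ldap_mod_add() calls would be two requests and fail.
function changeOwnPassword(string $uri, string $userDn, string $oldPassword, string $newPassword): bool
{
    $conn = bindLdaps($uri, $userDn, $oldPassword);
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($newPassword)]],
    ];
    $ok = @ldap_modify_batch($conn, $userDn, $mods);
    // "Server is unwilling to perform" here usually means the new password
    // violates the domain's length, complexity or history policy.
    $err = $ok ? '' : ldap_error($conn);
    ldap_unbind($conn);
    if (!$ok) {
        throw new RuntimeException("Password change failed: $err");
    }
    return true;
}

// Option 2: an account holding reset rights replaces the value outright.
// The admin credentials never need to be the user's, but they must be
// protected wherever the application stores them.
function resetPasswordAsAdmin(string $uri, string $adminDn, string $adminPassword,
                              string $userDn, string $newPassword): bool
{
    $conn = bindLdaps($uri, $adminDn, $adminPassword);
    $ok = @ldap_mod_replace($conn, $userDn, ['unicodePwd' => encodeUnicodePwd($newPassword)]);
    $err = $ok ? '' : ldap_error($conn);
    ldap_unbind($conn);
    if (!$ok) {
        throw new RuntimeException("Password reset failed: $err");
    }
    return true;
}

// Usage with placeholder values:
// changeOwnPassword('ldaps://dc01.example.test',
//     'CN=Jane Doe,OU=Users,DC=example,DC=test', 'OldP@ss1', 'NewP@ss2');
// resetPasswordAsAdmin('ldaps://dc01.example.test',
//     'CN=svc-pwreset,OU=Service,DC=example,DC=test', 'ServicePw!',
//     'CN=Jane Doe,OU=Users,DC=example,DC=test', 'NewP@ss2');
```

Option 1 is the one to prefer for a self-service form, because the application then holds no credential that can reset other users' passwords, and a wrong current password simply fails the bind (subject to the domain's lockout policy, as the post notes).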
#93
The above script did not work for us initially. Then we realized that we were attempting to change the password on AD to a non-allowed syntax, which gave us a "Server unwilling to perform" error.
Once we modified the password to contain a capital letter and a number, everything worked as it should. I hope that this information helps someone else out there!
#94
It's been a while since I have worked with PHP and Active Directory, and after bashing my head on this subject for a while, I haven't done much here either.
I think now I'll dust off my old PHP and AD scripts and see if I can make them work...
#95
Quote:
Hi, maybe I am the only one, but I am definitely not able to extract any certificate from AD, and the other thing I don't understand is why to use OpenLDAP while I have to connect as a client.... Thanks for any help
#96
Quote:
Because AD exposes an LDAP interface, a PHP client connects through it.
#97
Quote:
Exactly! A PHP client... and LDAP is a standard protocol... so why use a server like OpenLDAP? Maybe my question is not clear...
#98
Quote:
nope I don't understand it
#99
Quote:
OK, I'll try to explain it better: the AD is supposed to be the server in this case, right? Exposing LDAPS is what it is doing, right? A server which is giving a service... and when I connect to it I am a client, OK? So, if (from my Linux box) I want to connect to this server which is exposing LDAPS, why should I configure another LDAP server (OpenLDAP) on my box? Maybe this time I've been a little more clear...
#100
If I understand you correctly, I don't think you need OpenLDAP running to access AD. OpenLDAP is more for non-Windows systems, or those that prefer to use a free LDAP server.
#101
PHP uses the OpenLDAP CLIENT library to connect to the LDAP interface exposed by Active Directory.