LDAP Programming
 
  #91  
Old December 8th, 2004, 07:15 AM
Zipi
Quote:
Originally Posted by MatthewClark
I forgot - exec() and system() never work. They always belch out "Unable to fork" errors.


You must give execute permissions to cmd.exe as well to get those functions to work.

  #92  
Old February 16th, 2005, 12:53 PM
phredbroughton
Success! (Sorta)

After following this loooong thread and following all of the great advice I found here and at php.net, I was like many able to connect to our server with SSL and bind with a user's id and password, but I kept receiving an insufficient access error when trying to modify the password. After reading the info from Microsoft at http://support.microsoft.com/?kbid=269190 that I found posted here it hit me.
From MS page:
"There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password become the new password, regardless of what the old password was."

I was trying to use the posted code to modify the user's password while binding as that user. According to this, this can only be done if the command contains both a delete and an add command. Not knowing how to do that, I tried option 2. I used an administrator id and password to bind to AD and bingo. User password modified.
Unless someone can tell me how to perform the delete/add command as MS states for option 1, it seems that I will have to use a method of first verifying that the user is valid by binding to AD, then if this is OK, bind with a user/password that has sufficient rights to reset passwords and modify using the code presented here. I usually store all system settings in my SQL database and I'm not sure I like having this user/password stored there, but it may be necessary to get this done.

Here is my test script complete with lots of echo feedback. Using this I am able to change the user's password and validate the change. If run a second time it will fail as the password has changed. Modify the password variables and it will run again.
Notes:
If you screw up your variables and pass a blank auth user even though the password is there, ldap_bind() will succeed but it is an anonymous bind.

If you re-run this enough times with the wrong password, you will lock the account out if this is enabled in your domain.

Script is running on a RHES3 box that has been converted to CENTOS.
PHP 4.3.2
OpenSSL 0.9.7a
openldap-2.0.27-17
Windows 2000 SBS
Certificate services on a separate Win2000 server
RootCA exported as 64bit key and imported into openssl certs on linux box as per notes at http://us3.php.net/manual/en/function.ldap-connect.php

Hope this helps someone else :-)
Phred

PHP Code:
<?php
/*** Variable Settings ***/
$uid = 'Testing';
$userbindDN = 'testing@domain.com';
// existing password
$userbindPass = '1234567';
// new password
$passwd1 = 'changeme';
$passwd2 = 'changeme';
// administrative bind user
$authbindDN = 'someadminuser@domain.com';
$authbindPass = '1234567';
// ldap server info
$ldapserver = 'ldapserver.domain.com';
$baseDN = 'DC=domain,DC=com';
/**************************/

/************* Main Script Code ***************/
/**  Connect SSL to Ldap Server (636 is the LDAPS port) **/
echo "Connecting SSL to server<br>";
$ldap = ldap_connect('ldaps://'.$ldapserver, 636);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
/**  Test connection by using anonymous bind **/
echo "Testing anonymous bind to server<br>";
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0)
{
    exit('Could not connect to LDAP server - '.ldap_error($ldap));
}
/**  Now try to bind with the username and password **/
echo "Now binding using user info<br>";
ldap_bind($ldap, $userbindDN, $userbindPass);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}
/**  We got this far, let's bind with an admin user **/
echo "Now binding using admin info<br>";
ldap_bind($ldap, $authbindDN, $authbindPass);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: Unable to bind with admin user info - '.ldap_error($ldap));
}
/**  Look the user up to get the full DN needed for the modify **/
$searchResults = ldap_search($ldap, $baseDN, '(CN='.$uid.')');
// search itself failed (bad base DN, bad filter, ...)
if ($searchResults === false)
{
    exit('Error in search results - '.ldap_error($ldap));
}
$info = ldap_get_entries($ldap, $searchResults);
// no matching records
if ($info['count'] == 0)
{
    exit("User ($uid) not found in AD");
}
$entry = ldap_first_entry($ldap, $searchResults);
if (!$entry)
{
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);
// Check Pwds not really used in this script but...
if ($passwd1 == $passwd2) {
    // prepare data: AD wants the new password in double quotes, encoded as UTF-16LE
    $newPassword = "\"" . $passwd1 . "\"";
    $len = strlen($newPassword);
    $newPassw = '';
    for ($i = 0; $i < $len; $i++)
    {
        // each ASCII character followed by a NUL byte is its UTF-16LE form
        $newPassw .= $newPassword[$i] . "\000";
    }
    $newPassword = $newPassw;
    $userdata['unicodePwd'] = $newPassword;

    echo "<------------ Changing Password --------------><br><br>";
    echo "Username = ".$uid."<br>";
    echo "User login ID = ".$userbindDN."<br>";
    echo "User DN = $userDn<br>";
    // a single replace operation is the administrative reset (MS option 2)
    $result = ldap_mod_replace($ldap, $userDn, $userdata);
    if ($result)
    {
        echo "User modified!<br>";
    } else {
        echo "There was a problem!<br>";
        echo ldap_error($ldap)."<br>";
    }
    /**  Now try to bind with the username and new password to ensure the change **/
    echo "Now testing new password to ensure change<br>";
    ldap_bind($ldap, $userbindDN, $passwd1);
    if (ldap_errno($ldap) !== 0)
    {
        exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
    } else {
        echo "Password Verified OK. Password change complete<br>";
    }
}
?>
Comments on this post
Viper_SB agrees!
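Added example, not Phred's script and not from anyone in this thread: the delete-plus-add form that the Microsoft article describes for a user changing their own password (option 1), sent as one modify request from PHP, next to the single-replace administrative reset (option 2) that the script above uses. It also refuses empty credentials so ldap_bind() cannot silently fall through to an anonymous bind, and maps the result codes behind the "insufficient access" and "unwilling to perform" errors mentioned in this thread. It assumes PHP 5.4 or later for ldap_modify_batch(), the mbstring extension for the UTF-16LE conversion, an LDAPS connection (AD refuses unicodePwd writes over cleartext), and the host name, DNs and passwords are placeholders.

```php
<?php
// Added example (not code from this thread). Host, DNs and passwords are placeholders.
// Requires PHP >= 5.4 (ldap_modify_batch) and the mbstring extension.

/** Encode a password the way AD's unicodePwd attribute expects:
 *  the value wrapped in double quotes, then converted to UTF-16LE. */
function encode_unicode_pwd($password) {
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** Bind, refusing to proceed when a credential is empty: an empty DN or
 *  password makes ldap_bind() succeed as an anonymous/unauthenticated bind,
 *  which is exactly the trap the thread warns about. */
function bind_or_fail($ldap, $dn, $password) {
    if ($dn === '' || $password === '') {
        throw new RuntimeException('Refusing empty credentials (would be an anonymous bind)');
    }
    if (!@ldap_bind($ldap, $dn, $password)) {
        throw new RuntimeException('Bind failed for ' . $dn . ': ' . ldap_error($ldap));
    }
}

/** Option 1: the user changes their own password while bound as themselves.
 *  AD requires the delete of the old value and the add of the new value to
 *  arrive in ONE modify request; a separate ldap_mod_del() followed by
 *  ldap_mod_add() sends two requests and is rejected. ldap_modify_batch()
 *  packs both operations into a single request. */
function change_own_password($ldap, $userDn, $oldPassword, $newPassword) {
    $mods = array(
        array('attrib'  => 'unicodePwd',
              'modtype' => LDAP_MODIFY_BATCH_REMOVE,
              'values'  => array(encode_unicode_pwd($oldPassword))),
        array('attrib'  => 'unicodePwd',
              'modtype' => LDAP_MODIFY_BATCH_ADD,
              'values'  => array(encode_unicode_pwd($newPassword))),
    );
    return ldap_modify_batch($ldap, $userDn, $mods);
}

/** Option 2: an account with reset rights replaces the value outright,
 *  regardless of the old password (what the thread's script does). */
function reset_password($ldap, $userDn, $newPassword) {
    return ldap_mod_replace($ldap, $userDn,
        array('unicodePwd' => encode_unicode_pwd($newPassword)));
}

/** Turn the LDAP result code into something the caller can act on. */
function explain_failure($ldap) {
    $code = ldap_errno($ldap);
    if ($code === 53) {
        // unwillingToPerform: domain policy (complexity, history, minimum age)
        // rejected the new value, or the write did not arrive over TLS
        return 'Server unwilling to perform: new password rejected by domain password policy';
    }
    if ($code === 50) {
        // insufficientAccessRights: the bound identity may not use this operation
        // (e.g. a plain user trying the single-replace reset)
        return 'Insufficient access: the bound account may not set this password';
    }
    return ldap_error($ldap);
}

// ---- usage with placeholder values ----
$ldap = ldap_connect('ldaps://ldapserver.example.com'); // 636, the LDAPS default port
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

$userDn = 'CN=Testing,OU=Users,DC=example,DC=com'; // placeholder DN
bind_or_fail($ldap, 'testing@example.com', 'OldPassw0rd!');
if (!change_own_password($ldap, $userDn, 'OldPassw0rd!', 'NewPassw0rd!')) {
    echo explain_failure($ldap), PHP_EOL;
}
```

With option 1 the script never needs an administrative password stored alongside the web application, which addresses the concern raised above about keeping that credential in the settings database; option 2 remains the right tool only for help-desk style resets by an account that already holds that right.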

  #93  
Old May 26th, 2005, 04:07 PM
ebeyrent
The above script did not work for us initially. Then we realized that we were attempting to change the password on AD to a non-allowed syntax, which gave us a "Server unwilling to perform" error.

Once we modified the password to contain a capital letter and a number, everything worked as it should.

I hope that this information helps someone else out there!
Comments on this post
Viper_SB agrees: interesting, thanks for the tip

  #94  
Old May 26th, 2005, 05:19 PM
MatthewClark
It's been a while since I have worked with PHP and Active Directory, and after bashing my head on this subject for a while, I haven't done much here either.

I think now I'll dust off my old PHP and AD scripts and see if I can make them work...
__________________
InLesserTerms.net
Sometimes it takes a little cussin' to get things done right.

  #95  
Old June 7th, 2005, 05:24 AM
giorg
Quote:
Originally Posted by phredbroughton
Certificate services on a separate Win2000 server
RootCA exported as 64bit key and imported into openssl certs on linux box as per notes at http://us3.php.net/manual/en/function.ldap-connect.php

Hope this helps someone else :-)
Phred



Hi,
maybe I am the only one, but I am definitely not able to extract any certificate from AD, and the other thing I don't understand is why to use openldap while I have to connect as a client....
Thanks for any help

  #96  
Old June 7th, 2005, 05:52 AM
pabloj
Quote:
Originally Posted by giorg
why to use openldap while I've to connect as a client....

because AD exposes an LDAP interface, so a php client connects through it.

  #97  
Old June 7th, 2005, 10:58 AM
giorg
Quote:
Originally Posted by pabloj
because AD exposes an LDAP interface, so a php client connects through it.

Exactly! A php client... and LDAP is a standard protocol... so why to use a server like OpenLDAP? Maybe my question is not clear...

  #98  
Old June 7th, 2005, 11:07 AM
Viper_SB
Quote:
Originally Posted by giorg
Exactly! A php client... and LDAP is a standard protocol... so why to use a server like OpenLDAP? Maybe my question is not clear...

nope I don't understand it
__________________
Miscellaneous Software
Viper_SB
Developershed E-Support


Anyone else play chess?
Challenge me

  #99  
Old June 7th, 2005, 12:08 PM
giorg
Quote:
Originally Posted by Viper_SB
nope I don't understand it

ok I'll try to explain it better: the AD is supposed to be the server in this case, right? Exposing ldaps is what it is doing, right? A server which is giving a service... and when I connect to it I am a client, ok? So, if (from my linux box) I want to connect to this server which is exposing ldaps, why should I configure another ldap server (OpenLDAP) on my box? Maybe this time I've been a little more clear...

  #100  
Old June 7th, 2005, 02:17 PM
Viper_SB
If I understand you correctly, I don't think you need openldap running to access AD. Openldap is more for non-Windows systems, or those that prefer to use a free ldap server.

  #101  
Old June 7th, 2005, 03:40 PM
pabloj
Php uses the OpenLDAP CLIENT library to connect to the LDAP interface exposed by ActiveDirectory.
