Modifying Active Directory passwords through PHP and IIS
Page 7 of the discussion in the LDAP Programming forum on Dev Shed.
Posts: 1
Time spent in forums: 38 m 3 sec
Reputation Power: 0
Success! (Sorta)
After following this loooong thread and following all of the great advice I found here and at php.net, I was, like many, able to connect to our server with SSL and bind with a user's id and password, but I kept receiving an insufficient access error when trying to modify the password. After reading the info from Microsoft at http://support.microsoft.com/?kbid=269190 that I found posted here it hit me.
From MS page:
"There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.
The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was."
I was trying to use the posted code to modify the user's password while binding as that user. According to this, this can only be done if the command contains both a delete and an add command. Not knowing how to do that, I tried option 2. I used an administrator id and password to bind to AD and bingo. User password modified.
Unless someone can tell me how to perform the delete/add command as MS states for option 1, it seems that I will have to use a method of first verifying that the user is valid by binding to AD, then if this is OK, bind with a user/password that has sufficient rights to reset passwords and modify using the code presented here. I usually store all system settings in my SQL database and I'm not sure I like having this user/password stored there, but it may be necessary to get this done.
Here is my test script complete with lots of echo feedback. Using this I am able to change the user's password and validate the change. If run a second time it will fail as the password has changed. Modify the password variables and it will run again.
Notes:
If you screw up your variables and pass a blank auth user even though the password is there, ldap_bind() will succeed but it is an anonymous bind.
If you re-run this enough times with the wrong password, you will lock the account out if this is enabled in your domain.
Script is running on a RHES3 box that has been converted to CentOS.
PHP 4.3.2
OpenSSL 0.9.7a
openldap-2.0.27-17
Windows 2000 SBS
Certificate services on a separate Win2000 server
RootCA exported as 64bit key and imported into openssl certs on linux box as per notes at http://us3.php.net/manual/en/function.ldap-connect.php
<?php
/************* Configuration (placeholder values; set these for your environment) ***************/
$ldapserver   = 'dc.example.local';              // AD domain controller
$baseDN       = 'CN=Users,DC=example,DC=local';  // container searched for the user
$uid          = 'jdoe';                          // CN of the user whose password is changed
$userbindDN   = 'jdoe@example.local';            // the user's own login (UPN or DN)
$userbindPass = 'OldP@ssw0rd';                   // the user's current password
$authbindDN   = 'pwdreset@example.local';        // account with rights to reset passwords
$authbindPass = 'AdminP@ssw0rd';
$passwd1      = 'NewP@ssw0rd1';                  // new password, entered twice
$passwd2      = 'NewP@ssw0rd1';

/************* Main Script Code ***************/
/** Connect SSL to Ldap Server **/
echo "Connecting SSL to server<br>";
// LDAPS listens on 636 (the original had 686; with a URI the port argument is ignored anyway)
$ldap = ldap_connect('ldaps://'.$ldapserver, 636);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

/** Test connection by using anonymous bind **/
echo "Testing anonymous bind to server<br>";
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0)
{
    exit('Could not connect to LDAP server - '.ldap_error($ldap));
}

/** Now try to bind with the username and password **/
echo "Now binding using user info<br>";
// A blank DN or password turns this into an anonymous bind that "succeeds" (see Notes above)
if ($userbindDN === '' || $userbindPass === '')
{
    exit('ERROR: User ID and password must not be empty');
}
ldap_bind($ldap, $userbindDN, $userbindPass);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}

/** We got this far, let's bind with an admin user **/
echo "Now binding using admin info<br>";
ldap_bind($ldap, $authbindDN, $authbindPass);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: Unable to bind with admin user info - '.ldap_error($ldap));
}

// Escape LDAP filter metacharacters in $uid so a crafted value cannot change the filter
$uidEscaped = str_replace(array('\\', '*', '(', ')', "\0"),
                          array('\5c', '\2a', '\28', '\29', '\00'), $uid);
$searchResults = ldap_search($ldap, $baseDN, '(CN='.$uidEscaped.')');
if ($searchResults === false)
{
    exit('Error in search results - '.ldap_error($ldap));
}
// no matching records
if (ldap_count_entries($ldap, $searchResults) === 0)
{
    exit("User ($uid) not found in AD");
}
$entry = ldap_first_entry($ldap, $searchResults);
if ($entry === false)
{
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);

// Check Pwds not really used in this script but...
if ($passwd1 == $passwd2){
    // prepare data: unicodePwd is the new password in double quotes, encoded as UTF-16LE
    $newPassword = "\"" . $passwd1 . "\"";
    $len = strlen($newPassword);
    $newPassw = '';
    for($i = 0; $i < $len; $i++)
    {
        // a NUL after each byte is UTF-16LE only for ASCII passwords;
        // for other characters use mb_convert_encoding($newPassword, 'UTF-16LE')
        $newPassw .= $newPassword[$i] . "\000";
    }
    $newPassword = $newPassw;
    $userdata['unicodePwd'] = $newPassword;
    echo "<------------ Changing Password --------------><br><br>";
    echo "Username = ".$uid."<br>";
    echo "User login ID = ".$userbindDN."<br>";
    echo "User DN = $userDn<br>";
    $result = ldap_mod_replace($ldap, $userDn, $userdata);
    if($result)
    {
        echo "User modified!<br>";
    }else{
        echo "There was a problem!<br>";
        echo ldap_error($ldap)."<br>";
    }

    /** Now try to bind with the username and new password to ensure change **/
    echo "Now testing new password to ensure change<br>";
    ldap_bind($ldap, $userbindDN, $passwd1);
    if (ldap_errno($ldap) !== 0)
    {
        exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
    }else{
        echo "Password Verified OK. Password change complete<br>";
    }
}
ldap_unbind($ldap);
?>
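The "option 1" change the post above asks about (the user binds with the current password and sends a delete of the old unicodePwd value plus an add of the new one in a single modify request, so no privileged account has to be stored), as an added example that is not part of phredbroughton's post or the thread. It uses ldap_modify_batch() (PHP 5.4 or later) and the LDAP_OPT_X_TLS_* options (PHP 7.1 or later); the server name, user DN, passwords and CA file path are placeholders.

```php
<?php
// Self-service unicodePwd change ("option 1" in the Microsoft article quoted
// above): bind as the user, then delete the old value and add the new value
// in ONE LDAP modify request. Added example, not code from the thread.
// Placeholders: server name, user DN, passwords and the CA file path.
// ldap_modify_batch() needs PHP >= 5.4; the LDAP_OPT_X_TLS_* options PHP >= 7.1.
// AD refuses unicodePwd over cleartext. Trust the CA that issued the DC's
// certificate and demand a valid chain instead of turning verification off.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/etc/openldap/certs/ad-root-ca.pem');
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

// unicodePwd wire format: the password wrapped in double quotes, as UTF-16LE.
function adPasswordValue($password)
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Returns true on success and throws on any failure, so a caller can never
// mistake a refused change for a successful one.
function changeOwnAdPassword($server, $userDn, $oldPassword, $newPassword)
{
    // An empty DN or password would make the bind below an anonymous bind that
    // succeeds without authenticating anyone, so reject it up front.
    if ($userDn === '' || $oldPassword === '') {
        throw new InvalidArgumentException('User DN and current password are required');
    }
    $ldap = ldap_connect('ldaps://' . $server . ':636');
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Binding as the user authenticates the caller and gives the modify
    // "change own password" semantics; no reset-capable account is involved.
    if (!@ldap_bind($ldap, $userDn, $oldPassword)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ldap));
    }
    $ops = array(
        array('attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
              'values' => array(adPasswordValue($oldPassword))),
        array('attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
              'values' => array(adPasswordValue($newPassword))),
    );
    // The DC rejects the request if the old value is wrong or the new one
    // violates domain policy (length, complexity, history, minimum age).
    $ok  = ldap_modify_batch($ldap, $userDn, $ops);
    $err = $ok ? '' : ldap_error($ldap);
    ldap_unbind($ldap);
    if (!$ok) {
        throw new RuntimeException('Password change refused: ' . $err);
    }
    return true;
}
```

A "Server is unwilling to perform" result here usually means the new value failed the domain password policy, which is the same error the next reply in the thread ran into.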
Posts: 9
Time spent in forums: 7 m 7 sec
Reputation Power: 0
The above script did not work for us initially. Then we realized that we were attempting to change the password on AD to a non-allowed syntax, which gave us a "Server unwilling to perform" error.
Once we modified the password to contain a capital letter and a number, everything worked as it should.
I hope that this information helps someone else out there!
Posts: 286
Time spent in forums: 14 h 2 m 39 sec
Reputation Power: 11
It's been a while since I have worked with PHP and Active Directory, and after bashing my head on this subject for a while, I haven't done much here either.
I think now I'll dust off my old PHP and AD scripts and see if I can make them work...
Posts: 7
Time spent in forums: 1 h 40 m 45 sec
Reputation Power: 0
Quote:
Originally Posted by phredbroughton
Certificate services on a separate Win2000 server
RootCA exported as 64bit key and imported into openssl certs on linux box as per notes at http://us3.php.net/manual/en/function.ldap-connect.php
Hope this helps someone else :-)
Phred
Hi,
maybe I am the only one, but I am definitely not able to extract any certificate from AD, and the other thing I don't understand is why to use openldap while I have to connect as a client....
Thanks for any help
Posts: 7
Time spent in forums: 1 h 40 m 45 sec
Reputation Power: 0
Quote:
Originally Posted by Viper_SB
nope I don't understand it
ok I'll try to explain it better: the AD is supposed to be the server in this case, right? Exposing ldaps is what it is doing, right? A server which is giving a service... and when I connect to it I am a client, ok? So, if (from my linux box) I want to connect to this server which is exposing ldaps, why should I configure another ldap server (OpenLDAP) on my box? Maybe this time I've been a little more clear...
Posts: 4,836
Time spent in forums: 1 Month 1 Day 15 h 32 m 54 sec
Reputation Power: 633
If I understand you correctly, I don't think you need openldap running to access AD. OpenLDAP is more for non-Windows systems, or those that prefer to use a free ldap server.
Posts: 2
Time spent in forums: 45 m 29 sec
Reputation Power: 0
It's impressive PHP code, but I don't think that's a good solution. As a result of Microsoft not being willing to open its source code to the public, your code working today does not mean it works tomorrow. My suggestion is to install PHP on a Windows platform and call the DOS command "net user" to get it done. Very easy! Just use
// escape both values so a crafted user name or password cannot inject extra shell commands
system('net user ' . escapeshellarg($username) . ' ' . escapeshellarg($newpassword) . ' /domain');
You see!
Sometimes we just need to get our work done, not use a certain technology. Is that true?
Posts: 7
Time spent in forums: 1 h 40 m 45 sec
Reputation Power: 0
Quote:
Originally Posted by RobinHoo
Sometimes we just need to get our work done, not use a certain technology. Is that true?
This is absolutely true, the problem is I am developing a centralized system on a linux server, and now it is too late to move to windows. But I still don't get why I have to configure a new openldap server while I'm a client for AD. Isn't it enough just to use the php ldap library? In the end, is there anyone who can give me any reference/how-to on the CA side? Generating the certificate, exporting, and so on?
Thank you
Posts: 8,526
Time spent in forums: 3 Months 1 Week 1 Day 3 h 1 m 2 sec
Reputation Power: 534
The php ldap library needs the OpenLDAP client library to compile and run; it might be simpler to install the whole openldap server, but I doubt you'll need to configure and run it.
Posts: 7
Time spent in forums: 1 h 40 m 45 sec
Reputation Power: 0
Quote:
Originally Posted by pabloj
The php ldap library needs the OpenLDAP client library to compile and run; it might be simpler to install the whole openldap server, but I doubt you'll need to configure and run it.
Now I got it, thank you pabloj. Following the "tutorial" on http://us2.php.net/manual/en/function.ldap-connect.php, my situation now is that when I try to verify the exported certificate I get:
error 20 at 0 depth lookup:unable to get local issuer certificate
This is of course because openldap cannot recognize my AD server as a trusted root enterprise CA, but I don't know how to say "trust it"!