#106
Not really sure, but I think this can help.
On the site you mentioned I found another line (beside the OpenSSL configuration), which reads:
Quote:
Note that ldap.conf is a config file used also by the LDAP CLIENT; this is important. slapd.conf is used by the LDAP SERVER. Probably ease of creating and finding all those files is why you are advised to install the whole openldap server.
__________________
My blog about OpenSource Databases, PDF tutorials about OSS databases, DBMonster ... Please contribute to Open Source Development, fill bug reports!!! Developer Shed eSupport, Commented my.ini/my.cnf (PLEASE ADD YOUR OWN CONFIG TRICK), An introduction to database normalization, Natural or Surrogate key, Custom ordering for your results, Correlated and uncorrelated subqueries, Don't turn your outer joins into inner joins
Last edited by pabloj : June 8th, 2005 at 05:22 AM.
#107
Quote:
Yes, I've read this and of course I did modify the configuration; the error I mentioned before came after I modified and restarted the daemon.
#108
Ok, googling around I got into openssl verify ....
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate. The issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete. You might need to add the issuer certificate. Hope this helps
#109
Quote:
Yes, I've also googled around and found that, and my point at this time is exactly that I don't know how to do it... thx a lot for your help
#110
Any success with PHP5?
I've tried all of the very helpful suggestions and code in this thread, but cannot modify a password. I still get the "Unwilling to perform..." error message. Has anyone been able to modify AD passwords, running PHP5 on Windows and IIS? Also, when I run ldp.exe I can see that there is a LDAPS connection to AD by checking netstat, but when I run my PHP script I never see a LDAPS connection. I only ever get a LDAP connection. I'm thinking that PHP is not establishing a secure connection to AD. Is there any way to verify that PHP is establishing a secure LDAPS connection other than checking netstat? Thanks!
#111
Well, without looking very far into this, the problem you describe is very similar, if not identical, to the problems mentioned in this thread that pertained to PHP4.
I know it's a long thread, but there are some posts that may solve this problem (something to do with SSL and certificates and DC registry hacks).
#112
VMWare for testing
I am testing this solution and I use vmware to do it. Costs a little cash but owns for testing out anything.
#113
ssl certs
I have done a bit of work on this:
Have a look at http://apple-scripts.com/forums/ ; I have just written a PDF guide to get OpenSSL working. It is geared for OS X and Unix, but you should be able to fit it to IIS etc.
#114
Great thread, helped me a lot with getting the TLS/SSL sorted, then I ran into the same problem as a lot of others: formatting the PW.
It seems that Server 2003 requires a UTF-16 string with no byte order marks and reversed byte order as the password. As my PHP was not compiled with mb_string I had no Unicode support. As my passwords were all straight ASCII strings I wrote this cheap dirty code to get it working. This code also produces base 64 encoded strings that match the output from stringconverter.exe, but only if the supplied string is pure ASCII. Hope it helps
Code:
<?php
// Build the quoted, UTF-16LE encoded value that AD expects in unicodePwd.
// Pure ASCII only: each ASCII byte followed by a NUL byte is its UTF-16LE form.
$newpass = "enter32";
echo $newpass . " is " . strlen($newpass) . " long - ";
$unipass = "\"\x00";                 // opening double quote, UTF-16LE
$i = 0;
while ($i < strlen($newpass)):
    $unipass = $unipass . $newpass[$i] . "\x00";   // $str{$i} offsets were removed in PHP 8
    $i++;
endwhile;
$unipass = $unipass . "\"\x00";      // closing double quote, UTF-16LE
echo "Unicode password is " . $unipass . " and is " . strlen($unipass) . " long - ";
$encpass = base64_encode($unipass);  // base64 form only needed for LDIF tools
echo "Base-64 encoded string is " . $encpass . "\n";
?>
For those interested, I was connecting from a FreeBSD 5.4 box to an AD on a Server 2003 using a certificate from the 2003 box imported into the default openssl/openldap install on the FreeBSD box. I can connect from the ldap command line tools and have successfully modified the unicodePwd field on the Active Directory. Cheers, Brett
#115
I can confirm I can modify the 'unicodePwd' attribute from PHP5. I think a lot of people are not getting a secure LDAP connection to the server even though they think they are.
ldap_connect() takes either a URL or a hostname and port number, so connecting via ldap_connect("ldap://yourdomain.com", 636) does not work; this connects unsecured to port 389, ignores the specified port, and you won't be able to update the 'unicodePwd' attribute. To get a TLS/SSL LDAP connection you need to connect via either:
ldap_connect("yourdomain.com", "636") or ldap_connect("ldaps://yourdomain.com")
If these connect methods return the error "cannot connect to ldap server", your SSL/TLS is not set up correctly. You simply cannot get an SSL/TLS connection if you specify ldap:// in the connect field instead of ldaps://.
I can connect from a machine that is not part of the domain via PHP, OpenSSL and OpenLDAP. The key is all in getting the certificate from the AD and importing it into OpenSSL, then configuring OpenLDAP to use the certificate, and finally, and just as important, making sure the webserver/PHP module is set to use the cert. I can give specific instructions on how to do this for Apache/OpenSSL/OpenLDAP on Linux or BSD but not for IIS/PHP setups, but the principle is the same. Hope this helps. Brett
#116
encoding, ssl, etc.
Amazing that this thread has continued for so long. It seems to be the most informative place for info about PHP driven password changes for AD users.
I'm super close, thanks to everyone who has contributed to this thread. A few points of clarification.
1. Most recently, brett.howard says he can do the password replacement with PHP*5*. Is PHP5 a must? Can PHP4 be used, say 4.3.10?
2. Brett's post also mentions a distinction about encoding the password for Win2003 server. Does UTF-16 need to be used? If PHP has mbstring configured, any syntax hints on using it instead of the 'dirty' method with base64 encoding he suggested?
3. From the start, matthew clark suggested that using port 636 or 3269 without indicating LDAPS was the preferred method of connecting over SSL. Do Brett's recent comments contradict this? I cannot connect if I use a hostname of ldaps://<hostname>/ and a port of 636 or 3269. It has to do with configuring OpenSSL and the cert on the webserver side, I suspect. Hopefully dominic32's documentation will help... I'm running my PHP on a Mac with Apache.
Your follow up would be appreciated. Is anyone actively monitoring this thread anymore?
#117
form now working
With Dominic from apple-scripts' assistance, I finally got my PHP form working.
Some of the highlights I found interesting and challenging.
1. PHP, utilizing the OpenLDAP libraries, needs to bind to AD over port 636 or via LDAPS. To accomplish this an X.509 certificate issued by a CA either on the AD server or from the same domain (correct me if I'm wrong) needs to be installed and configured for use on the Apache/PHP server.
2. When binding to AD to perform the ldap_mod_replace on the user entry of interest, the bind DN must be a domain administrator and can actually use the form of <samaccountname>@DOMAIN.
3. Finally, I did not find it necessary to base64 encode the converted password string. The code I used to properly format the string is as follows:
Code:
### assume $new_passwd is passed in via $_POST['passwd var']
$new_passwd = "\"" . $new_passwd . "\"";    // AD wants the password wrapped in double quotes
$uni_passwd = '';                            // start empty, otherwise .= hits an undefined variable
for ($i = 0; $i < strlen($new_passwd); $i++) {
    $uni_passwd .= $new_passwd[$i] . "\000"; // ASCII byte + NUL byte = UTF-16LE for ASCII input
}
$userdata["unicodePwd"] = $uni_passwd;
#118
hello..
I'm trying to figure out and help a friend on this thing. I am able to connect to the AD server, do comparisons and all, but when I try to change the password on AD, my interface shows an error msg "constraint violation". Any ideas? Help?
#119
Hey just thought I would throw this out to everyone.
It is two articles that I wrote using PHP and AD together. It includes all source, screenshots, articles (PDF). Check it out. Get the zipped file here Good luck everyone, Chad
__________________
Get A Supplier LLC | Hilarious Comic --- Pretty much retired from the forum. I will get back on every now and then, and maybe answer a few questions.