Modifying Active Directory passwords through PHP and IIS
April 13th, 2006, 06:22 AM
Registered User
Hi all,
This is my first question; I come from China.
It is my first time using PHP to link to AD, and I don't know how to
modify users' passwords even though I have read the article.
Who can give me some code?
I use PHP 5 on Windows 2003 Server.
Here is what I get when I try the code below.

April 13th, 2006, 06:29 AM
Registered User
This is my code:
Code:
<?PHP
/*** Variable Settings ***/
$uid = 'uid';
$userbindDN = 'userbind';
// existing password
$userbindPass = 'password';
// new password
$passwd1 = 'changeme';
$passwd2 = 'changeme';
// administrative bind user
$authbindDN = 'authbind';
$authbindPass = 'authpass';
// ldap server info
$ldapserver = '123.123.123.123';
$baseDN = 'DC=me,DC=com';
/**************************/
/************* Main Script Code ***************/
/** Connect SSL to Ldap Server **/
// AD only accepts unicodePwd modifications over an encrypted session, so the
// connection must actually use the ldaps:// scheme (port 636); a plain
// ldap_connect($ldapserver) gives "Server is unwilling to perform" on modify.
echo "Connecting SSL to server<br>";
$ldap = ldap_connect('ldaps://' . $ldapserver);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
/** Test connection by using anonymous bind **/
echo "Testing anonymous bind to server<br>";
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0)
{
exit('Could not connect to LDAP server - '.ldap_error($ldap));
}
/** Now try to bind with the username and password **/
echo "Now binding using user info<br>";
ldap_bind($ldap, $userbindDN, $userbindPass);
if (ldap_errno($ldap) !== 0)
{
exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}
/** We got this far, let's bind with an admin user **/
echo "Now binding using admin info<br>";
ldap_bind($ldap, $authbindDN, $authbindPass);
if (ldap_errno($ldap) !== 0)
{
exit('ERROR: Unable to bind with admin user info - '.ldap_error($ldap));
}
// Escape the user-supplied value so it cannot alter the search filter
$searchResults = ldap_search($ldap, $baseDN, '(cn='.ldap_escape($uid, '', LDAP_ESCAPE_FILTER).')');
if ($searchResults === false)
{
exit('Error in search results - '.ldap_error($ldap));
}
// no matching records
if (ldap_count_entries($ldap, $searchResults) === 0)
{
exit("User ($uid) not found in AD");
}
$entry = ldap_first_entry($ldap, $searchResults);
if ($entry === false)
{
exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);
// Check Pwds not really used in this script but...
if ($passwd1 == $passwd2){
// prepare data: AD wants the new password wrapped in double quotes and
// encoded as UTF-16LE (no terminating NUL)
$newPassword = $passwd1;
$newPassword = "\"" . $newPassword . "\"";
$len = strlen($newPassword);
$newPassw = '';
for($i = 0; $i < $len; $i++)
{
// append (.=) each byte followed by a NUL byte; the original assigned with
// '=' and so sent only the last character. This is UTF-16LE for ASCII
// passwords only; for non-ASCII use mb_convert_encoding(..., 'UTF-16LE', 'UTF-8').
$newPassw .= $newPassword[$i] . "\000";
}
$newPassword = $newPassw;
$userdata['unicodePwd'] = $newPassword;
echo "<------------ Changing Password --------------><br><br>";
echo "Username = ".$uid."<br>";
echo "User login ID = ".$userbindDN."<br>";
echo "User DN = $userDn<br>";
// replace = administrative password reset; needs the admin bind above
$result = ldap_mod_replace($ldap, $userDn , $userdata);
if($result)
{
echo "User modified!<br>" ;
}else{
echo "There was a problem!<br>";
echo ldap_error($ldap)."<br>";
}
/** Now try to bind with the username and new password to ensure change **/
echo "Now testing new password to ensure change<br>";
ldap_bind($ldap, $userbindDN, $passwd1);
if (ldap_errno($ldap) !== 0)
{
exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}else{
echo "Password Verified OK. Password change complete<br>";
}
}
?>
Last edited by Viper_SB : April 13th, 2006 at 10:04 AM.
Reason: removed password and other sensitive info

April 13th, 2006, 06:30 AM
Registered User
And this is my error:
Connecting SSL to server
Testing anonymous bind to server
Now binding using user info
Now binding using admin info
<------------ Changing Password -------------->
Username = ceshi
User login ID = uid
User DN = CN=me,CN=Users,DC=me,DC=com
Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in d:\usr\www\ceshi.php on line 79
There was a problem!
Server is unwilling to perform
Now testing new password to insure change
Warning: ldap_bind(): Unable to bind to server: Invalid credentials in d:\usr\www\ceshi.php on line 89
ERROR: User ID/Password Invalid - Invalid credentials
Last edited by Viper_SB : April 13th, 2006 at 10:05 AM.
Reason: removed sensitive info

April 13th, 2006, 10:06 AM
Psycho Canadian
cailang021, please remember not to use valid data in your posts.
Please read through this entire thread; it lists how to get it working. You are missing some important things.

April 13th, 2006, 07:50 PM
Registered User
Thanks a lot for your help,
I will not do it like that again!

April 14th, 2006, 09:12 PM
Registered User
Wow, this is great information. Hats off to everyone for figuring this out.
I do have one question though, I have a server that doesn't have AD installed but I'd like to change the admin password via PHP and IIS. Is that possible? Thanks.

April 15th, 2006, 03:12 AM
Psycho Canadian
What password are you changing if you don't have AD? Or are you trying to change an OpenLDAP password?

April 16th, 2006, 05:51 PM
Registered User
I wanted to change a local user's password within Windows (local users are defined in the computer management of Administrative tools). For instance, I have a user named msharris on a server and this server also has IIS and PHP installed; so how would I go about changing msharris' password?

April 16th, 2006, 08:31 PM
Psycho Canadian
It should be earlier in this thread; that's what it's all about.

April 16th, 2006, 09:12 PM
Registered User
Maybe I missed it, but the codes and procedures I saw were using LDAP to connect to an AD domain. The server I'm working with is not part of an AD domain, hence LDAP queries aren't going to work quite right (right?).
Edit: I am trying to avoid using something like a net user call to cmd.exe to change things.

April 17th, 2006, 02:29 PM
Psycho Canadian
Oh a local user, I see, you'd have to look into the windows API IIRC, I'm not sure PHP can do it though. Maybe if you looked up how windows stores the user (file system I'd guess), then PHP could change it.

April 17th, 2006, 02:41 PM
Registered User
I was hoping to see some kind of PECL extension for Windows that would allow this to happen, but it doesn't appear to exist. Oh well, thanks for the info.

July 26th, 2006, 04:02 PM
First off, this is one long thread, but it has a lot of useful info. Thanks everyone.
I'm trying to change a user's password while binding to AD as them, instead of an admin account. As others have noted:
Quote: | There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it. |
I'm able to connect to AD 2003 using either SSL or TLS so that's not the problem. Also, authenticating is no problem. I'm using PHP 5.1.4-0.1 (debian package).
Using ldap_mod_replace gives an "Insufficient Permissions" error. It wants an admin account, which I'm trying to avoid.
Using ldap_mod_del then ldap_mod_add gives "No Such Attribute" and "Type Or Value Exists." This isn't surprising to me since unicodePwd needs to exist so del fails and it already exists so add fails (thank you, Captain Obvious). Also, they're not joined together as a single request so it doesn't quite match what MS says.
Has anyone had any luck with this? Thanks in advance.
(In case you are wondering why I don't want to use an admin account... I develop on the side. My main function is being a paranoid security analyst.)
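The change-password form of the unicodePwd modify that the quoted Microsoft text describes, done the way the poster wants (bound as the user, no admin account), as an added example that is not from this thread. It sends the delete and the add as one modify request with ldap_modify_batch(), which exists in PHP releases newer than the 5.1.4 in the post; a replace, as ldap_mod_replace() does, is the administrative reset, which is why it demanded admin rights. Server name, DN and passwords are placeholders.

```php
<?php
// Added example (not from the thread): user-initiated AD password change.
// Requires the ldap extension with ldap_modify_batch() (PHP 5.4.26+/5.5.10+).

// Encode a password the way AD expects it in unicodePwd: the value wrapped in
// double quotes, as UTF-16LE, with no terminating NUL.
function adEncodePassword(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Change the password of $userDn from $old to $new while bound as that user.
// Returns true on success, otherwise the LDAP error text.
function adSelfServicePasswordChange(string $server, string $userDn, string $old, string $new)
{
    // AD refuses unicodePwd modifications on an unencrypted session: use ldaps://
    $ldap = ldap_connect('ldaps://' . $server);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user whose password is changing, not as an administrator.
    if (!@ldap_bind($ldap, $userDn, $old)) {
        return 'bind failed: ' . ldap_error($ldap);
    }

    // One modify request carrying both operations, delete first, then add.
    // Two separate ldap_mod_del()/ldap_mod_add() calls are two requests and
    // fail with "No Such Attribute" / "Type Or Value Exists", as the post found.
    $modifications = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [adEncodePassword($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [adEncodePassword($new)]],
    ];
    if (!@ldap_modify_batch($ldap, $userDn, $modifications)) {
        // Typical failure: the old value is wrong, or $new violates the
        // domain password policy (length, history, minimum password age).
        return 'modify failed: ' . ldap_error($ldap);
    }
    ldap_unbind($ldap);
    return true;
}

// Placeholder values; replace with real ones before running.
$result = adSelfServicePasswordChange('dc.example.test',
    'CN=Some User,CN=Users,DC=example,DC=test', 'OldP@ss1', 'NewP@ss2');
echo $result === true ? "Password changed\n" : "Failed: $result\n";
```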

July 27th, 2006, 04:38 PM
Psycho Canadian
Quote: | Originally Posted by Relnor (In case you are wondering why I don't want to use an admin account... I develop on the side. My main function is being a paranoid security analyst.) |
What about creating an admin account that can ONLY change user passwords (ONLY non-admin ones)? It can't do anything else; that way the security risk is low?
Other than that I don't know. I use AD but haven't had to get around to changing passwords.

July 27th, 2006, 04:42 PM
Quote: | What about creating an admin account that can ONLY change user passwords (ONLY non admin ones)? |
That's what I'm doing now. I'd just like to see if it can be done the other way MS gives.