Modifying Active Directory passwords through PHP and IIS
Posts: 4
Time spent in forums: 6 h 50 m 2 sec
Reputation Power: 0
Hi all;
This is my first question; I come from China.
This is the first time I use PHP to link to AD, and I don't know how to
modify users' passwords even though I have viewed the article.
Who can give me some code?
I use PHP5, Win 2003 Server.
When I try the code from earlier.
Posts: 4
Time spent in forums: 6 h 50 m 2 sec
Reputation Power: 0
and this is my error
Connecting SSL to server
Testing anonymous bind to server
Now binding using user info
Now binding using admin info
<------------ Changing Password -------------->
Username = ceshi
User login ID = uid
User DN = CN=me,CN=Users,DC=me,DC=com
Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in d:\usr\www\ceshi.php on line 79
There was a problem!
Server is unwilling to perform
Now testing new password to insure change
Warning: ldap_bind(): Unable to bind to server: Invalid credentials in d:\usr\www\ceshi.php on line 89
ERROR: User ID/Password Invalid - Invalid credentials
Last edited by Viper_SB : April 13th, 2006 at 10:05 AM.
Reason: removed sensitive info
Posts: 4
Time spent in forums: 26 m 34 sec
Reputation Power: 0
Wow, this is great information. Hats off to everyone for figuring this out.
I do have one question though, I have a server that doesn't have AD installed but I'd like to change the admin password via PHP and IIS. Is that possible? Thanks.
Posts: 4
Time spent in forums: 26 m 34 sec
Reputation Power: 0
I wanted to change a local user's password within Windows (local users are defined in the computer management of Administrative tools). For instance, I have a user named msharris on a server and this server also has IIS and PHP installed; so how would I go about changing msharris' password?
Posts: 4
Time spent in forums: 26 m 34 sec
Reputation Power: 0
Maybe I missed it, but the codes and procedures I saw were using LDAP to connect to an AD domain. The server I'm working with is not part of an AD domain, hence LDAP queries aren't going to work quite right (right?).
Edit: I am trying to avoid using something like a net user call to cmd.exe to change things.
Posts: 4,836
Time spent in forums: 1 Month 1 Day 15 h 45 m 31 sec
Reputation Power: 633
Oh, a local user, I see. You'd have to look into the Windows API IIRC; I'm not sure PHP can do it though. Maybe if you looked up how Windows stores the user (file system I'd guess), then PHP could change it.
Posts: 4
Time spent in forums: 26 m 34 sec
Reputation Power: 0
I was hoping to see some kind of PECL extension for Windows that would allow this to happen, but it doesn't appear to exist. Oh well, thanks for the info.
Posts: 26
Time spent in forums: 21 h 42 m 16 sec
Reputation Power: 0
First off, this is one long thread, but it has a lot of useful info. Thanks everyone.
I'm trying to change a user's password while binding to AD as them, instead of an admin account. As others have noted:
Quote:
There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.
I'm able to connect to AD 2003 using either SSL or TLS so that's not the problem. Also, authenticating is no problem. I'm using PHP 5.1.4-0.1 (debian package).
Using ldap_mod_replace gives an "Insufficient Permissions" error. It wants an admin account, which I'm trying to avoid.
Using ldap_mod_del then ldap_mod_add gives "No Such Attribute" and "Type Or Value Exists." This isn't surprising to me since unicodePwd needs to exist so del fails and it already exists so add fails (thank you, Captain Obvious). Also, they're not joined together as a single request so it doesn't quite match what MS says.
Has anyone had any luck with this? Thanks in advance.
(In case you are wondering why I don't want to use an admin account... I develop on the side. My main function is being a paranoid security analyst. )
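The "user change password" form quoted above (a delete of the old value and an add of the new value in a single modify request), as an added example that is not part of the original post or thread. It assumes a PHP build that provides ldap_modify_batch() and the mbstring extension, which the PHP 5.1.4 package mentioned in the post does not; the environment variable names are hypothetical.

```php
<?php
// Added example, not code from the thread. AD_URI, AD_USER_DN, AD_OLD_PW and
// AD_NEW_PW are hypothetical environment variable names chosen for illustration.

// unicodePwd must be the password wrapped in double quotes, encoded as UTF-16LE.
function encode_unicode_pwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Change the password while bound as the user, so no admin credentials are used.
function change_own_password($conn, string $userDn, string $old, string $new): bool
{
    if (!@ldap_bind($conn, $userDn, $old)) {
        return false; // current password is wrong, or the bind was refused
    }
    // Both operations travel in ONE modify request. Separate ldap_mod_del()
    // and ldap_mod_add() calls are two requests, which is not what AD expects.
    $mods = [
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_REMOVE,
            'values'  => [encode_unicode_pwd($old)],
        ],
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_ADD,
            'values'  => [encode_unicode_pwd($new)],
        ],
    ];
    return @ldap_modify_batch($conn, $userDn, $mods);
}

$uri = getenv('AD_URI'); // e.g. ldaps://dc.example.com (placeholder host)
if ($uri === false) {
    exit("Set AD_URI, AD_USER_DN, AD_OLD_PW and AD_NEW_PW first\n");
}
$conn = ldap_connect($uri); // SSL/TLS is required for password writes
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

$ok = change_own_password($conn, getenv('AD_USER_DN'),
                          getenv('AD_OLD_PW'), getenv('AD_NEW_PW'));
// Report the LDAP error text on failure (password policy rejections show up here).
echo $ok ? "Password changed\n" : "Change failed: " . ldap_error($conn) . "\n";
```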
Posts: 4,836
Time spent in forums: 1 Month 1 Day 15 h 45 m 31 sec
Reputation Power: 633
Quote:
Originally Posted by Relnor
(In case you are wondering why I don't want to use an admin account... I develop on the side. My main function is being a paranoid security analyst. )
What about creating an admin account that can ONLY change user passwords (ONLY non-admin ones)? It can't do anything else; that way the security of it is low?
Other than that I don't know; I use AD but haven't had to get around to changing passwords.