#121
Hi all;
This is my first question; I come from China. This is the first time I use PHP to link to AD, and I don't know how to modify users' passwords even though I have viewed the article. Who can give me some code? I use PHP5, Win 2003 Server. When I try the code front.

#122

This is my code
Code:
```php
<?PHP
/*** Variable Settings ***/
$uid = 'uid';
$userbindDN = 'userbind';
//existing password
$userbindPass = 'password';
// new password
$passwd1 = 'changeme';
$passwd2 = 'changeme';
// administrative bind user
$authbindDN = 'authbind';
$authbindPass = 'authpass';
// ldap server info
$ldapserver = '123.123.123.123';
$baseDN = 'DC=me,DC=com';
/**************************/

/************* Main Script Code ***************/
/** Connect SSL to Ldap Server **/
echo "Connecting SSL to server<br>";
$ldap = ldap_connect($ldapserver);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

/** Test connection by using anonymous bind **/
echo "Testing anonymous bind to server<br>";
ldap_bind($ldap);
if (ldap_errno($ldap) !== 0)
{
    exit('Could not connect to LDAP server - '.ldap_error($ldap));
}

/** Now try to bind with the username and password **/
echo "Now binding using user info<br>";
ldap_bind($ldap, $userbindDN, $userbindPass);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
}

/** We got this far, let's bind with an admin user **/
echo "Now binding using admin info<br>";
ldap_bind($ldap, $authbindDN, $authbindPass);
if (ldap_errno($ldap) !== 0)
{
    exit('ERROR: Unable to bind with admin user info - '.ldap_error($ldap));
}

$searchResults = ldap_search($ldap, $baseDN, 'CN='.$uid);
// no matching records
$info = ldap_get_entries($ldap, $searchResults);
if ($searchResults === false)
{
    exit('User ($uid) not found in AD');
}
if (!is_resource($searchResults))
{
    exit('Error in search results.');
}
$entry = ldap_first_entry($ldap, $searchResults);
if (!is_resource($entry))
{
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);

// Check Pwds not really used in this script but...
if ($passwd1 == $passwd2){
    // prepare data
    $newPassword = $passwd1;
    $newPassword = "\"" . $newPassword . "\"";
    $len = strlen($newPassword);
    for($i = 0; $i < $len; $i++)
    {
        $newPassw = "{$newPassword{$i}}\000";
    }
    $newPassword = $newPassw;
    $userdata['unicodePwd'] = $newPassword;

    echo "<------------ Changing Password --------------><br><br>";
    echo "Username = ".$uid."<br>";
    echo "User login ID = ".$userbindDN."<br>";
    echo "User DN = $userDn<br>";
    $result = ldap_mod_replace($ldap, $userDn , $userdata);
    if($result)
    {
        echo "User modified!<br>" ;
    }else{
        echo "There was a problem!<br>";
        echo ldap_error($ldap)."<br>";
    }

    /** Now try to bind with the username and new password to insure change**/
    echo "Now testing new password to insure change<br>";
    ldap_bind($ldap, $userbindDN, $passwd1);
    if (ldap_errno($ldap) !== 0)
    {
        exit('ERROR: User ID/Password Invalid - '.ldap_error($ldap));
    }else{
        echo "Password Verified OK. Password change complete<br>";
    }
}
?>
```
Last edited by Viper_SB : April 13th, 2006 at 10:04 AM. Reason: removed password and other sensitive info

#123

and this is my error
```
Connecting SSL to server
Testing anonymous bind to server
Now binding using user info
Now binding using admin info
<------------ Changing Password -------------->
Username = ceshi
User login ID = uid
User DN = CN=me,CN=Users,DC=me,DC=com
Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in d:\usr\www\ceshi.php on line 79
There was a problem!
Server is unwilling to perform
Now testing new password to insure change
Warning: ldap_bind(): Unable to bind to server: Invalid credentials in d:\usr\www\ceshi.php on line 89
ERROR: User ID/Password Invalid - Invalid credentials
```
Last edited by Viper_SB : April 13th, 2006 at 10:05 AM. Reason: removed sensitive info

#124

cailang021, please remember not to use valid data in your posts.
Please read through this entire thread, it lists how to get it working, you are missing some important things.

#125

Thanks a lot for your help,
I will not do it like that again!

#126

Wow, this is great information. Hats off to everyone for figuring this out.
I do have one question though, I have a server that doesn't have AD installed but I'd like to change the admin password via PHP and IIS. Is that possible? Thanks.

#127

What password are you changing if you don't have AD? Or are you trying to change an OpenLDAP password?

#128

I wanted to change a local user's password within Windows (local users are defined in the computer management of Administrative tools). For instance, I have a user named msharris on a server and this server also has IIS and PHP installed; so how would I go about changing msharris' password?

#129

It should be earlier in this thread, that's what it's all about.

#130

Maybe I missed it, but the codes and procedures I saw were using LDAP to connect to an AD domain. The server I'm working with is not part of an AD domain, hence LDAP queries aren't going to work quite right (right?).
Edit: I am trying to avoid using something like a net user call to cmd.exe to change things.

#131

Oh, a local user, I see. You'd have to look into the Windows API IIRC; I'm not sure PHP can do it though. Maybe if you looked up how Windows stores the user (file system I'd guess), then PHP could change it.

#132

I was hoping to see some kind of PECL extension for Windows that would allow this to happen, but it doesn't appear to exist. Oh well, thanks for the info.

#133

First off, this is one long thread, but it has a lot of useful info. Thanks everyone.
I'm trying to change a user's password while binding to AD as them, instead of an admin account. As others have noted: Quote:
I'm able to connect to AD 2003 using either SSL or TLS so that's not the problem. Also, authenticating is no problem. I'm using PHP 5.1.4-0.1 (Debian package).

Using ldap_mod_replace gives an "Insufficient Permissions" error. It wants an admin account, which I'm trying to avoid.

Using ldap_mod_del then ldap_mod_add gives "No Such Attribute" and "Type Or Value Exists." This isn't surprising to me since unicodePwd needs to exist so del fails and it already exists so add fails (thank you, Captain Obvious). Also, they're not joined together as a single request so it doesn't quite match what MS says.

Has anyone had any luck with this? Thanks in advance.

(In case you are wondering why I don't want to use an admin account... I develop on the side. My main function is being a paranoid security analyst.)
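
The single-request change that post #133 is looking for, as an added example that is not from any post in this thread: the old value is deleted and the new one added in one modify operation through `ldap_modify_batch()`, which needs a newer PHP than the 5.1.4 mentioned above. The function names, host and DN are hypothetical, and `encodeUnicodePwd()` also shows the quoted UTF-16LE form that the loop in post #122 is building.

```php
<?php
// Added example, not code from the thread; host, DN and passwords are constructed.

/** unicodePwd value: the password in double quotes, encoded as UTF-16LE. */
function encodeUnicodePwd(string $password): string
{
    $encoded = iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
    if ($encoded === false) {
        throw new InvalidArgumentException('Password is not valid UTF-8');
    }
    return $encoded;
}

/** Delete-old plus add-new, to be sent as ONE modify request. */
function buildSelfServiceChange(string $old, string $new): array
{
    return [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($new)]],
    ];
}

function changeOwnPassword(string $uri, string $userDn, string $old, string $new): void
{
    // AD rejects unicodePwd writes on an unencrypted connection; this example
    // handles ldaps:// only (StartTLS is not covered).
    if (strncasecmp($uri, 'ldaps://', 8) !== 0) {
        throw new InvalidArgumentException('Use an ldaps:// URI');
    }
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException('Could not create LDAP handle');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Bind as the user whose password changes; no admin account is involved.
    if (!@ldap_bind($ldap, $userDn, $old)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ldap));
    }
    if (!@ldap_modify_batch($ldap, $userDn, buildSelfServiceChange($old, $new))) {
        throw new RuntimeException('Change failed: ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
}

// Offline check of the encoding step with a constructed value.
echo bin2hex(encodeUnicodePwd('Ab1')), PHP_EOL;
// Against a directory (placeholder values):
// changeOwnPassword('ldaps://dc.example.test', 'CN=Test,CN=Users,DC=example,DC=test', 'old', 'new');
```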

#134

Quote:
What about creating an admin account that can ONLY change user passwords (ONLY non-admin ones)? It can't do anything else, that way the security of it is low? Other than that I don't know, I use AD but haven't had to get around to changing passwords.