#1
Modifying Active Directory passwords through PHP and IIS
I have written a script to reset a user's Windows password through PHP. I've used LDAP to access and modify other information in Active Directory, but am unable to change the user's password (unicodePwd) field.
The script connects and binds successfully, but throws the following error when it tries to ldap_modify the password attribute: Modify: Server is unwilling to perform. It has no problem modifying other Active Directory fields.

I am running PHP 4.3 on a Windows 2000 machine running IIS 5.0, which connects to a domain controller that has an SSL certificate given by our domain's certificate authority server. The SSL certificate meets all of MS's requirements outlined in: URL and all of the SSL certificate requirements described in this PDF: URL

I've seen other people connecting to LDAP with ldaps://domain.com. This, however, will always fail to bind for me. Connecting as ldap://domain.com (no 's') succeeds. However, the ldp.exe tool MS mentions appears to connect and communicate on the LDAPS port 636 flawlessly. The Windows system event logs indicate that SChannel handshaking is completed successfully.

I am unsure if it is a problem in the SSL certificate, in PHP's configuration, or something else. I have searched extensively but have not found any definitive answer or guide to this problem on the internet. Any takers?

John Van Atta
#2
|
|||
|
|||
|
Re: Modifying Active Directory passwords through PHP and IIS
BTT. Has anyone gotten this SSL-LDAP thingy to work? If so, details please.
I made my own CA from the domain controller; still no dice.
#3
|
|||
|
|||
|
You need to connect to LDAP on port 636 (i.e. ldap://myserver:636). You also need to change your server to generate certificates. Visit URL for details on how to do this.
#4
|
||||
|
||||
|
Boy, I sure would like to know how to update password in Active Directory using PHP. I guess no one knows?
#5
|
||||
|
||||
|
Sorry - I haven't picked up PHP yet. I can do it in Perl, ASP and VB - but not in PHP ...
Best of luck ...
#6
|
||||
|
||||
|
Quote:
What do you need to know? If it's an SSL server you have to do as spae0022 says: connect on port 636. Read here http://us2.php.net/manual/en/function.ldap-connect.php; you'll see that you must have LDAP compiled with SSL AND PHP has to be compiled with SSL also. If not, it won't work.
#7
|
||||
|
||||
|
I have been working with PHP for about two years now, and web development even longer than that. PHP and LDAP is easy for me, but I just can't seem to figure out how to update the unicodePwd field in Active Directory.
I know it has to be over LDAPS, but I don't know how to turn the password into Unicode. I just want to hear from someone who knows how to update the unicodePwd field in Active Directory; a search in Google turns up nothing.
#8
|
||||
|
||||
|
Quote:
OK, that's clearer, thanks. I haven't used Active Directory before, so I didn't know they are stored in Unicode. What you are most likely looking for is multibyte strings; these allow you to convert charsets. You will have to install PHP with --enable-mbstring (if using Windows there should be some similar option). PHP Code:
The above code should convert from ASCII to UTF-8; this should be what you need for your password. Then just write it to the LDAP field. Could be missing some stuff; haven't had a need to use it.
#9
|
||||
|
||||
|
I will try that, but first, I understand now that I need to establish a secure LDAP connection before I can write to the unicodePwd field in Active Directory. As soon as I get LDAPS working, I'll try again.
By the way, the code I used to encode the password is: PHP Code:
Anyway, thanks for the input... I'll play when I get a chance, and then I'll post to this thread for anyone interested...
#10
|
|||
|
|||
|
Hello!
Were you able to get the code to work? I am also working on developing a web page to let users reset their passwords. If you have it in PHP that would be great. Thanks.
#11
|
||||
|
||||
|
By the way, I tried also connecting to Active Directory on TCP 3269. Global Catalog servers use this port for LDAPS. However, I still was unsuccessful. More fiddling, and I'll keep you all posted...
These are the articles that have helped a little: http://support.microsoft.com/defaul...Ben-us%3B321051 http://support.microsoft.com/defaul...&NoWebContent=1
#12
|
|||
|
|||
|
Any progress?
I have been following this thread and am wondering if any progress has been made on the problem? I am having the same issue as the original poster - Server is unwilling to perform. Any help is greatly appreciated...
#13
|
||||
|
||||
|
No, I have done everything right. I can verify that I have a secure connection to LDAP and everything. I have an idea it's the algorithm - I just can't figure out what the correct encoding is for the passwords...
#14
|
|||
|
|||
|
I found a workaround to the problem. This works well in my environment but may not for others. I found a Perl script that does what we need here. I modified it to fit my needs like so: Code:
#!/usr/bin/perl -w
use strict;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

my ($Ad, $mesg, $uid, $pass, $npass, $dn, $rtn, $binddn, $bindpw, $searchdn);

$uid      = $ARGV[0];
$pass     = $ARGV[1];
$binddn   = $ARGV[2];
$bindpw   = $ARGV[3];
$searchdn = $ARGV[4];

if (($uid eq '') or ($pass eq '')) {
    exit 1;
}

# Bind to the AD server over LDAPS (LDAPv3).
# bind() returns a Net::LDAP::Message, which is always true, so the
# result code has to be checked explicitly to detect a failed bind.
$Ad = Net::LDAPS->new("YOURSERVER", version => 3) or exit 1;
$mesg = $Ad->bind(dn => $binddn, password => $bindpw);
exit 1 if $mesg->code;

# Do an AD lookup to get the dn for this user,
# then change their password. The uid is escaped so that filter
# metacharacters in $ARGV[0] cannot widen or alter the search.
$mesg = $Ad->search(base => $searchdn, filter => "cn=" . escape_filter_value($uid));
if ($mesg->count != 1) {
    exit 1;
}

# Add quotes and Unicode: wrap the password in double quotes and follow
# each (ASCII) byte with a NUL, giving the UTF-16LE value AD expects
map { $npass .= "$_\000" } split(//, "\"$pass\"");

# Now change it
$dn =
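Putting the pieces from this thread together (LDAPS on port 636, LDAPv3, and unicodePwd written as the double-quoted password encoded in UTF-16LE), here is an added PHP example; it is not code from any post above. It assumes a current PHP with the ldap and mbstring extensions, that the web server already trusts the certificate the domain controller presents (otherwise the LDAPS bind fails before any modify is attempted), and that the bind account holds the Reset Password right on the target user. The host name, DNs, account names and passwords are placeholders.

```php
<?php
// Added example (not from this thread): reset an Active Directory user's
// password from PHP over LDAPS. Every server name, DN and credential below
// is a placeholder.

// AD stores unicodePwd as the password wrapped in double quotes and encoded
// as UTF-16LE. Converting the whole quoted string at once also handles
// non-ASCII characters, which a per-byte "append a NUL" loop would not.
function encodeAdPassword($password)
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Escape a value before placing it in an LDAP search filter (RFC 4515), so a
// user name such as "*)(objectClass=*" cannot widen the search. Backslash is
// replaced first so the escapes introduced afterwards are not re-escaped.
function escapeFilterValue($value)
{
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\0"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Look the user up by sAMAccountName and replace unicodePwd with the new
// value. Returns the DN that was modified; throws on any failure so the
// caller sees the server's own error text (e.g. "Server is unwilling to
// perform") instead of a silent false.
function resetAdPassword($ldapsUri, $bindDn, $bindPw, $searchBase, $samAccountName, $newPassword)
{
    $ds = ldap_connect($ldapsUri);           // e.g. 'ldaps://dc1.example.com:636'
    if ($ds === false) {
        throw new RuntimeException("Malformed LDAP URI: $ldapsUri");
    }
    // AD needs LDAPv3 for this operation; disabling referral chasing stops
    // libldap from re-sending the bind credentials to other DCs.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }

    $filter  = '(&(objectClass=user)(sAMAccountName=' . escapeFilterValue($samAccountName) . '))';
    $sr      = ldap_search($ds, $searchBase, $filter);
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) {
        ldap_unbind($ds);
        throw new RuntimeException("Expected exactly one user, found {$entries['count']}");
    }
    $dn = $entries[0]['dn'];

    // Administrative reset: replace the single value. The encoded value
    // contains NUL bytes; PHP passes it as a length-prefixed binary value,
    // so that is fine.
    $ok  = ldap_mod_replace($ds, $dn, array('unicodePwd' => encodeAdPassword($newPassword)));
    $err = $ok ? '' : ldap_error($ds);
    ldap_unbind($ds);
    if (!$ok) {
        throw new RuntimeException("Password reset failed for $dn: $err");
    }
    return $dn;
}

// Usage with placeholder values:
// resetAdPassword(
//     'ldaps://dc1.example.com:636',
//     'CN=pwreset-svc,OU=Service Accounts,DC=example,DC=com', 'bind-secret',
//     'DC=example,DC=com',
//     'jdoe', 'N3w-P@ssw0rd!'
// );
```

An administrative reset replaces the single unicodePwd value, which is what the Perl script above does as well; a user changing their own password instead sends a delete of the old quoted value and an add of the new one in the same modify operation, and the old password must then be correct. If the server still answers "unwilling to perform", check the transport and the encoding before anything else: AD refuses unicodePwd writes over an unencrypted connection, and a value that is not the quoted UTF-16LE string is rejected the same way.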