URL http://forums.devshed.com/showthread.php?t=74683&page=1
Cached Tuesday 21 of December, 2004 14:50:51 EST


Modifying Active Directory passwords through PHP and IIS
#1  johnvanatta, August 5th, 2003, 06:49 PM
Modifying Active Directory passwords through PHP and IIS

I have written a script to reset a user's Windows password through PHP. I've used LDAP to access and modify other information in Active Directory, but am unable to change the user's password (unicodePwd) field.

The script connects and binds successfully, but throws the following error when it tries to ldap_modify the password attribute:

Modify: Server is unwilling to perform.

It has no problem modifying other Active Directory fields.

I am running PHP 4.3 on a Windows 2000 machine running IIS 5.0 which connects to a domain controller that has an SSL certificate given by our domain's certificate authority server.

The SSL certificate meets all of MS's requirements outlined in:

http://support.microsoft.com/defaul...Ben-us%3B321051

and all of the SSL certificate requirements described in this pdf:

http://www.w2k.vt.edu/docs/MSVT_Certificates.pdf

I've seen other people connecting to LDAP with ldaps://domain.com. This, however, will always fail to bind for me. Connecting as ldap://domain.com (no 's') succeeds.

However, the ldp.exe tool MS mentions appears to connect and communicate on the LDAPS port 636 flawlessly. The Windows system event logs indicate that SChannel handshaking is completed successfully.

I am unsure if it is a problem in the SSL certificate, in PHP's configuration, or something else.

I have searched extensively but have not found any definitive answer or guide to this problem on the internet.

Any takers?

John Van Atta
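Added example (editor's, not code from johnvanatta or anyone else in this thread). Active Directory imposes two conditions on a write to unicodePwd, and breaking either one yields exactly the "Server is unwilling to perform" (LDAP result code 53) reported above: the session must be encrypted (LDAPS on 636, or StartTLS), and the value must be the new password wrapped in double quotes and encoded as UTF-16LE. The script below performs an administrative reset in PHP under those rules: it verifies the DC's certificate against a CA file, escapes the account name before it enters a search filter, and on failure reads AD's diagnostic string, whose leading hex code tells the two causes of result 53 apart. The host name, CA path, service-account DN, the PWRESET_BIND_PW environment variable and the sample account are assumptions; the TLS and diagnostic option constants need PHP 7.1 or later built against OpenLDAP.

```php
<?php
// Added example, not code from the thread. Placeholders: dc01.example.com,
// /etc/ssl/certs/corp-ca.pem, the service-account DN, PWRESET_BIND_PW.

// The value AD accepts in unicodePwd: the password in double quotes,
// encoded as UTF-16LE. Anything else, or this over a cleartext session,
// earns "Server is unwilling to perform" (result code 53).
function ad_unicode_pwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// LDAPS connection that verifies the DC certificate against our own CA.
function ad_connect_ldaps(string $host, string $caFile)
{
    // Global TLS options; they must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect("ldaps://{$host}:636");
    if ($ldap === false) {
        throw new RuntimeException("malformed LDAP URI for {$host}");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals; left on, the client chases them over a new,
    // unauthenticated connection and the write fails confusingly.
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    return $ldap;
}

// Administrative reset: replace unicodePwd outright. The bound account
// needs the "Reset Password" control-access right on the target user.
function ad_reset_password($ldap, string $baseDn, string $account, string $newPassword): void
{
    // Escape the caller-supplied name so it cannot rewrite the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($ldap, $baseDn, $filter, ['dn']);
    if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
        throw new RuntimeException("account {$account} not found or not unique");
    }
    $dn = ldap_get_dn($ldap, ldap_first_entry($ldap, $res));

    if (!@ldap_mod_replace($ldap, $dn, ['unicodePwd' => ad_unicode_pwd($newPassword)])) {
        // AD's extended message starts with a Win32 error code that tells
        // the two causes of result 53 apart:
        //   0000001F  write attempted over an unencrypted session
        //   0000052D  new password rejected by domain password policy
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(ldap_error($ldap) . ' / ' . $diag);
    }
}

$bindPw = (string) getenv('PWRESET_BIND_PW');
if ($bindPw === '') {
    // An empty password turns a simple bind into an anonymous bind that
    // "succeeds" with no rights; never let that reach ldap_bind().
    exit("PWRESET_BIND_PW not set\n");
}
$ldap = ad_connect_ldaps('dc01.example.com', '/etc/ssl/certs/corp-ca.pem');
if (!@ldap_bind($ldap, 'CN=pwreset-svc,OU=Service Accounts,DC=example,DC=com', $bindPw)) {
    exit('bind failed: ' . ldap_error($ldap) . "\n");
}
ad_reset_password($ldap, 'DC=example,DC=com', 'jdoe', 'Correct-Horse-Battery-42!');
ldap_unbind($ldap);
echo "password reset\n";
```

The service account should hold only the Reset Password right on the OU the page serves, nothing domain-wide, and its password belongs in the environment or a secrets store rather than in the script. Note that the global catalog ports (3268/3269) are read-only; the write has to go to a domain controller on 636.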

#2  scott_77, December 17th, 2003, 05:04 PM
Re: Modifying Active Directory passwords through PHP and IIS

BTT. Has anyone gotten this SSL-LDAP thingy to work? If so, details please. I made my own CA from the domain controller; still no dice.



Quote: Originally posted by johnvanatta (post #1, quoted in full)

#3  spae0022, March 3rd, 2004, 06:49 PM
You need to connect to LDAP on port 636 (i.e. ldap://myserver:636). You also need to change your server to generate certificates. Visit http://www.logicdevelopment.net/help/ssl.html for details on how to do this.

#4  MatthewClark, March 26th, 2004, 02:15 PM
Boy, I sure would like to know how to update password in Active Directory using PHP. I guess no one knows?

#5  ldap4u (Chris Larivee), March 26th, 2004, 06:54 PM
Sorry - I haven't picked up PHP yet. I can do it in Perl, ASP and VB - but not in PHP ...

Best of luck ...

#6  Viper_SB, March 27th, 2004, 12:38 PM
Quote:
Originally Posted by MatthewClark
Boy, I sure would like to know how to update password in Active Directory using PHP. I guess no one knows?


What do you need to know? If it's an SSL server you have to do as spae0022 says and connect on port 636. Read here http://us2.php.net/manual/en/function.ldap-connect.php; you'll see that you must have LDAP compiled with SSL AND PHP has to be compiled with SSL also; if not, it won't work.

#7  MatthewClark, March 29th, 2004, 12:25 AM
I have been working with PHP for about two years now, and web development even longer than that. PHP and LDAP is easy for me, but I just can't seem to figure out how to update the unicodePwd field in Active Directory.

I know it has to be over LDAPS, but I don't know how to turn the password into Unicode. I just want to hear from someone who knows how to update the unicodePwd field in Active Directory; a search in Google turns up nothing.

#8  Viper_SB, March 29th, 2004, 12:20 PM
Quote:
Originally Posted by MatthewClark
I have been working with PHP for about two years now, and web development even longer than that. PHP and LDAP is easy for me, but I just can't seem to figure out how to update the unicodePwd field in Active Directory.

I know it has to be over LDAPS, but I don't know how to turn the password into unicode. I just want to hear from someone who knows how to do update the unicodePwd field in Active Directory; a search in Google turns up nothing.


OK, that's clearer, thanks. I haven't used Active Directory before, so I didn't know they are stored in Unicode.

What you are most likely looking for is multibyte strings; these allow you to convert charsets. You will have to install PHP with --enable-mbstring (if using Windows there should be some similar option).

PHP Code:
$tmp = mb_convert_encoding('password', 'UTF-8', 'ASCII');


The above code should convert from ASCII to UTF-8; this should be what you need for your password. Then just write it to the LDAP field. Could be missing some stuff; haven't had a need to use it.

#9  MatthewClark, March 29th, 2004, 12:31 PM
I will try that, but first, I understand now that I need to establish a secure LDAP connection before I can write to the unicodePwd field in Active Directory. As soon as I get LDAPS working, then I'll try again.

By the way, the code I used to encode the password is:
PHP Code:
$user['unicodePwd'] = "{md5}".base64_encode(pack("H*",md5($_POST['newpassword'])));


Anyway, thanks for the input... I'll play when I get a chance, and then I'll post to this thread for anyone interested...

#10  jtsagi, April 27th, 2004, 05:17 PM
Hello!
Were you able to get the code to work? I am also working on developing a web page to let users reset their passwords. If you have it in PHP that would be great.

Thanks.
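For a self-service page like the one jtsagi describes, the web application need not hold a privileged credential at all. Added example (editor's, not jtsagi's code or anyone else's in this thread): Active Directory treats a single modify that deletes the old unicodePwd value and adds the new one as a password change by the user, and accepts it only when the deleted value equals the current password. So the page binds as the user with the password being changed and then issues that one modify. Host, UPN suffix, CA file, search base and the three form values are assumptions; ldap_modify_batch needs PHP 5.4.26/5.5.10 or later and the TLS constants PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Placeholders: dc01.example.com,
// the example.com UPN suffix, the CA file and the search base. The three
// form values are constructed here in place of a posted form.

// AD's unicodePwd format: the password in double quotes, as UTF-16LE.
function ad_unicode_pwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Self-service change: one modify that deletes the current unicodePwd
// value and adds the new one. AD applies the pair atomically, and only if
// the deleted value matches the current password, so the operation
// carries its own proof of possession and needs no Reset Password right.
function ad_change_own_password($ldap, string $userDn, string $oldPw, string $newPw): bool
{
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [ad_unicode_pwd($oldPw)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [ad_unicode_pwd($newPw)]],
    ];
    return @ldap_modify_batch($ldap, $userDn, $mods);
}

$username = 'jdoe';                       // constructed form input
$oldPw    = 'Old-Passw0rd!';
$newPw    = 'Correct-Horse-Battery-42!';

// Verify the DC certificate; unicodePwd is only writable over TLS anyway.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/corp-ca.pem');
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
$ldap = ldap_connect('ldaps://dc01.example.com:636');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Bind as the user with the password being changed: the web app holds no
// privileged credential, and a wrong current password fails right here.
// The empty-string check matters because an empty password makes a
// simple bind anonymous, which AD would happily "accept".
if ($oldPw === '' || !@ldap_bind($ldap, $username . '@example.com', $oldPw)) {
    exit("current password rejected\n");
}

// Authenticated users can read their own entry, so locate the DN as the user.
$filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
$res = ldap_search($ldap, 'DC=example,DC=com', $filter, ['dn']);
if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
    exit("account lookup failed\n");
}
$dn = ldap_get_dn($ldap, ldap_first_entry($ldap, $res));

if (!ad_change_own_password($ldap, $dn, $oldPw, $newPw)) {
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    // 00000056 in $diag: the deleted value did not match the current
    // password; 0000052D: policy (history, minimum age, complexity)
    // rejected the new one. Log $diag server-side, do not echo it.
    exit("change failed: " . ldap_error($ldap) . "\n");
}
ldap_unbind($ldap);
echo "password changed\n";
```

Two caveats for such a page: a user whose password has already expired cannot complete the bind, so that case still needs the administrative reset path with a privileged account; and because this endpoint is an online password oracle, it needs the same lockout-aware rate limiting as any login form.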

#11  MatthewClark, May 11th, 2004, 09:07 PM
By the way, I tried also connecting to Active Directory on TCP 3269. Global Catalog servers use this port for LDAPS. However, I still was unsuccessful. More fiddling, and I'll keep you all posted...

These are the articles that have helped a little:
http://support.microsoft.com/defaul...Ben-us%3B321051
http://support.microsoft.com/defaul...&NoWebContent=1

#12  bwhaley, June 1st, 2004, 10:51 PM
Any progress?

I have been following this thread and am wondering if any progress has been made on the problem? I am having the same issue as the original poster - Server is unwilling to perform. Any help is greatly appreciated...

#13  MatthewClark, June 2nd, 2004, 12:02 AM
No, I have done everything right. I can verify that I have a secure connection to LDAP and everything. I have an idea it's the algorithm - I just can't figure out what the correct encoding is for the passwords...

#14  bwhaley, June 3rd, 2004, 02:20 PM
Workaround solution

I found a workaround to the problem. This works well in my environment but may not for others.

I found a Perl script that does what we need here. I modified it to fit my needs like so:

Code:
#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);
use Encode qw(decode encode);

my ($uid, $pass, $binddn, $bindpw, $searchdn) = @ARGV;

if (!defined $uid or $uid eq '' or !defined $pass or $pass eq '') {
    exit 1;
}


# Bind to the AD server over LDAPS (unicodePwd is only writable on an
# encrypted connection). Note that Net::LDAPS defaults to verify => 'none';
# add verify => 'require', cafile => '...' to check the DC's certificate.

my $Ad = Net::LDAPS->new("YOURSERVER", version => 3) or exit 1;

# bind() always returns a message object, so test its result code
# rather than relying on "or exit"
my $mesg = $Ad->bind(dn => $binddn, password => $bindpw);
exit 1 if $mesg->code;


# Do an AD lookup to get the dn for this user
# then change their password.
# The CN comes from the caller, so escape it before it enters the filter.

$mesg = $Ad->search(base   => $searchdn,
                    filter => "(cn=" . escape_filter_value($uid) . ")");
exit 1 if $mesg->code;
if ($mesg->count != 1) {
    exit 1;
}

# Add quotes and encode as UTF-16LE (AD's "uniCode" format).
# @ARGV arrives as bytes, assumed UTF-8 here; the per-character "\000"
# padding used before produced the same bytes only for ASCII passwords.
my $npass = encode('UTF-16LE', '"' . decode('UTF-8', $pass) . '"');

# Now change it
my $dn = $mesg->entry(0)->dn;

my $rtn = $Ad->modify($dn, replace => { "unicodePwd" => $npass });
exit 1 if $rtn->code;   # Net::LDAP::Message; $rtn->{resultCode} is not its API

$Ad->unbind;
exit 0;



Then you call it like so:

Code:
./changepw.pl accountCN NewPassword "AdminDN" AdminPassword "Search Base (i.e. DC=mydomain, DC=com)"


Then you can call the perl script from PHP and voila! The only bummer is that the passwords can temporarily be seen in the process table. I can think of numerous ways around it, perhaps sticking the passwords in a temporary file, changing the perl script to read them from the file, and deleting the file when you're done.

Anyway, hope that helps someone.
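bwhaley's workaround exposes both passwords in the process table for as long as the script runs, and the temporary-file variant he mentions leaves them on disk instead. Added example (editor's, not bwhaley's code): the PHP side of the same call, handing the two secrets to the child over a private stdin pipe so that only the non-secret arguments ever appear in argv, which on Unix any local user can read from ps or /proc/<pid>/cmdline. It assumes changepw.pl has been altered to read the new password and then the bind password as the first two lines of STDIN, with the account CN, bind DN and search base still on the command line; the script path, sample values and the PWRESET_BIND_PW variable are placeholders. The array form of proc_open needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Assumes changepw.pl reads
// "<new password>\n<bind password>\n" from STDIN instead of taking them
// from @ARGV. Script path and sample values are placeholders.

function run_changepw(string $script, string $uid, string $newPw,
                      string $bindDn, string $bindPw, string $base): array
{
    // Only non-secret arguments go into argv. The array form of proc_open
    // starts perl directly, so no shell quoting of $uid is needed either.
    $cmd  = ['perl', $script, $uid, $bindDn, $base];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => 1, 'out' => '', 'err' => 'could not start ' . $script];
    }

    // Secrets travel over the private stdin pipe and never touch argv or disk.
    fwrite($pipes[0], $newPw . "\n" . $bindPw . "\n");
    fclose($pipes[0]);

    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // proc_close() returns the child's exit status (0 on success).
    return ['exit' => proc_close($proc), 'out' => $out, 'err' => $err];
}

// Constructed inputs; PWRESET_BIND_PW is an assumed environment variable.
$bindPw = (string) getenv('PWRESET_BIND_PW');
if ($bindPw === '') {
    exit("PWRESET_BIND_PW not set\n");
}
$r = run_changepw('/usr/local/bin/changepw.pl', 'jdoe', 'Correct-Horse-Battery-42!',
                  'CN=pwreset-svc,OU=Service Accounts,DC=example,DC=com',
                  $bindPw, 'DC=example,DC=com');
if ($r['exit'] !== 0) {
    // Log $r['err'] server-side; never echo it to the browser.
    exit("password change failed\n");
}
echo "password changed\n";
```

The same approach works from a Windows/IIS host, where argv is just as visible through tasklist or WMI. Reading stdout to completion before stderr is fine here because the Perl script prints nothing; a chattier child would need the two pipes drained with stream_select() to avoid a deadlock.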

#15  Viper_SB, June 3rd, 2004, 03:11 PM
Here is the Perl code converted to PHP. Let me know if it doesn't work. (If it doesn't, then it's definitely a problem with PHP.)

PHP Code:
$uid = 'accountCN';
$newPassword = 'newpassword';
$bindDn = 'BindDN';
$bindPassword = 'BindPass';
$baseDn = 'dc=mysite,dc=com';
$protocolVersion = 3;

// unicodePwd can only be written over an encrypted session, so connect
// with ldaps:// (port 636) rather than plain ldap://
$ldap = ldap_connect('ldaps://localhost:636');
if ($ldap === false)
{
    exit('Malformed LDAP URI');
}
if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $protocolVersion))
{
    exit('Failed to set protocol version to '.$protocolVersion);
}
// Active Directory sends referrals; chasing them opens a fresh
// unauthenticated connection, so turn that off
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// bind anonymously so that we can verify if the server really is running
// (ldap_bind returns false on failure, which is the reliable test)
if (!@ldap_bind($ldap))
{
    exit('Could not connect to LDAP server: '.ldap_error($ldap));
}

// now bind with the correct username and password
if (!@ldap_bind($ldap, $bindDn, $bindPassword))
{
    exit('ERROR: '.ldap_error($ldap));
}

// escape the CN so that a crafted account name cannot change the filter
$filter = '(cn='.ldap_escape($uid, '', LDAP_ESCAPE_FILTER).')';
$searchResults = ldap_search($ldap, $baseDn, $filter, array('dn'));
// false means the search itself failed, not that nothing matched
if ($searchResults === false)
{
    exit('Search failed: '.ldap_error($ldap));
}
// an empty result is still a valid result, so check the entry count
if (ldap_count_entries($ldap, $searchResults) !== 1)
{
    exit('No user found');
}

// create the unicode password: the new password in double quotes, encoded
// as UTF-16LE (the per-character "\000" loop produced the same bytes for
// ASCII input only, and its {$str{$i}} offset syntax is gone in PHP 8)
$newPass = mb_convert_encoding('"'.$newPassword.'"', 'UTF-16LE', 'UTF-8');

$entry = ldap_first_entry($ldap, $searchResults);
if ($entry === false)
{
    exit('Couldn\'t get entry');
}
$userDn = ldap_get_dn($ldap, $entry);

// replace is an administrative reset; the bind account needs the
// "Reset Password" right on the user, and the result must be checked
if (!ldap_mod_replace($ldap, $userDn, array('unicodePwd' => $newPass)))
{
    exit('ERROR: '.ldap_error($ldap));
}
ldap_unbind($ldap);