PHP and IIS: LDAPS connection to change password

My goal is to change passwords in Active Directory through a web interface using PHP and IIS.

I followed the instructions http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/

Prior to following these instructions, I could not get an AD binding for the LDAPS connection; after following them it seems to connect successfully, but a "server does not want to execute" error message appears when I try to change the value of "unicodePwd".

Note that the code below will successfully change any other user value in AD.

<?php

$ldaprdn  = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******";  // associated password

$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");

ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";

        $username = '******';

        $dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";

        $newPassword = 'blah';

        $newEntry = array('unicodePwd' => encodePwd($newPassword));

        print_r($newEntry);

        if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
            print "<p>succeeded</p>";
        } else {
            print "<p>failed</p>";
        }

        print_r(ldap_error($ldapconn));

    } else {
        echo "LDAP bind failed...";
        print_r(ldap_error($ldapconn));
    }

}

// Credit: http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
// Wraps the password in double quotes, appends a NUL after every byte and
// base64-encodes the result (this is the encoding the answer below identifies as the problem).
function encodePwd($pw) {
    $newpw = '';
    $pw = "\"" . $pw . "\"";
    $len = strlen($pw);
    for ($i = 0; $i < $len; $i++)
        $newpw .= $pw[$i] . "\000";   // $pw{$i} syntax was removed in PHP 8
    $newpw = base64_encode($newpw);
    return $newpw;
}

?>

1 answer


SOLVED!!

It turns out that following Ashley Knowles' tutorial, I successfully established an SSL connection over LDAP; however, the error occurred because of the password encoding.

Credit for successfully encrypting the password goes to hd42 on this forum post, which allowed me to change the code accordingly.



Therefore, once you have correctly installed the certificates etc. on the hard drive of the IIS server, this code will successfully change the user's password in Active Directory using PHP via the IIS web server (assuming the $ldaprdn user has sufficient admin rights):

<?php

$ldaprdn  = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******";  // associated password

$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");

ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";

        $dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";

        $newPassword = 'blah';

        // AD expects the new password wrapped in double quotes and sent as raw UTF-16LE bytes
        $newPassword = "\"" . $newPassword . "\"";
        $newPass = mb_convert_encoding($newPassword, "UTF-16LE", "UTF-8");

        $newEntry = array('unicodePwd' => $newPass);

        print_r($newEntry);

        if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
            print "<p>succeeded</p>";
        } else {
            print "<p>failed</p>";
        }

        print_r(ldap_error($ldapconn));

    } else {
        echo "LDAP bind failed...";
        print_r(ldap_error($ldapconn));
    }

}

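As an added example (not code from the question or the answer), the encoding rule the answer lands on, side by side with the question's base64 helper so the byte-level difference is visible, plus a wrapper around the answer's ldap_mod_replace() call. The setAdPassword() function and its $ldapconn and $dn parameters are assumptions, not part of the original posts.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's or answerer's code. AD only accepts a
// unicodePwd value that is the new password wrapped in double quotes and
// encoded as raw UTF-16LE bytes; base64 or any other wrapping is rejected.
function encodeUnicodePwd(string $password): string
{
    if (!mb_check_encoding($password, 'UTF-8')) {
        throw new InvalidArgumentException('password must be valid UTF-8');
    }
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// The question's hand-rolled helper, kept only for comparison: it walks the
// string byte by byte (so multi-byte UTF-8 characters are split) and then
// base64-encodes the result, which is what made AD refuse the modify.
function encodePwdBase64(string $pw): string
{
    $pw = '"' . $pw . '"';
    $out = '';
    for ($i = 0, $len = strlen($pw); $i < $len; $i++) {
        $out .= $pw[$i] . "\000";
    }
    return base64_encode($out);
}

// Assumed wrapper around the answer's ldap_mod_replace() call: $ldapconn is
// an LDAP connection already bound over ldaps:// as a user allowed to reset
// the password, $dn is the target account. Logs the LDAP error on failure.
function setAdPassword($ldapconn, string $dn, string $password): bool
{
    $ok = ldap_mod_replace($ldapconn, $dn, ['unicodePwd' => encodeUnicodePwd($password)]);
    if (!$ok) {
        error_log('unicodePwd replace failed: ' . ldap_error($ldapconn));
    }
    return $ok;
}

// Offline check of both encoders on an ASCII and a non-ASCII password
// (constructed sample values; no directory connection needed).
foreach (['blah', 'pässwörd'] as $pw) {
    printf("%-10s raw UTF-16LE: %s\n", $pw, bin2hex(encodeUnicodePwd($pw)));
    printf("%-10s base64 (bad): %s\n", $pw, encodePwdBase64($pw));
    printf("%-10s loop bytes  : %s\n", $pw, bin2hex(base64_decode(encodePwdBase64($pw))));
}
```

Compare the "loop bytes" line for the non-ASCII password with the "raw UTF-16LE" line: the byte-wise loop emits each UTF-8 byte of ü and ö as its own code unit, whereas mb_convert_encoding() produces the single correct UTF-16LE unit.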