PHP LDAP and Active Directory rides again

NoReason
Forum Commoner
Posts: 51
Joined: Tue Sep 10, 2002 6:19 pm

PHP LDAP and Active Directory rides again

Post by NoReason »

Ok, well I was able to figure out a way to get a user reactivated after adding them via ldap_add().

Using ldap_modify() and setting the following flag:

    $extra["userAccountControl"][0] = 544;

544 = active, 546 = inactive.

Easy enough, now I can add users and activate and deactivate them, but there still seems to be no way to set/reset a password.

I even pulled all the attributes off of a user object to determine if there is a value I can set the same way I set userAccountControl, but no dice there. I can see when it was changed, but still cannot change it via LDAP.

Anyone have an answer?
purephase
Forum Newbie
Posts: 1
Joined: Thu Jan 09, 2003 9:04 am

run this up the flagpole again...

Post by purephase »

I'm having the same problem.

I believe the problem with password sync through LDAP is the slight modifications Microsoft made to their LDAP implementation in Active Directory.

Unfortunately the RFC standard they decided to build the product on leaves the ticket generation method at the "developer's discretion", thus leaving Microsoft the ability to lock out even their own web-based scripting language (ASP) from changing user passwords in Active Directory.

The only way I could find to get around this was the following:

Encode the password in a format that only the administrators know about and dump it (with account information) to a file on a share.

Then run a remote script, which also knows the encryption method for the password, which grabs the file from the share and changes the account information accordingly.

It's sort of a hassle, but it works.

Hope this helps.

But, if anyone else knows a way to get around the password hashing in Active Directory and make it work with standard LDAP queries/binds...

Please respond! :)

p.
NoReason
Forum Commoner
Posts: 51
Joined: Tue Sep 10, 2002 6:19 pm

LDAP and VB

Post by NoReason »

Well, as it stands now, I am using LDAP to sync between my SQL DB and AD for user adds/activations, deactivations etc.

For password sync, I am having to do a separate export to a VB script that does the password modifications.

And you are right, there is a knowledge base article about using LDAP to sync with AD, but its example was done in VB... I have yet to find a way to sync using PHP.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

I have no AD to access but maybe I can offer some hints.
  • this is what I learned from knowledge base Q269190
  • you need an SSL-connection to the server and this is what the php-manual has to say about ssl
    To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and use ldaps://hostname/ as host parameter
  • the "unicodePwd" attribute must be a Unicode string and that's the part I can't figure out how to do in PHP 8O . The module uses BER-encoded values, so this should not be the problem, but how to build a Unicode string....
  • There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.
  • The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password become the new password, regardless of what the old password was.
maybe it helps, but I doubt it :(
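The procedure volka quotes from Q269190, written out in PHP as an added example (this is not code from the original thread or from any of the posters). The "Unicode string" AD wants for unicodePwd is the quoted password encoded as UTF-16LE, which PHP's ldap extension passes through binary-safe. The host, bind DN, user DN and passwords are placeholders; the example assumes the mbstring extension for the encoding and ldap_modify_batch() (available since PHP 5.4.26/5.5.10) for the delete-plus-add form, since ldap_mod_del() followed by ldap_mod_add() would be two separate requests rather than the single modify request the KB article requires. It also clears the PASSWD_NOTREQD bit (0x20) that the thread's 544/546 values carry, once the account has a real password.

```php
<?php
// Added example, not from the original thread. Sets an Active Directory
// password over LDAPS with PHP's ldap extension. Host, DNs and passwords
// are placeholders.

/**
 * AD's unicodePwd attribute expects the password, INCLUDING the surrounding
 * double quotes, as UTF-16LE. Requires the mbstring extension.
 */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Administrative reset: a single replace, old password not needed.
 * The bound account needs the "Reset password" right on the target user.
 */
function resetPassword($ldap, string $userDn, string $newPassword): bool
{
    return ldap_mod_replace($ldap, $userDn, [
        'unicodePwd' => encodeUnicodePwd($newPassword),
    ]);
}

/**
 * User-initiated change: delete of the old value and add of the new one in
 * ONE modify request, which is what ldap_modify_batch() sends. AD enforces
 * the old password, minimum password age and history on this path.
 */
function changePassword($ldap, string $userDn, string $oldPassword, string $newPassword): bool
{
    return ldap_modify_batch($ldap, $userDn, [
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_REMOVE,
            'values'  => [encodeUnicodePwd($oldPassword)],
        ],
        [
            'attrib'  => 'unicodePwd',
            'modtype' => LDAP_MODIFY_BATCH_ADD,
            'values'  => [encodeUnicodePwd($newPassword)],
        ],
    ]);
}

// --- usage (placeholder host, DNs and passwords) ----------------------------
// AD only accepts unicodePwd over an encrypted channel, hence ldaps:// (636).
// The DC certificate must chain to a CA the LDAP library trusts; do not paper
// over a failing handshake with LDAPTLS_REQCERT=never.
$ldap = ldap_connect('ldaps://dc01.example.com');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

if (!ldap_bind($ldap, 'CN=svc-provision,OU=Service Accounts,DC=example,DC=com', 'service-account-password')) {
    die('bind failed: ' . ldap_error($ldap));
}

$userDn = 'CN=jdoe,OU=Users,DC=example,DC=com';

if (!resetPassword($ldap, $userDn, 'N3w-P@ssw0rd!')) {
    // Error 53 "Server is unwilling to perform" usually means the connection
    // is not encrypted or the new password violates domain password policy.
    die('reset failed: ' . ldap_error($ldap));
}

// The account now has a real password: drop PASSWD_NOTREQD (0x20).
// 512 = NORMAL_ACCOUNT (enabled), 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE (2).
if (!ldap_mod_replace($ldap, $userDn, ['userAccountControl' => '512'])) {
    die('userAccountControl update failed: ' . ldap_error($ldap));
}

ldap_unbind($ldap);
```

For the user-change path, bind as the user (or any account) and call changePassword() with the current and new password; for the reset path the bound account needs the reset right, and nothing about the old password is checked. Both forms fail with "unwilling to perform" on a plain ldap:// connection, which is the usual reason a script that works for userAccountControl fails for unicodePwd.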