PHP LDAP and Active Directory rides again
Posted: Wed Oct 23, 2002 10:47 am
by NoReason
Ok, well I was able to figure out a way to get a user reactivated after adding them via ldap_add().
Using ldap_modify() and setting the following flag.
$extra["userAccountControl"][0] = 544; // 512 NORMAL_ACCOUNT + 32 PASSWD_NOTREQD
ldap_modify($ds, $dn, $extra);
544 active, 546 inactive.
Easy enough, now I can add users and activate and deactivate them, but there still seems to be no way to set/reset a password.
I even pulled all of the attributes off of a user object to determine if there is a value I can set the same way I set the userAccountControl, but no dice there. I can see when it was changed, but still cannot change it via LDAP.
Anyone have an answer?
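As an added example (editor's code, not from the thread), here is what the 544/546 values are and how to toggle them without magic numbers: 544 is NORMAL_ACCOUNT (512) plus PASSWD_NOTREQD (32), and 546 is the same plus ACCOUNTDISABLE (2). PASSWD_NOTREQD is the bit that lets a freshly added account be enabled with no password at all, so it is worth clearing once a password has been set. The host, DNs and AD_* environment variables are placeholders; the code assumes PHP's ldap extension and an account with rights to modify the target object.

```php
<?php
// Added example, not code from the thread. Enables or disables an AD user by
// flipping the ACCOUNTDISABLE bit of userAccountControl rather than writing the
// magic numbers 544/546. Bit names and values are Microsoft's documented UF_* flags.
// Host, DNs and credentials are placeholders; $ldap is a bound connection from
// ldap_connect()/ldap_bind() with rights to modify the target object.

const UF_ACCOUNTDISABLE     = 0x0002;  // account disabled
const UF_PASSWD_NOTREQD     = 0x0020;  // a blank password is acceptable
const UF_NORMAL_ACCOUNT     = 0x0200;  // ordinary user object
const UF_DONT_EXPIRE_PASSWD = 0x10000; // password never expires

// 544 = NORMAL_ACCOUNT | PASSWD_NOTREQD; 546 = 544 | ACCOUNTDISABLE. The
// PASSWD_NOTREQD bit is what lets an ldap_add()ed user be enabled before a
// password exists, so clear it once the real password has been set.

// Names of the known flag bits set in $uac, e.g. uac_describe(546).
function uac_describe(int $uac): array
{
    $names = [
        UF_ACCOUNTDISABLE     => 'ACCOUNTDISABLE',
        UF_PASSWD_NOTREQD     => 'PASSWD_NOTREQD',
        UF_NORMAL_ACCOUNT     => 'NORMAL_ACCOUNT',
        UF_DONT_EXPIRE_PASSWD => 'DONT_EXPIRE_PASSWD',
    ];
    $set = [];
    foreach ($names as $bit => $name) {
        if (($uac & $bit) !== 0) {
            $set[] = $name;
        }
    }
    return $set;
}

// Read the current value; ldap_get_entries() lower-cases attribute names.
function uac_read($ldap, string $dn): int
{
    $res = ldap_read($ldap, $dn, '(objectClass=*)', ['userAccountControl']);
    if ($res === false) {
        throw new RuntimeException('ldap_read: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $res);
    if ($entries['count'] < 1 || !isset($entries[0]['useraccountcontrol'][0])) {
        throw new RuntimeException("no userAccountControl on $dn");
    }
    return (int) $entries[0]['useraccountcontrol'][0];
}

// Write a new value; AD expects the integer as a decimal string.
function uac_write($ldap, string $dn, int $uac): void
{
    if (!ldap_mod_replace($ldap, $dn, ['userAccountControl' => [(string) $uac]])) {
        throw new RuntimeException('ldap_mod_replace: ' . ldap_error($ldap));
    }
}

// Set or clear ACCOUNTDISABLE, leaving every other bit as it was. Returns the
// value written (544 -> 546 when disabling the thread's example account).
function ad_set_enabled($ldap, string $dn, bool $enabled): int
{
    $uac = uac_read($ldap, $dn);
    $uac = $enabled ? ($uac & ~UF_ACCOUNTDISABLE) : ($uac | UF_ACCOUNTDISABLE);
    uac_write($ldap, $dn, $uac);
    return $uac;
}

// Clear PASSWD_NOTREQD (544 -> 512) so the account can no longer have an empty password.
function ad_require_password($ldap, string $dn): int
{
    $uac = uac_read($ldap, $dn) & ~UF_PASSWD_NOTREQD;
    uac_write($ldap, $dn, $uac);
    return $uac;
}

// Usage: AD_HOST, AD_BIND_DN, AD_BIND_PW and AD_USER_DN are placeholder environment variables.
if (PHP_SAPI === 'cli' && getenv('AD_HOST') !== false) {
    $ldap = ldap_connect('ldaps://' . getenv('AD_HOST'));
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_bind($ldap, getenv('AD_BIND_DN'), getenv('AD_BIND_PW'));
    $dn = getenv('AD_USER_DN');
    printf("before: %s\n", implode('|', uac_describe(uac_read($ldap, $dn))));
    $uac = ad_set_enabled($ldap, $dn, false);
    printf("after:  %d (%s)\n", $uac, implode('|', uac_describe($uac)));
    ldap_unbind($ldap);
}
```

Reading the current value before writing matters: a hard-coded 544 silently wipes any other bit an administrator has set on the object (DONT_EXPIRE_PASSWD, smart-card requirements and so on), while the bit operations above only touch the one flag being changed.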
run this up the flagpole again...
Posted: Thu Jan 09, 2003 9:04 am
by purephase
I'm having the same problem.
I believe the problem with password sync through LDAP is the slight modifications Microsoft made to their LDAP implementation in Active Directory.
Unfortunately the RFC standard they decided to build the product on leaves the ticket generation method at the "developer's discretion", thus leaving Microsoft the ability to lock out even their own web-based scripting language (ASP) from changing user passwords in Active Directory.
The only way I could find to get around this was the following:
Encode the password in a format that only the administrators know about and dump it (with account information) to a file on a share.
Then run a remote script, which also knows the encryption method for the password, which grabs the file from the share and changes the account information accordingly.
It's sort of a hassle, but it works.
Hope this helps.
But, if anyone else knows a way to get around the password hashing in Active Directory and make it work with standard LDAP queries/binds...
Please respond!
p.
LDAP and VB
Posted: Fri Jan 10, 2003 9:15 pm
by NoReason
Well, as it stands now, I am using LDAP to sync between my SQL DB and AD for user adds/activations, deactivations etc.
For password sync, I am having to do a separate export to a VB script that does the password modifications.
And you are right, there is a Knowledge Base article about using LDAP to sync with AD, but its example was done for VB... I have yet to find a way to sync using PHP.
Posted: Sat Jan 11, 2003 12:41 am
by volka
I have no AD to access but maybe I can offer some hints.
- this is what I learned from knowledge base Q269190
- you need an SSL connection to the server, and this is what the PHP manual has to say about SSL:
To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and use ldaps://hostname/ as host parameter
- the "unicodePwd" attribute must be a Unicode string, and that's the part I can't figure out how to do in PHP. The module uses BER-encoded values, so this should not be the problem, but how to build a Unicode string....
There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.
The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was.
maybe it helps, but I doubt it
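As an added example (editor's code, not from the thread or the KB article), here is the unicodePwd write done from PHP. The "Unicode string" AD wants is the password wrapped in double quotes and encoded as UTF-16LE, which iconv() produces directly; the write is only accepted over an encrypted connection (ldaps:// or StartTLS). Both of the KB article's variants are shown: the administrator reset as a single replace, and the user change as a delete of the old value plus an add of the new one in one modify request. The host, DNs, passwords and AD_* environment variables are placeholders; iconv() and ldap_modify_batch() (PHP 5.4+) are assumed to be available.

```php
<?php
// Added example, not code from the thread or the KB article. Sets unicodePwd
// from PHP: AD needs an encrypted connection (LDAPS or StartTLS) and the value
// must be the password wrapped in double quotes and encoded as UTF-16LE.
// Host, DNs, passwords and the AD_* environment variables are placeholders;
// iconv() and ldap_modify_batch() (PHP 5.4+) are assumed to be available.

// Build the attribute value AD accepts. The quotes are part of the value and
// the encoding is UTF-16 little-endian with no byte-order mark.
function ad_encode_password(string $password): string
{
    $encoded = iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
    if ($encoded === false) {
        throw new InvalidArgumentException('password is not valid UTF-8');
    }
    return $encoded;
}

// Connect over LDAPS and bind. For a plain ldap:// URI, ldap_start_tls($ldap)
// before ldap_bind() gives the same protection; without either, AD refuses the
// unicodePwd write with unwillingToPerform.
function ad_connect(string $uri, string $bindDn, string $bindPassword)
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("unparsable LDAP URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($ldap, $bindDn, $bindPassword)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// AD puts the reason for a refused password write (no TLS, policy violation,
// history) in the diagnostic message rather than the bare result code.
function ad_last_error($ldap): string
{
    $detail = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    }
    return ldap_error($ldap) . ($detail ? " ($detail)" : '');
}

// Administrator reset: a single replace; the old password is not needed, and
// the bound account needs the "Reset Password" right on the target object.
function ad_reset_password($ldap, string $dn, string $newPassword): bool
{
    return ldap_mod_replace($ldap, $dn, ['unicodePwd' => [ad_encode_password($newPassword)]]);
}

// User change: delete the old value and add the new one in one modify request.
// AD checks the old password and enforces policy and history on this path.
function ad_change_password($ldap, string $dn, string $oldPassword, string $newPassword): bool
{
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [ad_encode_password($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [ad_encode_password($newPassword)]],
    ];
    return ldap_modify_batch($ldap, $dn, $mods);
}

// Usage (placeholders): reset the password of AD_USER_DN as the bind account.
if (PHP_SAPI === 'cli' && getenv('AD_HOST') !== false) {
    $ldap = ad_connect('ldaps://' . getenv('AD_HOST'), getenv('AD_BIND_DN'), getenv('AD_BIND_PW'));
    $dn = getenv('AD_USER_DN');
    if (!ad_reset_password($ldap, $dn, getenv('AD_NEW_PW'))) {
        fwrite(STDERR, 'reset failed: ' . ad_last_error($ldap) . "\n");
        exit(1);
    }
    echo "password reset for $dn\n";
    ldap_unbind($ldap);
}
```

Put together with the userAccountControl trick from the first post, the provisioning order that avoids a window with an enabled, passwordless account is: ldap_add() the user disabled, reset the password over LDAPS as above, then write userAccountControl 512 (NORMAL_ACCOUNT only, with PASSWD_NOTREQD cleared) to enable it. The replace-only reset is the one a sync script should use; it bypasses the old-password check but still runs through the domain password policy, so a rejected write usually means the new value fails length, complexity or history rules rather than an encoding problem.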
