My aim is to change passwords in Active Directory through a web interface using PHP & IIS.
I have been following the instructions on http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
Prior to following these instructions I could not get a bind to the AD for an LDAPS connection, however after following these instructions it seems to successfully connect, yet gives an error of "Server is unwilling to perform" when I attempt to change the "unicodePwd" value.
Please note that the code below will successfully change any other value of a user in the AD.
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$username = '******';
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newEntry = array('unicodePwd' => encodePwd($newPassword));
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}
// Credit: http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
function encodePwd($pw) {
$newpw = '';
$pw = "\"" . $pw . "\"";
$len = strlen($pw);
for ($i = 0; $i < $len; $i++)
$newpw .= "{$pw{$i}}\000";
$newpw = base64_encode($newpw);
return $newpw;
}
?>
SOLVED!!
It turns out that by following the Ashley Knowles tutorial, I was successfully establishing a SSL connection over LDAP, however the error was occurring because of the password encoding.
The credit for the successful password encoding goes to hd42 on this forum post, which enabled me to modify my code accordingly.
Therefore, once you have correctly installed the certificates etc in the harddrive on the IIS server, this code will successfully modify a user password in Active Directory using PHP through an IIS web server (assuming that the $ldaprdn user has sufficient admin rights):
<?php
$ldaprdn = 'CN=Admin User,OU=*******,OU=Staff,OU=********,DC=********,DC=*******,DC=******,DC=*****';
$ldappass = "*******"; // associated password
$ldapconn = ldap_connect("ldaps://***.***.***.***:636" ) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
$dn = "CN=Bob Smith,OU=******,OU=******,OU=******,DC=******,DC=******,DC=******,DC=******";
$newPassword = 'blah';
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$newEntry = array('unicodePwd' => $newPass);
print_r($newEntry);
if(ldap_mod_replace($ldapconn, $dn, $newEntry)) {
print "<p>succeded</p>";
} else {
print "<p>failed</p>";
}
print_r(ldap_error($ldapconn));
} else {
echo "LDAP bind failed...";
print_r(ldap_error($ldapconn));
}
}