使用 PHP 将用户密码添加到 AD

Question

My API (wrote in PHP) needs to register a new user in an AD. It's like the userPassword attribute does not set the password of the user (so he cannot log in).

Things I've tried :

• Send the password in plain text : nOK
• Send the password with Base64 encoding : nOK

I've read an article ( see here ) about unicodePwd and the use of LDAPS, but I'm not really sure how to implement this.

I'm actually working with a non-TLS LDAP connection (it's on a local network so I don't need it) on Win2k16 (latest version).

Domain is secureconnect.online (in my code it's .local but don't mind about it).

Here's my code :

public function addUser()
{
// LDAP variables
$ldap_username = $this->ldap_creds['username'];
$ldap_password = $this->ldap_creds['password'];
$ldapuri = $this->ldap_creds['uri'];

// LDAP connection
$link_id = ldap_connect($ldapuri);
if ($link_id) {

    ldap_set_option($link_id, LDAP_OPT_PROTOCOL_VERSION, 3);

    ldap_bind($link_id, $ldap_username, $ldap_password);

    $lastname = strtolower($this->validFormData[0]);
    $firstname = strtolower($this->validFormData[1]);

    $username = $firstname . $lastname;
    $display_name = ucwords($firstname) . " " . ucwords($lastname);

    $unhashed_pass = $this->validFormData[8];
    $encoded_newPassword = "{SHA}" . base64_encode(pack("H*", sha1($unhashed_pass)));

    $adduserAD["cn"] = $username;
    $adduserAD["givenname"] = ucwords($firstname);
    $adduserAD["sn"] = ucwords($lastname);
    $adduserAD["sAMAccountName"] = $username;
    $adduserAD['userPrincipalName'] = $this->validFormData[2];
    $adduserAD["objectClass"] = "user";
    $adduserAD["displayname"] = $display_name;
    $adduserAD["userPassword"] = $encoded_newPassword;
    $adduserAD["userAccountControl"] = "544";
    $adduserAD['postalCode'] = $this->validFormData[5];
    // Add city
    $adduserAD['l'] = $this->validFormData[6];
    // Add street address
    $adduserAD['streetAddress'] = $this->validFormData[4];

    $dn = 'OU=Users-VPN,DC=secureconnect,DC=local';
    $base_dn = 'cn=' . $adduserAD['cn'] . ',' . $dn;

    $req = ldap_add($link_id, $base_dn, $adduserAD);
    if ($req) {
        $this->result = $username;
        ldap_close($link_id);
    } else {
        $this->result = '{"error":"Contact Administrator"}';
    }
} else {
    $this->result = '{"error":"Cannot Connect To Ldap Server"}';
}
return $this->result;
}

Thank's in advance !

EDIT : So, I've installed an AD LDS with a trusted root certificate. Now when I'm trying to connect with TLS to the server through my API, I'm stuck at this error :

Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server

Here's the code :

/**
 * Method used to add and user to an LDAP annuary.
 * @return bool|string
 */
public function addUser()
{
    // LDAP variables
    $ldap_username = $this->ldap_creds['username'];
    $ldap_password = $this->ldap_creds['password'];
    $ldapuri = $this->ldap_creds['uri'];

    // Connexion LDAP
    $link_id = ldap_connect($ldapuri);
    if ($link_id) {

        ldap_set_option($link_id, LDAP_OPT_PROTOCOL_VERSION, 3);

        ldap_start_tls($link_id);
        echo "yeet";

        ldap_bind($link_id, $ldap_username, $ldap_password);

Everything beyond this snippet is the same as above.

What should I do ? Do I need to import the certificate to the Web server ?

Answer 1

We have some documentation that explains the process and requirements for using LDAP for Setting and Changing Microsoft Active Directory Passwords

• Yes you need encrypted connection
• By Default you need to use UnicodePwd (unless you Enable UserPassword in Microsoft Active Directory )

And there is a sample in JAVA that shows how we have performed the operation. Usually it works out best to create the user and then set the UnicodePwd value. We are not real sure why this is the case but issues have been encountered when attempting to both in one operation.

Additionally, often depending on your Microsoft Active Directory settings users are created as disabled and may need to be enabled to be effective.