[英]Change Password in Active Directory using LDAP/PHP/IIS/SSL
First of all, this may be less of a programming question and more of a how do I configure LDAPS question, but here goes... 首先,这可能不是编程问题,而是更多关于如何配置LDAPS问题,但是这里...
Background Info: 背景信息:
I have two Windows 2008 R2 servers. 我有两个Windows 2008 R2服务器。 One is a domain controller (DC) with Active Directory (AD) that I want to communicate with via LDAP. 一个是带有Active Directory(AD)的域控制器(DC),我想通过LDAP与之通信。 This one is named TestBox.TestDomain.local. 这是一个名为TestBox.TestDomain.local。 The other server is running IIS, PHP (with ldap and openssl), and mySQL. 另一台服务器正在运行IIS,PHP(带有ldap和openssl)和mySQL。
What is/isn't working: 什么是/不起作用的:
I can successfully connect to the DC unsecured over port 389 and read/write data to AD. 我可以通过端口389成功连接到不安全的DC,并可以将数据读/写到AD。 What I can't do is change or set user passwords since this requires a secure connection using LDAPS (LDAP w/ SSL) over port 636. 我无法更改或设置用户密码,因为这需要使用LDAPS(带SSL的LDAPS)通过端口636进行安全连接。
What I need help with: 我需要什么帮助:
I have tried installing Active Directory Certificate Services (AD CS) and configuring the DC to act as a Certificate Authority (CA) using information found here: http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx but no matter what I try I can't get a connection over LDAPS to work. 我尝试使用以下位置的信息来安装Active Directory证书服务(AD CS)并将DC配置为充当证书颁发机构(CA): http : //technet.microsoft.com/zh-cn/library/cc770357(WS。)。 10).aspx,但是无论我如何尝试,都无法通过LDAPS建立连接以进行工作。
Sample Code: 样例代码:
Creating the LDAP Connection 创建LDAP连接
function ldapConnect(){
$ip = "100.200.300.400"; // WAN IP goes here;
$ldap_url = "ldap://$ip";
$ldaps_url = "ldaps://$ip";
$ldap_domain = 'testdomain.local';
$ldap_dn = "dc=testdomain,dc=local";
// Unsecure - WORKS
$ldap_conn = ldap_connect( $ldap_url ) or die("Could not connect to LDAP server ($ldap_url)");
//alternate connection method
//$ldap_conn=ldap_connect( $ip, 389 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 389)");
// Secure - DOESN'T WORK
//$ldap_conn = ldap_connect( $ldaps_url ) or die("Could not connect to LDAP server ($ldaps_url)");
//alternate connection method
//$ldap_conn=ldap_connect( $ip, 636 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 636)");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$username = "AdminUser";
$password = "AdminPass";
// bind using admin username and password
// could also use dn... ie. CN=Administrator,CN=Users,DC=TestDomain,DC=local
$result = ldap_bind($ldap_conn, "$username@$ldap_domain", $password ) or die("<br>Error: Couldn't bind to server using supplied credentials!");
if($result){
return $ldap_conn;
}else{
die("<br>Error: Couldn't bind to server using supplied credentials!");
}
}
Adding a New User to Active Directory 将新用户添加到Active Directory
function ldapAddUser($ldap_conn, $ou_dn, $firstName, $lastName, $username, $pwdtxt, $email){
$dn = "CN=$firstName $lastName,".$ou_dn;
## Create Unicode password
$newPassword = "\"" . $pwdtxt . "\"";
$len = strlen($newPassword);
$newPassw = "";
for($i=0;$i<$len;$i++) {
$newPassw .= "{$newPassword{$i}}\000";
}
$ldaprecord['cn'] = $firstName." ".$lastName;
$ldaprecord['displayName'] = $firstName." ".$lastName;
$ldaprecord['name'] = $firstName." ".$lastName;
$ldaprecord['givenName'] = $firstName;
$ldaprecord['sn'] = $lastName;
$ldaprecord['mail'] = $email;
$ldaprecord['objectclass'] = array("top","person","organizationalPerson","user");
$ldaprecord["sAMAccountName"] = $username;
//$ldaprecord["unicodepwd"] = $newPassw;
$ldaprecord["UserAccountControl"] = "544";
$r = ldap_add($ldap_conn, $dn, $ldaprecord);
// set password .. not sure if I need to base64 encode or not
$encodedPass = array('userpassword' => base64_encode($newPassw));
//$encodedPass = array('unicodepwd' => $newPassw);
echo "Change password ";
if(ldap_mod_replace ($ldap_conn, $dn, $encodedPass)){
echo "succeded";
}else{
echo "failed";
}
}
Just two pieces of advice: 仅有两点建议:
Afer that, you can just try to build a certificate and install it on the AD service account, like you can find it done with ADAM. 之后,您可以尝试构建证书并将其安装在AD服务帐户上,就像可以通过ADAM查找完成一样。
Did you create a certificate request for the secure Ldap with the correct OIDs? 您是否使用正确的OID为安全Ldap创建了证书请求?
here's my inf file: 这是我的inf文件:
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=my-server.blahblah.com" ; must be the FQDN of host
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 4096 ; Common key sizes: 512, 1024, 2048,
; 4096, 8192, 16384
KeySpec = 1 ; Key Exchange
KeyUsage = 0xF8 ; Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.8.2.2
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
OID=1.3.6.1.5.5.7.3.3
OID=1.3.6.1.5.5.7.3.4
OID=1.3.6.1.5.5.7.3.5
OID=1.3.6.1.5.5.7.3.6
OID=1.3.6.1.5.5.7.3.7
OID=1.3.6.1.5.5.7.3.8
OID=1.3.6.1.5.5.7.3.9
OID=1.3.6.1.4.1.311.10.3.4
OID=1.3.6.1.4.1.311.54.1.2
[RequestAttributes]
CertificateTemplate = MySpecialTemplate ;Omit line if CA is a stand-alone CA
SAN="my-server.blahblah.com"
YOU SHOULD MAKE A TEMPLATE ON THE CA USING THE 2003 (NOT ALL MICROSOFT PRODUCTS CAN UTILIZE 2008 TEMPLATES -- I KNOW STUPID HUH) COPY IT FROM DOMAIN CONTROLLER AND THROW THE KITCHEN SINK AT THE OIDS 您应该使用2003作为CA的模板(并不是所有的微软产品都可以利用2008的模板-我知道是很愚蠢的)从域控制器中复制并把厨房的水槽扔到OID上
Just make your connection as trust all. 只需使您的连接成为所有人的信任即可。 Then it will no longer need certificates. 然后它将不再需要证书。 Check out javax.net.sslTrustManager
. 检出javax.net.sslTrustManager
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.