使用PHP / COM / ADSI / LDAP更改AD密码

Question

I've been stumped on this for a couple days now. I've tried various solutions to no avail. Please help...

Problem: We have two domain controller, which are not under our management. We are able to connect via LDAP on port 389, but are not able to connect securely over port 636.

We are developing a system to allow a number of self-service facilities, one of which is a password recovery tool. This works up to the point of resetting the users password.

I have found some code via the PHP manual which appears to do what we need, but cant seem to get it to work.

This is the code I have thus far

if ($caller==="change"){
if (($newPword1 === NULL)||($newPword1 === "" )){ return false;}
if (($newPword2 === NULL)||($newPword2 === "" )){ return false;}
if ($newPword1 != $newPword2) {
  $result["ERROR"]="1";
  $result["DETAILS"]="Your new password and the confirmation must match!";
  exit();
}
try { 
    $adldap = new adLDAP(); 
} catch (adLDAPException $e) {
    $result["ERROR"]="1";
    $result["DETAILS"]="An error occurred in adLDAP";
    echo json_encode($result);
    exit();
}

$userinfo = $adldap->user()->info($username, array("givenname","dn","lockouttime"));
$res = $userinfo[0]["lockouttime"];
$userDN = $userinfo[0]["dn"];
$firstName = $userinfo[0]["givenname"];
$authUser = $adldap->authenticate($username,$currentPword);
if ($authUser){
    try {
        $adminUsername = $domain."\\".$adminUsername;
        $srvDN = "LDAP://".$server."/";

        try {
            $ADSI = new COM("LDAP:");
        } catch (exception $e){
            $result["ERROR"]="1";
            $result["ERRORmsg"]=$e->getMessage();
            echo json_encode($result);
            exit();
        }
        try {
            $user = $ADSI->OpenDSObject($srvDN.$userDN, $adminUsername, $adminPassword, 1);
        } catch (exception $e){
            $result["ERROR"]="2";
            $result["ERRORmsg"]= $e->getMessage();
            echo json_encode($result);
            exit();
        }
        try { //set password
            if ($user){
                $result["object"]="Success";
            } else {
                $result["object"]="Failed";
            }
            $user->SetPassword($newPword1);  //line:114 -> error occurring on this line
            $user->SetInfo();
            $result["ERROR"]="0";
            $result["DETAILS"]="Thank you $firstName[0]<br><strong>Your password has been changed</strong><br><br>This may take up to 30 minutes to take effect depending on your location";
        } catch (exception $e) {
            $result["ERROR"]="3";
            $result["ERRORmsg"]=$e." - ".$e->getMessage();
            $result["DETAILS"]="An Error Occurred.";
        }
        unset($user);
        unset($ADSI);
    } catch (exception $e){
        $result["ERROR"]="1";
        $result["DETAILS"]="An Error Occurred in the ADSI COM";
        echo json_encode($result);
        exit();
    }
} else {
    if ($res[0] != "0"){
        $result["ERROR"]="1";
        $result["DETAILS"]="Im sorry $firstName[0].<br>Your account is now locked.  Please contact the IT Service Desk for advice";
    } else {
        $result["ERROR"]="1";
        $result["DETAILS"]="Im sorry $firstName[0].<br>Your current password is incorrect";
    }
}

In testing $result["object"] returns "Success". But the code seems to fail on the $user->SetPassword($newPword1); line.

The error that is being returned is:

ERROR -> "3"
object -> "Success"
ERRORmsg -> "exception 'com_exception' with message '<b>Source:</b> Unknown<br/><b>Description:</b> Unknown' in C:\inetpub\wwwroot\<path>\<filename>.php:114
Stack trace:
#0 C:\inetpub\wwwroot\<path>\<filename>.php(114): variant->SetPassword('P@ssw0rd')
#1 {main} - <b>Source:</b> Unknown<br/><b>Description:</b> Unknown"
DETAILS -> "An Error Occurred."

The above code is in a php doc on an IIS Web Server which is called by a user viewable page over https

Are you able to offer any advice or guidance?

Answer 1

I'm doing pretty much the same thing and have now got it to work, at least when targeting a Server 2k8R2 DC.

I'm not sure why you're getting the failure you are but a couple of things I've found helpful are:

1) In your catch() handler retrieve the error returned from SetPassword(), process and display it as follows

$rawErr = $e->getCode();
$processedErr = $rawErr + 0x100000000;
printf( 'Error code 0x%x', $processedErr );

Then see if you can find it listed here . You may also find this helpful.

2) Try varying the SetPassword() call to ChangePassword(). This requires that you enter the old password too but has less stringent privilege requirements on the DC. If you can get that to work it could suggest that your problem with SetPassword() is that the admin account you're using to authenticate in the OpenDSObject() call does not have sufficient privileges on the target domain.

A word of warning though about ChangePassword() which is that, unlike SetPassword(), password policy is strictly enforced. So you need to take account of things like minimum password age and complexity, and also history. I came unstuck on that last one.

Very best of luck with it, Ian.

Answer 2

I've found that the OS you're using has a direct impact on using this code.

I was doing my development work on my desktop using a local version IIS (Windows 7 Enterprise, IIS 7.5) and kept running into this unknown error.

However, Once I tested my ADSI password reset code on an actual server (Windows Server 2008 R2), it worked flawlessly.

---

For reference: The error code I got (using Ian's answer) was 0x80020009 which appears to be related to this question: ( Registering a dll returns 0x80020009 error )

So whatever is going wrong appears to be deeper than ADSI and PHP/COM.

NOTE: Like ChrisM, I was able to use the ADSI connection to query information the failure only occurred when I tried to use SetPassword()