
Any way to check if a user account is locked via PHP/LDAP?

We've created an intranet site that requires the same password as the user's network login, so we use LDAP to check the username/password.

You need to connect to the LDAP using the LDAP functions in PHP and perform search/read to locate and get the information. You can read about it here: http://us3.php.net/manual/en/book.ldap.php

Find a sample code for reading entries:

// Connection parameters ($ldapip, $ldapport, $admindn, $adminpwd, $userbasedn,
// $filter) are assumed to be set before this point.
if (!($ldap = ldap_connect($ldapip, $ldapport))) {
    die("Error: Unable to connect to the LDAP server");
}
if (!ldap_bind($ldap, $admindn, $adminpwd)) {
    die("Error: Unable to bind as '$admindn'!");
}

$sr   = ldap_search($ldap, $userbasedn, $filter);
$info = ldap_get_entries($ldap, $sr);

if ($info["count"] > 0) {
    $entry        = ldap_first_entry($ldap, $sr);
    $return_array = ldap_get_attributes($ldap, $entry);
    if ($return_array) {
        // $return_array[$i] is the attribute name; its first value is at [name][0]
        for ($i = 0; $i < $return_array['count']; $i++) {
            print($return_array[$i]);
            print($return_array[$return_array[$i]][0]);
        }
    }
}

You might want to check for the fields lockoutTime in AD and nsaccountlock in LDAP, and read them.

Without a standard "lockout" field I would use an LDAP browser to compare an account before and after a lockout. You can use LBE (LDAP Browser/Edit) to extract LDIF files of a user object and then use your favorite diff tool to compare them.

Doesn't that defeat the idea of having a shared logon?

If your intranet site allows more trials than the network login, it can be used to find the password for a user.

One of the AD profile attributes is userAccountControl. It contains a decimal value which can be converted into readable form here:

Locked can refer to multiple cases, normally:

  • ACCOUNTDISABLE 2 / 0x0002 (hex)
  • PASSWORD_EXPIRED 8388608 / 0x800000
  • LOCKOUT 16 / 0x0010

It's 2022 and this is still a relevant question. I had to code similar logic to query an Active Directory and find out if a user account is locked. The accepted answer didn't really help me. Here is a sample code that worked for me:

function isAccountLocked($ldapconn, $userDn)
{
    // msDS-User-Account-Control-Computed is a bitmask; check the docs here:
    // https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-user-account-control-computed
    // 16      - Account locked (by many unsuccessful login attempts)
    // 8388608 - Password expired
    // 2       - Account disabled -> not tested.
    $read = ldap_read($ldapconn, $userDn, "(objectclass=*)", array("msds-user-account-control-computed")) or die("Not found");
    $info = ldap_get_entries($ldapconn, $read);
    $attributeValue = 0;
    // ldap_get_entries() lower-cases attribute names
    if (isset($info[0]["msds-user-account-control-computed"][0])) {
        $attributeValue = (int) $info[0]["msds-user-account-control-computed"][0];
    }
    // Test the individual bits: other flags may be set in the same value,
    // so comparing the whole value with == 16 would miss a locked account.
    return ($attributeValue & 16) != 0 || ($attributeValue & 8388608) != 0;
}

Also, you could query the msds-user-account-control-computed attribute using ldapsearch in a Linux terminal. But, to show it in the result, you MUST include msds-user-account-control-computed in the filter. Otherwise, ldapsearch won't return it by default. Check the example below:

ldapsearch -x -h activedirectoryhost.example.com -LLL -b "dc=example,dc=com" -D "CN=user,OU=SOME_OU,DC=example,DC=com" "(sAMAccountName=user)" -W cn msDS-User-Account-Control-Computed

Surprisingly enough, a PowerShell query will return a LockedOut attribute that tells exactly what we want, but other LDAP clients won't return it. A sample PowerShell query would be as follows:

Get-ADUser user -Properties * | Select-Object LockedOut

Here are some other useful links:

https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#property-flag-descriptions

https://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/ADSchema/a-msds-user-account-control-computed.md
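An added example, not code from any of the answers above: it tests the userAccountControl / msDS-User-Account-Control-Computed flags bit by bit as the flag list above describes, and converts the lockoutTime attribute from the earlier answer. The LDAP result is a constructed array shaped like ldap_get_entries() output, and the function names are my own.

```php
<?php
// Added example, not from the answers above. Flag values are from the
// Microsoft userAccountControl documentation linked above.
const UAC_ACCOUNTDISABLE   = 0x0002;
const UAC_LOCKOUT          = 0x0010;
const UAC_PASSWORD_EXPIRED = 0x800000;

// First value of an attribute in an ldap_get_entries() result.
// ldap_get_entries() lower-cases attribute names, so normalise the lookup.
function firstAttrValue(array $entries, string $attr, $default = null)
{
    $attr = strtolower($attr);
    if (($entries['count'] ?? 0) < 1 || !isset($entries[0][$attr][0])) {
        return $default;
    }
    return $entries[0][$attr][0];
}

// lockoutTime is a Windows FILETIME (100-ns intervals since 1601-01-01 UTC);
// 0 means never locked. Note: a non-zero value can be stale once lockoutDuration
// has passed, which is why the computed attribute is the reliable "locked" signal.
function lockoutTimeToUnix(string $filetime): ?int
{
    $ft = (int) $filetime;
    return $ft > 0 ? intdiv($ft, 10000000) - 11644473600 : null;
}

// Classify an account from an ldap_get_entries() result fetched with all three
// attributes. ACCOUNTDISABLE is stored in userAccountControl; LOCKOUT and
// PASSWORD_EXPIRED are only reliable in msDS-User-Account-Control-Computed.
function accountStatus(array $entries): array
{
    $uac      = (int) firstAttrValue($entries, 'userAccountControl', 0);
    $computed = (int) firstAttrValue($entries, 'msDS-User-Account-Control-Computed', 0);
    return [
        'disabled'        => ($uac & UAC_ACCOUNTDISABLE) !== 0,
        'locked'          => ($computed & UAC_LOCKOUT) !== 0,
        'passwordExpired' => ($computed & UAC_PASSWORD_EXPIRED) !== 0,
        'lockedSince'     => lockoutTimeToUnix(firstAttrValue($entries, 'lockoutTime', '0')),
    ];
}

// Constructed sample: NORMAL_ACCOUNT (512), locked out since 2022-01-01 UTC, password expired.
$sample = [
    'count' => 1,
    0 => [
        'useraccountcontrol'                 => ['count' => 1, 0 => '512'],
        'msds-user-account-control-computed' => ['count' => 1, 0 => (string) (UAC_LOCKOUT | UAC_PASSWORD_EXPIRED)],
        'lockouttime'                        => ['count' => 1, 0 => '132854688000000000'],
    ],
];
print_r(accountStatus($sample));
```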

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM