mattrude / changepassword.php
Thanks very much. It works well.
I wanted this!
Thank you very much! (from Japan)
I do not have the anonymous binding feature; how can I avoid Error E200? Thanks
Saved me 🙂 It works as it should, thank you very much!
"E201 — Your password cannot be change, please contact the administrator." Can you help me?
E201 means that your server might require a rootdn to change some LDAP attributes. To do this, specify your root DN by inserting these two variables in the changePassword function:

```php
$rootdn = "cn=Manager,dc=mycompany,dc=com";
$rootpwd = "mysecretkeys";
```

Approximately at line 93, insert the following code:

```php
/* And finally, change the password */
$entry = array();
$entry["userPassword"] = "$encoded_newPassword";
/* rebind as the rootdn before the modify (the bind result is not checked here) */
$r = ldap_bind($con, $rootdn, $rootpwd);
```

At line 95, modify the conditional statement to this:

```php
/* parentheses around the assignment: without them PHP compares first and assigns a bool to $r */
if (($r = ldap_modify($con, $user_dn, $entry)) === false) {
    $error = ldap_error($con);
    $errno = ldap_errno($con);
    $message[] = "E201 - Your password cannot be changed, please contact the administrator.";
    $message[] = "$errno - $error";
}
```
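A way to make the same change without a rootdn credential in the web application at all, as an added example that is neither the gist's code nor the commenter's: the user proves the current password by binding, and the new password is set through the RFC 3062 Password Modify extended operation (ldap_exop_passwd, PHP 7.2 or later), so the server does its own hashing and policy enforcement. The server URI, the base DN and the uid=name,base DN layout are assumptions; the error strings reuse the E101/E201 wording from the gist.

```php
<?php
/* Added example, not the gist's or the commenter's code. Assumed layout: an LDAPS server with
   users at uid=<name>,<base>; the server must implement the RFC 3062 Password Modify operation
   (OpenLDAP does) and its ACL must grant "by self write" on userPassword. */
const LDAP_URI  = "ldaps://ldap.mycompany.com";      // placeholder
const LDAP_BASE = "dc=mycompany,dc=com";             // placeholder

/* Change the caller's own password. Returns null on success, otherwise an error string in the
   gist's "Exxx - text" style. No rootdn credential is needed or present here. */
function change_own_password(string $uid, string $oldPw, string $newPw): ?string {
    $con = ldap_connect(LDAP_URI);
    if ($con === false) {
        return "Invalid LDAP URI";
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Escape the uid for use inside a DN, then bind as the user: this is the "current password
    // is correct" check. Reject an empty password first, because ldap_bind() would treat it as
    // an anonymous bind and report success.
    $dn = "uid=" . ldap_escape($uid, "", LDAP_ESCAPE_DN) . "," . LDAP_BASE;
    if ($oldPw === "" || !@ldap_bind($con, $dn, $oldPw)) {
        ldap_unbind($con);
        return "E101 - Current Username or Password is wrong.";
    }

    // Password Modify extended operation: the server hashes the value with its configured
    // scheme and applies its password policy; the client never writes userPassword directly.
    $r = ldap_exop_passwd($con, $dn, $oldPw, $newPw);
    if ($r === false) {
        $msg = "E201 - Your password cannot be changed, please contact the administrator. "
             . ldap_errno($con) . " - " . ldap_error($con);
        ldap_unbind($con);
        return $msg;
    }
    ldap_unbind($con);
    return null;
}
```

If the server rejects the operation with "insufficient access", the fix is an ACL entry on userPassword rather than a rootdn bind in the PHP code.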
I keep getting the error "Error E101 — Current Username or Password is wrong." even when my username and password are correct.
When I commented out the line error_reporting(0), I get a warning on line 34 that says "Warning: ldap_search(): Search: Bad search filter". For my LDAP instance, I have modified line 34 to $user_search = ldap_search($con,$dn,"(|(User Name=$user)(Email=$email_user))"); and I supply the value for $email_user to the function.
Am I missing something? Any suggestions would be greatly appreciated. Thanks
Worked directly, this is timesaving thanks
Same problem as narayan8291.
I am using CentOS 7.
Are you sure "userPassword" is the correct attribute to change the password? I found many samples with the "unicodePwd" attribute.
What's the difference between these two fields?
Could you add/insert Samba password linkage to this fine PHP? Something nicked from this would be OK by me:

```php
<?php
/* NT (Samba) hash: MD4 over the UTF-16LE form of the password. */
function ntpasswd($Input) {
    // Convert the password from UTF8 to UTF16 (little endian)
    $Input = iconv('UTF-8', 'UTF-16LE', $Input);
    $MD4Hash = hash('md4', $Input);
    // Make it uppercase, not necessary, but it's common to do so with NTLM hashes
    $NTLMHash = strtoupper($MD4Hash);
    // Return the result
    return $NTLMHash;
}

function checknt($passwd, $hash) {
    return hash_equals(ntpasswd($passwd), strtoupper($hash));
}

/* Salted SHA-1 in the {SSHA} form that OpenLDAP stores in userPassword. */
function sshapasswd($input) {
    // 4 random salt bytes (the posted version seeded mt_rand() from the clock and pid)
    $salt = random_bytes(4);
    $passwd_sha1 = sha1($input . $salt, TRUE);
    $result = '{SSHA}' . base64_encode($passwd_sha1 . $salt);
    if (!checkssha($result, $input)) return null;
    else return $result;
}

function checkssha($input, $passwd) {
    // drop the 6-byte "{SSHA}" prefix, then split into the 20-byte hash and the 4-byte salt
    $orig = base64_decode(substr($input, 6));
    $hash = substr($orig, 0, 20);
    $salt = substr($orig, 20, 4);
    return hash_equals($hash, sha1($passwd . $salt, TRUE));
}

/* DN of the account; the uid is escaped so a crafted user name cannot alter the DN. */
function user_dn($username) {
    global $ldap_base;
    # Assume uid=username,searchbase
    return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $ldap_base;
}

function check_ldap_passwd($username, $passwd) {
    global $ldap, $ldap_host;
    $ldap = ldap_connect($ldap_host);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // an empty password would turn this into an anonymous bind, which succeeds
    if ($passwd === '') return FALSE;
    return @ldap_bind($ldap, user_dn($username), $passwd);
}

/* Bind with the admin account if no connection exists yet. */
function admin_connect() {
    global $ldap, $ldap_host, $admin_dn, $admin_pw;
    if ($ldap == null) {
        // Odd, this should've been done already.
        $ldap = ldap_connect($ldap_host);
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        if (!@ldap_bind($ldap, $admin_dn, $admin_pw)) {
            die("An error occurred.");
        }
    }
}

/* Read the account entry and return array($entry, $userdn); dies on 0 or >1 results. */
function find_account($username) {
    global $ldap;
    $res = ldap_search($ldap, user_dn($username), '(objectClass=posixAccount)');
    $n = ($res === false) ? 0 : ldap_count_entries($ldap, $res);
    if ($n > 1) {
        die('Something is wrong- more than one search result.');
    } else if ($n == 0) {
        die('Something is wrong- You logged in but I can\'t find you anymore.');
    }
    $entry = ldap_first_entry($ldap, $res);
    return array($entry, ldap_get_dn($ldap, $entry));
}

/* Modification set that writes both hashes, adding objectClass sambaSamAccount if missing. */
function samba_mods($entry, $userdn, $passwd) {
    global $ldap;
    $obj = array();
    // Does this account already have objectClass: sambaSamAccount?
    if (!ldap_compare($ldap, $userdn, 'objectClass', 'sambaSamAccount')) {
        // Have to get other objectClass values, too.
        $object = ldap_get_attributes($ldap, $entry);
        unset($object['objectClass']['count']);
        $obj['objectClass'] = $object['objectClass'];
        $obj['objectClass'][] = 'sambaSamAccount';
    }
    $obj['userPassword'] = sshapasswd($passwd);
    $obj['sambaNTPassword'] = ntpasswd($passwd);
    $obj['sambaPwdLastSet'] = (string) time();
    return $obj;
}

/* User changes their own password after proving the current one. */
function change_ldap_passwd($username, $passwd, $new) {
    global $ldap;
    if ($ldap == null) {
        // Odd, this should've been done already.
        if (!check_ldap_passwd($username, $passwd)) return NULL;
    }
    list($entry, $userdn) = find_account($username);
    return @ldap_modify($ldap, $userdn, samba_mods($entry, $userdn, $new));
}

/* Administrative reset, bound as $admin_dn. */
function change_ldap_passwd_admin($username, $passwd) {
    global $ldap;
    admin_connect();
    list($entry, $userdn) = find_account($username);
    // (the posted version echoed both new hashes to the page here; that line is dropped)
    return @ldap_modify($ldap, $userdn, samba_mods($entry, $userdn, $passwd));
}

function check_nt_passwd($username, $password) {
    global $ldap;
    $ldap = null;   // the posted version always opened a fresh admin connection here
    admin_connect();
    list($entry, $userdn) = find_account($username);
    $object = ldap_get_attributes($ldap, $entry);
    if (isset($object['sambaNTPassword'])) {
        return checknt($password, $object['sambaNTPassword'][0]);
    } else {
        return null;
    }
}

function check_ldap_user($username) {
    global $ldap;
    admin_connect();
    $res = @ldap_search($ldap, user_dn($username), '(objectClass=posixAccount)');
    return $res !== false && @ldap_count_entries($ldap, $res) == 1;
}
```
# PHP Active Directory User Password Change Script
Archie Gunasekara 01.05.2015
- Make sure your PHP install has both the ldap and openssl extensions enabled.
- Windows/Linux procedure
- Verify the ldap.conf file settings.
- For Windows, verify that the C:\openldap\sysconf\ldap.conf file exists.
- For Linux, verify that the /etc/openldap/ldap.conf file exists. If it does not, create it.
- For both Linux and Windows, the ldap.conf file should contain this line: TLS_REQCERT never
- Note that TLS_REQCERT never turns server certificate verification off entirely, so the administrator credentials sent in the bind could be captured by anyone able to interpose on the connection. Use it only to get a test setup working, and switch to the TLS_CACERT configuration described next before pointing the script at a real domain.
- If you want PHP to verify the LDAP server's SSL certificate against the Certificate Authority that issued it, you need to put the root certificate in place as follows:
- Export the trusted root certificate. (For details, see Step 1 in How to test LDAP over SSL.)
- Use this command to convert the DER to PEM:
- openssl x509 -in RootCert.der -inform DER -out RootCert.pem -outform PEM
- On Windows you can download openssl binaries from these two sites:
- http://gnuwin32.sourceforge.net/packages.html
- http://www.ShininglightPro.com/
- Now copy rootcert.pem to the certs folder:
- For Linux, /etc/openldap/cert/rootcert.pem
- For Windows, C:\openldap\sysconf\certs\rootcert.pem
- For both Linux and Windows, the ldap.conf file should then contain this line (and no longer TLS_REQCERT never):
- (Linux) TLS_CACERT /etc/openldap/cert/rootcert.pem
- (Windows) TLS_CACERT c:\OpenLDAP\sysconf\certs\rootcert.pem
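The two ldap.conf states above expressed from PHP itself, plus the DER-to-PEM conversion done in PHP for a Windows host that has no openssl binaries. This is an added example, not part of the README or the script; the host name and file paths are placeholders, and it assumes PHP 7.1 or later with the ldap and openssl extensions.

```php
<?php
/* Added example; not part of the README or the script. Host name and paths are placeholders,
   PHP >= 7.1 with the ldap and openssl extensions is assumed. */

/* Same effect as "TLS_REQCERT never" in ldap.conf: any server certificate is accepted, so the
   administrator bind that follows can be intercepted. Lab use only. */
function ldaps_connect_unverified(string $host) {
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    $ldap = ldap_connect("ldaps://$host");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    return $ldap;
}

/* Same effect as "TLS_CACERT <file>" with the default "TLS_REQCERT demand": the handshake (which
   happens at bind time, not in ldap_connect) fails unless the server certificate chains to the CA
   in $caFile and its name matches $host. $host therefore has to be the DC's DNS name as it appears
   in the certificate, not an IP address. */
function ldaps_connect_verified(string $host, string $caFile) {
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // These are global (libldap-wide) options: set them before the first connection is made.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $ldap = ldap_connect("ldaps://$host");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    return $ldap;
}

/* The "openssl x509 -inform DER -outform PEM" step done in PHP: PEM is the DER bytes base64-encoded
   in 64-column lines between the CERTIFICATE markers. Returns the parsed certificate so the caller
   can confirm subject and validity before trusting it. */
function der_to_pem(string $derPath, string $pemPath): array {
    $der = file_get_contents($derPath);
    if ($der === false) {
        throw new RuntimeException("cannot read $derPath");
    }
    $pem = "-----BEGIN CERTIFICATE-----\n"
         . chunk_split(base64_encode($der), 64, "\n")
         . "-----END CERTIFICATE-----\n";
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException("$derPath does not contain an X.509 certificate");
    }
    if (file_put_contents($pemPath, $pem) === false) {
        throw new RuntimeException("cannot write $pemPath");
    }
    return $info;
}

/* Usage, with the README's Linux path and a placeholder DC name:
   $ca = der_to_pem("RootCert.der", "/etc/openldap/cert/rootcert.pem");
   echo $ca["subject"]["CN"], " valid until ", date("c", $ca["validTo_time_t"]), "\n";
   $ldap = ldaps_connect_verified("dc1.testdomain.local", "/etc/openldap/cert/rootcert.pem");
*/
```

With the verified variant, a bind that fails with "Can't contact LDAP server" usually means the name in the URI does not match the certificate or the CA file is not the issuer; check the subject returned by der_to_pem() before changing anything else.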
How to modify Active Directory passwords through PHP
The password is kept in Active Directory on the user object in the unicodePwd attribute. This attribute is written only under restricted conditions: it can never be read back, but its value can be modified or replaced.
In order to alter this attribute, you must have a 128-bit Secure Sockets Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that issued the server certificate, and both client and server must be capable of 128-bit encryption.
The "Passwords must meet complexity requirements" policy setting determines whether password complexity is enforced. If this setting is enabled, user passwords must meet the following requirements:
- The password is at least six characters long.
- The password contains characters from at least three of the following five categories:
  - English uppercase characters (A – Z)
  - English lowercase characters (a – z)
  - Base 10 digits (0 – 9)
  - Non-alphanumeric (for example: !, $, #, or %)
  - Unicode characters
PHP code as follows:

```php
<?php
/* Open an LDAPS connection to the domain controller and bind with an administrative account. */
function create_ldap_connection() {
    $ip = "Ad server IP";
    $port = 636;
    $ldaps_url = "ldaps://$ip:$port";
    $ldap_conn = ldap_connect($ldaps_url)
        or die("Sorry! Could not connect to LDAP server ($ip)");
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    $password = "AdminPassword";
    $binddn = "CN=Administrator,CN=Users,DC=TestDomain,DC=local";
    $result = ldap_bind($ldap_conn, $binddn, $password);
    if ($result) {
        return $ldap_conn;
    } else {
        die("Error: Couldn't bind to server with supplied credentials!");
    }
}

/* Look up the DN of the user whose password will be changed. */
function get_user_dn($ldap_conn, $user_name) {
    /* Write the below details as per your AD setting */
    $basedn = "DC=AD Test,DC=Local";
    /* Search for the user in the AD server. The user name must be wrapped in a filter
       (passing it bare gives "Bad search filter") and escaped so it cannot alter the filter. */
    $filter = "(sAMAccountName=" . ldap_escape($user_name, "", LDAP_ESCAPE_FILTER) . ")";
    $searchResults = ldap_search($ldap_conn, $basedn, $filter);
    if ($searchResults === false) {
        die("Error in search results.");
    }
    /* Get the first entry from the search result */
    $entry = ldap_first_entry($ldap_conn, $searchResults);
    if ($entry === false) {
        die("User not found.");
    }
    return ldap_get_dn($ldap_conn, $entry);
}

/* Encode a password the way unicodePwd expects it: wrapped in double quotes and UTF-16LE. */
function pwd_encryption($newPassword) {
    $newPassword = "\"" . $newPassword . "\"";
    $len = strlen($newPassword);
    $newPassw = "";
    for ($i = 0; $i < $len; $i++) {
        /* The page's snippet breaks off inside this loop; the usual body follows. Each byte is
           followed by a NUL byte, which is UTF-16LE only for ASCII passwords; non-ASCII input
           needs a real conversion (iconv/mb_convert_encoding to UTF-16LE). */
        $newPassw .= "{$newPassword[$i]}\000";
    }
    return $newPassw;
}
```
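The snippet above stops at the encoding loop. The following added example (not the page's or the author's code) carries the flow through: it applies the complexity rules listed above, encodes unicodePwd with iconv so non-ASCII passwords work, and performs both an administrative reset (ldap_mod_replace while bound as the admin) and a user self-service change (delete the old value and add the new one in a single ldap_modify_batch while bound as the user). The domain name, base DN and admin credentials are placeholders for a hypothetical lab domain; it needs the ldap and iconv extensions and a verified LDAPS connection.

```php
<?php
/* Added example, not the page's code. Constants are placeholders for a hypothetical lab domain. */
const AD_URI        = "ldaps://dc1.testdomain.local";   // DNS name, so the certificate can be verified
const AD_BASE_DN    = "DC=TestDomain,DC=local";
const AD_UPN_SUFFIX = "testdomain.local";
const AD_ADMIN_DN   = "CN=Administrator,CN=Users,DC=TestDomain,DC=local";
const AD_ADMIN_PW   = "AdminPassword";

/* Local check mirroring the policy listed above: >= 6 characters, 3 of 5 classes. The DC still
   runs its own check, including the history and account-name rules this omits. */
function meets_ad_complexity(string $pw): bool {
    if (iconv_strlen($pw, "UTF-8") < 6) {
        return false;
    }
    $classes = 0;
    // upper, lower, digit, ASCII punctuation/symbol, anything outside ASCII (Unicode class)
    foreach (['/[A-Z]/', '/[a-z]/', '/[0-9]/', '/[ -\/:-@\[-`{-~]/', '/[^\x00-\x7F]/u'] as $re) {
        if (preg_match($re, $pw)) {
            $classes++;
        }
    }
    return $classes >= 3;
}

/* AD expects unicodePwd as the password in double quotes, UTF-16LE encoded. */
function unicode_pwd(string $pw): string {
    return iconv("UTF-8", "UTF-16LE", '"' . $pw . '"');
}

function ad_bind(string $who, string $pw) {
    $ldap = ldap_connect(AD_URI);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD sends referrals libldap would otherwise chase anonymously
    // An empty password would turn this into an anonymous bind, which AD accepts.
    if ($pw === "" || !@ldap_bind($ldap, $who, $pw)) {
        throw new RuntimeException("bind failed for $who: " . ldap_error($ldap));
    }
    return $ldap;
}

function ad_user_dn($ldap, string $sam): string {
    $filter = "(&(objectClass=user)(sAMAccountName=" . ldap_escape($sam, "", LDAP_ESCAPE_FILTER) . "))";
    $res = ldap_search($ldap, AD_BASE_DN, $filter, ["dn"]);
    if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
        throw new RuntimeException("user $sam not found or ambiguous");
    }
    return ldap_get_dn($ldap, ldap_first_entry($ldap, $res));
}

/* Turn a failed modify into a readable message. AD reports the Win32 reason (e.g. 0000052D for a
   password-restriction failure) in the diagnostic message, not in the LDAP result code. */
function ad_fail($ldap, string $what): RuntimeException {
    $diag = "";
    if (defined("LDAP_OPT_DIAGNOSTIC_MESSAGE")) {
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    return new RuntimeException("$what: " . ldap_errno($ldap) . " " . ldap_error($ldap) . " $diag");
}

/* Administrative reset: bound as an account holding "Reset password" on the user, replace the value. */
function ad_reset_password(string $sam, string $newPw): void {
    if (!meets_ad_complexity($newPw)) {
        throw new InvalidArgumentException("new password fails the complexity policy");
    }
    $ldap = ad_bind(AD_ADMIN_DN, AD_ADMIN_PW);
    try {
        $dn = ad_user_dn($ldap, $sam);
        if (!ldap_mod_replace($ldap, $dn, ["unicodePwd" => unicode_pwd($newPw)])) {
            throw ad_fail($ldap, "reset of $dn failed");
        }
    } finally {
        ldap_unbind($ldap);
    }
}

/* Self-service change: the user proves the old password by binding as themselves, then one modify
   deletes the old value and adds the new one; AD verifies the old value and applies history and
   minimum-age policy on this path, which a replace by an admin bypasses. */
function ad_change_password(string $sam, string $oldPw, string $newPw): void {
    if (!meets_ad_complexity($newPw)) {
        throw new InvalidArgumentException("new password fails the complexity policy");
    }
    $ldap = ad_bind($sam . "@" . AD_UPN_SUFFIX, $oldPw);
    try {
        $dn = ad_user_dn($ldap, $sam);
        $mods = [
            ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_REMOVE, "values" => [unicode_pwd($oldPw)]],
            ["attrib" => "unicodePwd", "modtype" => LDAP_MODIFY_BATCH_ADD,    "values" => [unicode_pwd($newPw)]],
        ];
        if (!ldap_modify_batch($ldap, $dn, $mods)) {
            throw ad_fail($ldap, "change for $dn failed");
        }
    } finally {
        ldap_unbind($ldap);
    }
}
```

Use ad_change_password() for a "change my password" form and keep ad_reset_password() behind a separate, audited help-desk path: the reset only needs the admin credential and the target name, so any injection or logic flaw in the web form becomes an account takeover for every user the admin can reset.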