PHP: change AD user password

mattrude / changepassword.php


Thanks very much. It works well.

I wanted this!
Thank you very much! (from Japan)

I do not have the anonymous binding feature, how do I avoid Error E200? Thanks

Saved me 🙂 It does the work as it should, thank you very much!

"E201 - Your password cannot be change, please contact the administrator." Can you help me?

E201 means that your server might require a rootdn to change some LDAP attributes. To do this, specify your root DN by inserting these two variables in the changePassword function:

```php
$rootdn = "cn=Manager,dc=mycompany,dc=com";
$rootpwd = "mysecretkeys";
```

Approximately at line 93, insert the following code:

```php
/* And Finally, Change the password */
$entry = array();
$entry["userPassword"] = "$encoded_newPassword";
$r = ldap_bind($con, $rootdn, $rootpwd);
```

At line 95, modify the conditional statement into this:

```php
// Parentheses around the assignment are required: without them "===" binds
// first and $r only receives a boolean instead of the ldap_modify() result.
if (($r = ldap_modify($con, $user_dn, $entry)) === false) {
    $error = ldap_error($con);
    $errno = ldap_errno($con);
    $message[] = "E201 - Your password cannot be change, please contact the administrator.";
    $message[] = "$errno - $error";
}
```

I keep getting the error "Error E101 - Current Username or Password is wrong." even when my username and password are correct.
When I commented out the line error_reporting(0), I get a warning at line 34 that says "Warning: ldap_search(): Search: Bad search filter". For my LDAP instance, I have modified line 34 to `$user_search = ldap_search($con,$dn,"(|(User Name=$user)(Email=$email_user))");` and I supply the value for $email_user to the function.

Am I missing something? Any suggestions would be greatly appreciated. Thanks

Worked directly, this is time-saving, thanks

Same problem as narayan8291.
I am using CentOS 7.

Are you sure "userPassword" is the correct attribute to change the password? I found many samples with the "unicodePwd" attribute.
What's the difference between these two fields?

Could you add/insert Samba password linkage to this fine php? Something nicked from this would be OK by me:

```php
<?php
// Reconstructed from the flattened paste above: the scrape turned "{" / "}" into "<" / ">",
// dropped the "{SSHA}" prefix and left HTML residue in the sambaPwdLastSet line.
// Assumed to be set by the including script: $ldap_host, $ldap_base, $admin_dn, $admin_pw.
// Requires PHP 7.0+ (random_bytes, hash_equals).

if (!function_exists('my_die')) {
    // The paste calls my_die() without defining it; minimal stand-in (assumption).
    function my_die($msg) { die($msg); }
}

function ntpasswd($Input) {
    // Convert the password from UTF8 to UTF16 (little endian)
    $Input = iconv('UTF-8', 'UTF-16LE', $Input);
    $MD4Hash = hash('md4', $Input);
    // Make it uppercase, not necessary, but it's common to do so with NTLM hashes
    $NTLMHash = strtoupper($MD4Hash);
    // Return the result
    return $NTLMHash;
}

function checknt($passwd, $hash) {
    return (ntpasswd($passwd) === strtoupper($hash));
}

function sshapasswd($input) {
    // 4-byte random salt from the CSPRNG; the paste seeded mt_rand() from microtime/pid
    $salt = random_bytes(4);
    $passwd_sha1 = sha1($input . $salt, TRUE);
    // "{SSHA}" is 6 characters, which is exactly what checkssha() strips again below
    $result = '{SSHA}' . base64_encode($passwd_sha1 . $salt);
    if (!checkssha($result, $input)) return null;
    else return $result;
}

function checkssha($input, $passwd) {
    $orig = base64_decode(substr($input, 6));
    $hash = substr($orig, 0, 20);
    $salt = substr($orig, 20, 4);
    // hash_equals() instead of "==": constant-time and never a loose numeric comparison
    return hash_equals($hash, sha1($passwd . $salt, TRUE));
}

function check_ldap_passwd($username, $passwd) {
    global $ldap, $ldap_host, $ldap_base;
    # Assume uid=username,searchbase
    $ldap = ldap_connect($ldap_host);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    return @ldap_bind($ldap, 'uid=' . $username . ',' . $ldap_base, $passwd);
}

// Bind with the admin credentials (the paste repeats this block in three functions)
function ldap_admin_bind() {
    global $ldap, $ldap_host, $admin_dn, $admin_pw;
    $ldap = ldap_connect($ldap_host);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ldap, $admin_dn, $admin_pw)) {
        my_die("An error occurred.");
    }
}

// Get the account's info (the paste repeats this search/count block four times)
function lookup_posix_account($username) {
    global $ldap, $ldap_base;
    $res = ldap_search($ldap, 'uid=' . $username . ',' . $ldap_base, '(objectClass=posixAccount)');
    if (ldap_count_entries($ldap, $res) > 1) {
        die('Something is wrong- more than one search result.');
    } else if (ldap_count_entries($ldap, $res) == 0) {
        die('Something is wrong- You logged in but I can\'t find you anymore.');
    }
    return ldap_first_entry($ldap, $res);
}

// Does this account already have objectClass: sambaSamAccount? If not, add it.
function samba_objectclass_mods($entry, $userdn) {
    global $ldap;
    $obj = array();
    if (!ldap_compare($ldap, $userdn, 'objectClass', 'sambaSamAccount')) {
        // Have to get other objectClass values, too.
        $object = ldap_get_attributes($ldap, $entry);
        unset($object['objectClass']['count']);
        $obj['objectClass'] = $object['objectClass'];
        $obj['objectClass'][] = 'sambaSamAccount';
    }
    return $obj;
}

function change_ldap_passwd($username, $passwd, $new) {
    global $ldap;
    if ($ldap == null) {
        // Odd, this should've been done already.
        if (!check_ldap_passwd($username, $passwd)) return NULL;
    }
    $entry = lookup_posix_account($username);
    $userdn = ldap_get_dn($ldap, $entry);
    $obj = samba_objectclass_mods($entry, $userdn);
    $now = time();
    $obj['userPassword'] = sshapasswd($new);
    $obj['sambaNTPassword'] = ntpasswd($new);
    $obj['sambaPwdLastSet'] = "$now";
    return @ldap_modify($ldap, $userdn, $obj);
}

function change_ldap_passwd_admin($username, $passwd) {
    global $ldap;
    if ($ldap == null) {
        // Odd, this should've been done already.
        ldap_admin_bind();
    }
    $entry = lookup_posix_account($username);
    $userdn = ldap_get_dn($ldap, $entry);
    $obj = samba_objectclass_mods($entry, $userdn);
    $obj['userPassword'] = sshapasswd($passwd);
    $obj['sambaNTPassword'] = ntpasswd($passwd);
    // Debug output kept from the paste: it prints both new hashes to the page
    echo "ssh: " . $obj['userPassword'] . " nt: " . $obj['sambaNTPassword'];
    return @ldap_modify($ldap, $userdn, $obj);
}

function check_nt_passwd($username, $password) {
    global $ldap;
    ldap_admin_bind();
    $entry = lookup_posix_account($username);
    $object = ldap_get_attributes($ldap, $entry);
    if (isset($object['sambaNTPassword'])) {
        return checknt($password, $object['sambaNTPassword'][0]);
    } else {
        return null;
    }
}

function check_ldap_user($username) {
    global $ldap, $ldap_base;
    if ($ldap == null) {
        // Odd, this should've been done already.
        ldap_admin_bind();
    }
    $res = @ldap_search($ldap, 'uid=' . $username . ',' . $ldap_base, '(objectClass=posixAccount)');
    return @ldap_count_entries($ldap, $res) == 1;
}
```


Active Directory User Password Change PHP

achinthagunasekara/AD_User_Password_Change_PHP


README.md

# PHP Active Directory User Password Change Script

Archie Gunasekara 01.05.2015

  1. Make sure your PHP install has both the ldap and openssl extensions enabled.
  2. Windows/Linux procedure: verify the ldap.conf file settings.
     - For Windows, verify that the C:\openldap\sysconf\ldap.conf file exists.
     - For Linux, verify that the /etc/openldap/ldap.conf file exists. If it does not, create it.
     - For both Linux and Windows, the ldap.conf file should contain this line: TLS_REQCERT never
  3. If you want PHP to verify the LDAP server's SSL certificate with the Certificate Authority that issued the certificate, you need to put the root certificate here:
     - Export the trusted root certificate. (For details, see Step 1 in How to test LDAP over SSL.)
     - Use this command to convert the DER to PEM: openssl x509 -in RootCert.der -inform DER -out RootCert.pem -outform PEM
     - On Windows you can download openssl binaries from these two sites: http://gnuwin32.sourceforge.net/packages.html and http://www.ShininglightPro.com/
     - Now copy the rootcert.pem to the certs folder: for Linux, /etc/openldap/cert/rootcert.pem; for Windows, C:\openldap\sysconf\certs\rootcert.pem
     - For both Linux and Windows, the ldap.conf file should then contain this line: (Linux) TLS_CACERT /etc/openldap/cert/rootcert.pem or (Windows) TLS_CACERT c:\OpenLDAP\sysconf\certs\rootcert.pem


How to modify Active Directory passwords through PHP

The password is kept in Active Directory on the user object in the unicodePwd attribute. The attribute can only be written under restricted conditions: its value can never be read back, but it can be modified or replaced.
In order to alter this attribute, you must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

The "Passwords must meet complexity requirements" policy setting determines whether password complexity is enforced. If this setting is enabled, user passwords must meet the following requirements:
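The unicodePwd change described above, together with the search-filter problem raised in the gist comment earlier on this page ("Bad search filter" from a filter built by interpolating the login name), as an added PHP example that is not part of this article, the gist, or the AD_User_Password_Change_PHP repository. The host name, base DN, UPN suffix, CA file path and all function names are assumptions; it needs PHP 7.1+ for the global LDAP_OPT_X_TLS_* options and ldap_escape(). Unlike the README's ldap.conf setting TLS_REQCERT never, it demands a valid server certificate, since the whole point of the SSL requirement is that the new password travels to a server whose identity has been checked.

```php
<?php
// Added example, not the page's code. Self-service AD password change over LDAPS:
// bind as the user with the current password, look up the DN with an escaped
// filter, then replace unicodePwd atomically (delete old value + add new value).

// unicodePwd expects the password wrapped in double quotes and encoded as UTF-16LE.
function encodeUnicodePwd(string $password): string
{
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}

// ldap_escape() ensures characters such as ( ) * \ or NUL in the login name are
// treated as literal text, so the filter's structure is fixed by the code alone.
function buildUserFilter(string $login): string
{
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
}

// Returns [bool $ok, string $message]. All connection parameters are assumptions.
function changeAdPassword(string $host, string $baseDn, string $upnSuffix, string $login,
                          string $oldPassword, string $newPassword, string $caFile): array
{
    // Verify the server certificate against the CA file (global options, PHP 7.1+).
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $con = ldap_connect('ldaps://' . $host . ':636');
    if ($con === false) {
        return [false, 'ldap_connect failed'];
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

    // Bind as the user with the current password: proves ownership of the account
    // and needs no anonymous bind and no administrative account.
    if (!@ldap_bind($con, $login . '@' . $upnSuffix, $oldPassword)) {
        return [false, 'E101 - current username or password is wrong: ' . ldap_error($con)];
    }

    // Resolve the user's DN with the escaped filter; exactly one entry is expected.
    $search = ldap_search($con, $baseDn, buildUserFilter($login), ['distinguishedName']);
    if ($search === false || ldap_count_entries($con, $search) !== 1) {
        return [false, 'user entry not found or ambiguous'];
    }
    $userDn = ldap_get_dn($con, ldap_first_entry($con, $search));

    // A self-service change is DELETE(old) + ADD(new) in one modify operation;
    // a plain REPLACE is an administrative reset that requires the reset right.
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($newPassword)]],
    ];
    if (!@ldap_modify_batch($con, $userDn, $mods)) {
        // Complexity, length and history policy failures come back from AD
        // as a constraint violation; surface errno and message as the gist does.
        $msg = 'E201 - password not changed: ' . ldap_errno($con) . ' ' . ldap_error($con);
        ldap_unbind($con);
        return [false, $msg];
    }
    ldap_unbind($con);
    return [true, 'password changed'];
}

// Example call with placeholder values (no real directory is contacted here):
// [$ok, $msg] = changeAdPassword('dc1.example.test', 'DC=example,DC=test', 'example.test',
//                                'jdoe', 'OldP@ssw0rd', 'NewP@ssw0rd1', '/etc/openldap/cert/rootcert.pem');
```

The bind-first order also answers the "no anonymous binding" question from the comments: the user's own credentials authorise the directory search, so no rootdn and no anonymous access are needed for a self-service change. The admin-bind rootdn approach from the E201 reply is only required for resetting someone else's password.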
