Change Password in Active Directory using LDAP/PHP/IIS/SSL


Problem description

First of all, this may be less of a programming question and more of a how do I configure LDAPS question, but here goes...

Background information:

I have two Windows 2008 R2 servers. One is a domain controller (DC) with Active Directory (AD) that I want to communicate with via LDAP. This one is named TestBox.TestDomain.local. The other server is running IIS, PHP (with ldap and openssl), and MySQL.

What is / isn't working

I can successfully connect to the DC unsecured over port 389 and read/write data to AD. What I can't do is change or set user passwords since this requires a secure connection using LDAPS (LDAP w/ SSL) over port 636.

What I need help with:

I have tried installing Active Directory Certificate Services (AD CS) and configuring the DC to act as a Certificate Authority (CA) using information found here: http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx but no matter what I try I can't get a connection over LDAPS to work.

Sample code:

Creating the LDAP connection

function ldapConnect(){
    $ip = "100.200.300.400";  // WAN IP goes here;
    $ldap_url = "ldap://$ip";
    $ldaps_url = "ldaps://$ip";
    $ldap_domain = 'testdomain.local';
    $ldap_dn = "dc=testdomain,dc=local";

    // Unsecure - WORKS
    // Note: a simple bind on port 389 without TLS sends the admin credentials below in
    // cleartext, and with a WAN IP that means across the Internet.
    $ldap_conn = ldap_connect( $ldap_url ) or die("Could not connect to LDAP server ($ldap_url)");
    //alternate connection method 
    //$ldap_conn=ldap_connect( $ip, 389 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 389)");  

    // Secure - DOESN'T WORK
    // ldap_connect() only parses the URL; the TLS handshake happens inside ldap_bind(), so a
    // missing or untrusted certificate (or one issued to the DC's FQDN while we connect by IP,
    // which fails host name validation) shows up as a bind error, not a connect error.
    //$ldap_conn = ldap_connect( $ldaps_url ) or die("Could not connect to LDAP server ($ldaps_url)");
    //alternate connection method 
    //$ldap_conn=ldap_connect( $ip, 636 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 636)");  

    // Options must be set on the handle returned above ($ds was never assigned).
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

    $username = "AdminUser";
    $password = "AdminPass"; 

    // bind using admin username and password
    // could also use dn... ie. CN=Administrator,CN=Users,DC=TestDomain,DC=local
    $result = ldap_bind($ldap_conn, "$username@$ldap_domain", $password );

    if($result){
        return $ldap_conn;
    }else{
        // ldap_error() gives the server's reason (e.g. invalid credentials vs. TLS failure)
        die("<br>Error: Couldn't bind to server using supplied credentials! (" . ldap_error($ldap_conn) . ")");
    }
}

Adding a New User to Active Directory

function ldapAddUser($ldap_conn, $ou_dn, $firstName, $lastName, $username, $pwdtxt, $email){
    $dn = "CN=$firstName $lastName,".$ou_dn;

    ## Create Unicode password: AD wants the password wrapped in double quotes and encoded
    ## as UTF-16LE. The original per-character "\000" loop produced the same bytes only for
    ## ASCII passwords, and relied on the {$i} string-offset syntax that PHP 8 removed.
    $newPassw = mb_convert_encoding("\"" . $pwdtxt . "\"", "UTF-16LE", "UTF-8");

    $ldaprecord['cn'] = $firstName." ".$lastName;
    $ldaprecord['displayName'] = $firstName." ".$lastName;
    $ldaprecord['name'] = $firstName." ".$lastName;
    $ldaprecord['givenName'] = $firstName;
    $ldaprecord['sn'] = $lastName;
    $ldaprecord['mail'] = $email;
    $ldaprecord['objectclass'] = array("top","person","organizationalPerson","user");
    $ldaprecord["sAMAccountName"] = $username;
    //$ldaprecord["unicodepwd"] = $newPassw;      // AD accepts this at create time only over LDAPS
    $ldaprecord["UserAccountControl"] = "544";    // 512 NORMAL_ACCOUNT + 32 PASSWD_NOTREQD

    $r = ldap_add($ldap_conn, $dn, $ldaprecord);
    if(!$r){
        echo "Add user failed: " . ldap_error($ldap_conn);
        return false;
    }

    // set password: no base64 needed (base64 is only for LDIF files). The attribute is
    // unicodePwd and the value is the raw UTF-16LE bytes; userPassword is not the AD
    // password attribute. AD refuses unicodePwd with "Unwilling to perform" unless the
    // session is encrypted, i.e. LDAPS on port 636.
    //$encodedPass = array('userpassword' => base64_encode($newPassw));   // wrong attribute for AD
    $encodedPass = array('unicodePwd' => $newPassw);

    echo "Change password ";
    if(ldap_mod_replace ($ldap_conn, $dn, $encodedPass)){ 
        echo "succeeded";
        return true;
    }else{
        echo "failed: " . ldap_error($ldap_conn);
        return false;
    }
}
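As an added example (not code from the original question), the same connect / bind / set-password flow done over LDAPS with the server certificate actually validated. It assumes the DC is addressed by the FQDN on its certificate (testbox.testdomain.local rather than the WAN IP, since the certificate is issued to the host name), that the enterprise CA's root certificate has been exported to a PEM file (placeholder path C:\certs\testdomain-root.crt), and that the bind credentials come from environment variables; none of those names are from the original post. PHP's ldap extension is built on the OpenLDAP client library, so trust and validation are configured through the LDAP_OPT_X_TLS_* options.

```php
<?php
// Added example (not the original poster's code): password change over LDAPS with a
// validated server certificate. Placeholders, not values from the original post:
// testbox.testdomain.local, C:\certs\testdomain-root.crt and the AD_ADMIN_* variables.
declare(strict_types=1);

const DC_HOST = 'testbox.testdomain.local';   // the FQDN on the certificate, not the IP
const CA_FILE = 'C:\\certs\\testdomain-root.crt';

/** unicodePwd value: the password in double quotes, UTF-16LE encoded, sent as raw bytes. */
function adUnicodePwd(string $plain): string
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

function ldapsConnect(string $host, string $caFile, string $bindUser, string $bindPass)
{
    // Global TLS settings must precede ldap_connect(): trust only this CA and refuse a server
    // whose certificate does not validate. LDAP_OPT_X_TLS_NEVER/ALLOW would make the admin
    // bind below readable by anyone able to terminate TLS on the path.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect("ldaps://$host:636");   // only parses the URL, no I/O yet
    if ($conn === false) {
        throw new RuntimeException("bad LDAP URL for $host");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // The bind performs the TLS handshake, so certificate problems surface here.
    if (!@ldap_bind($conn, $bindUser, $bindPass)) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('bind failed: ' . ldap_error($conn) . ' ' . (string) $diag);
    }
    return $conn;
}

/** Administrative reset: needs "Reset password" rights on the object; old password not required. */
function adResetPassword($conn, string $userDn, string $newPass): bool
{
    $ok = ldap_mod_replace($conn, $userDn, ['unicodePwd' => adUnicodePwd($newPass)]);
    if (!$ok) {
        // "Unwilling to perform" here means AD rejected an unencrypted session or the new
        // value violates the domain password policy; the diagnostic message says which.
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        error_log('reset failed: ' . ldap_error($conn) . ' ' . (string) $diag);
    }
    return $ok;
}

/** Self-service change: remove the old value and add the new one in a single modify, so AD
 *  itself verifies the old password and enforces policy (history, minimum age). */
function adChangePassword($conn, string $userDn, string $oldPass, string $newPass): bool
{
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [adUnicodePwd($oldPass)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [adUnicodePwd($newPass)]],
    ];
    $ok = ldap_modify_batch($conn, $userDn, $mods);
    if (!$ok) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        error_log('change failed: ' . ldap_error($conn) . ' ' . (string) $diag);
    }
    return $ok;
}

// Usage: credentials from the environment rather than hard-coded in the script.
$conn = ldapsConnect(
    DC_HOST,
    CA_FILE,
    (string) getenv('AD_ADMIN_USER') . '@testdomain.local',
    (string) getenv('AD_ADMIN_PASS')
);
$userDn = 'CN=Test User,OU=Staff,DC=testdomain,DC=local';   // placeholder DN
adResetPassword($conn, $userDn, 'N3w-P@ssw0rd!');
ldap_unbind($conn);
```

The two password functions differ in what AD checks: ldap_mod_replace on unicodePwd is a reset and only requires the bind identity to hold reset rights on the user, while the remove-old / add-new pair in one modify is a change that AD only accepts when the old value is correct, which is the form a self-service "change my password" page should use so the web application does not need an account with reset rights over every user.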


Recommended answer

Two suggestions:


  1. During the AD CS setup, on the Specify Setup Type page, click Enterprise, and then click Next.
  2. The AD service is supposed to pick up its own certificate, but if it works like in Windows Server 2003, you must reboot the server to make it work. Perhaps just stopping and restarting the service is enough in W2K8 R2.

After that, you can just try to build a certificate and install it on the AD service account, as you can find it done with ADAM.
