I am creating a user in Active Directory using PHP and it is created correctly, but now I need to check the options shown in the image from the same PHP code. I also attach an example of how the user is created in Active Directory using PHP.
Checks that I need to do using PHP
User creation code
<?php
// Username used to connect to the server
$username = "administrator";
// Password of the user.
$password = "Password01";
// Domain used to connect to.
$domain = "nagara.ca";
// Proper username to connect with (UPN form: user@domain).
$domain_username = $username . "@" . $domain;
// User directory. Such as all users are placed in
// the Users directory by default.
$user_dir = "OU=Students,DC=nagara,DC=ca";
// Either an IP or a domain.
$ldap_server = "192.168.100.2";
// Get a connection
$ldap_conn = ldap_connect($ldap_server);
// Set LDAP_OPT_PROTOCOL_VERSION to 3
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set LDAP Protocol version");
// Authenticate the user and link the resource_id with
// the authentication. The assignment must be parenthesised:
// "$x = f() == true" would store the comparison, not the bind result.
if (($ldapbind = ldap_bind($ldap_conn, $domain_username, $password)) == true)
{
    // Setup the data that will be used to create the user
    // This is in the form of a multi-dimensional
    // array that will be passed to AD to insert.
    $adduserAD["cn"] = "testuser";
    $adduserAD["givenname"] = "Test";
    $adduserAD["sn"] = "User";
    $adduserAD["sAMAccountName"] = "testuser";
    $adduserAD['userPrincipalName'] = "testuser@nagara.ca";
    $adduserAD["objectClass"] = "user";
    $adduserAD["displayname"] = "Test User";
    $adduserAD["userPassword"] = "Password01";
    $adduserAD["userAccountControl"] = "544";
    $base_dn = "cn=testuser,ou=students,DC=nagara,DC=ca";
    // Attempt to add the user with ldap_add()
    if (ldap_add($ldap_conn, $base_dn, $adduserAD) == true)
    {
        // The user is added and should be ready to be logged
        // in to the domain.
        echo "User added!<br>";
    } else {
        // This error message will be displayed if the user
        // was not able to be added to the AD structure.
        echo "Sorry, the user was not added.<br>Error Number: ";
        echo ldap_errno($ldap_conn) . "<br />Error Description: ";
        echo ldap_error($ldap_conn) . "<br />";
    }
} else {
    echo "Could not bind to the server. Check the username/password.<br />";
    // Error number and error description.
    echo "Server Response:"
        . "<br />Error Number: " . ldap_errno($ldap_conn)
        . "<br />Description: " . ldap_error($ldap_conn);
}
// Always make sure you close the server after
// your script is finished.
ldap_close($ldap_conn);
?>
I hope you can support me.
Thank you very much.
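Most of the account-option checkboxes in the AD user dialog (account disabled, password never expires, password not required) are bits of the userAccountControl attribute that the script above sets to 544; "user must change password at next logon" is instead pwdLastSet = 0. The following is an added example, not code from the question, that composes the value safely and reads it back for a check; the connection handle and DN are assumed to come from the script above.

```php
<?php
// Added example (not from the question): compose and decode the AD
// userAccountControl bit field that the scripts on this page set to
// 512, 544, 66048 or 66080. Flag values are the documented ADS_USER_FLAG constants.
const UF_ACCOUNTDISABLE     = 0x0002;
const UF_PASSWD_NOTREQD     = 0x0020;
const UF_NORMAL_ACCOUNT     = 0x0200;
const UF_DONT_EXPIRE_PASSWD = 0x10000;
const UAC_FLAG_NAMES = [
    UF_ACCOUNTDISABLE     => 'ACCOUNTDISABLE',
    UF_PASSWD_NOTREQD     => 'PASSWD_NOTREQD',
    UF_NORMAL_ACCOUNT     => 'NORMAL_ACCOUNT',
    UF_DONT_EXPIRE_PASSWD => 'DONT_EXPIRE_PASSWD',
];
// Names of the flags set in a userAccountControl value.
function uacFlags(int $uac): array {
    $set = [];
    foreach (UAC_FLAG_NAMES as $bit => $name) {
        if ($uac & $bit) { $set[] = $name; }
    }
    return $set;
}
// Value to write at creation time: a normal account, optionally created
// disabled. PASSWD_NOTREQD (the 32 in 544 and 66080) is never set here,
// because it allows the account to exist with an empty password.
function uacForNewUser(bool $disabled): int {
    return UF_NORMAL_ACCOUNT | ($disabled ? UF_ACCOUNTDISABLE : 0);
}
// Options worth flagging when reviewing an account after creation.
function uacWarnings(int $uac): array {
    $warn = [];
    if ($uac & UF_PASSWD_NOTREQD)     { $warn[] = 'password not required'; }
    if ($uac & UF_DONT_EXPIRE_PASSWD) { $warn[] = 'password never expires'; }
    return $warn;
}
// Read the attribute back from an entry on an already-bound connection
// ($conn and $dn as in the script above); ldap_get_entries() lowercases keys.
function readUac($conn, string $dn): int {
    $sr = ldap_read($conn, $dn, '(objectClass=user)', ['userAccountControl']);
    $e  = ldap_get_entries($conn, $sr);
    return (int) ($e[0]['useraccountcontrol'][0] ?? 0);
}
// Decode the constants used on this page.
foreach ([512, 544, 66048, 66080] as $v) {
    printf("%5d -> %s %s\n", $v, implode('|', uacFlags($v)),
        implode(', ', uacWarnings($v)));
}
```

Note that by default AD does not accept a cleartext userPassword as the account password; a usable password is set through the unicodePwd attribute over an encrypted (LDAPS) connection.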
Related
I want to set active user session limit in ldap using php code at the time of creating users.
$ldap_conn = ldap_connect($ldap_server); // connect ldap server
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set LDAP Protocol version");
ldap_set_option($ldap_conn, LDAP_OPT_TIMELIMIT, 3) or die("Could not set LDAP time limit");
// bind the ldap; if bound then set parameters
// (parenthesised so $ldapbind holds the bind result, not the comparison)
if (($ldapbind = ldap_bind($ldap_conn, $username, $password)) == true)
{
    $adduserAD["cn"] = $name;
    $adduserAD["givenname"] = $name;
    $adduserAD["sn"] = 'Kumar';
    $adduserAD["sAMAccountName"] = $name;
    $adduserAD['userPrincipalName'] = $uname; // log on name
    $adduserAD['initials'] = 'Mr';
    $adduserAD["objectClass"] = "User";
    $adduserAD["displayname"] = "Test User";
    $adduserAD['mail'] = $email; // email
    $adduserAD['description'] = 'We are testing';
    $adduserAD["userPassword"] = $pwd;
    $adduserAD["userAccountControl"] = "66080"; // enable or disable user: 512, 66080, 389, 66048, 636, 544
    $base_dn = "cn=" . $name . ",OU=Netmc,DC=xyz,DC=local"; // base domain name
    // Attempt to add the user with ldap_add()
    if (ldap_add($ldap_conn, $base_dn, $adduserAD) == true) { // user creation
        echo "User is created";
    }
    ldap_close($ldap_conn);
} else {
    echo "Not connected with server";
}
The user is created successfully but the session time is not set. I don't know how to set the session time limit in LDAP at the time of user creation. Please guide me to solve this problem. Thanks in advance.
I have tried many times to create a user in the group but could not. I am able to create a user, but not in a group. My group name is RDP and Netmetric is the folder where I am creating the user.
// parenthesised so $ldapbind holds the bind result, not the comparison
if (($ldapbind = ldap_bind($ldap_conn, $username, $password)) == true)
{ // if ldap bind
    $adduserAD["cn"] = $name; // Common name
    $adduserAD["givenname"] = $name;
    $adduserAD["sn"] = 'Kumar'; // Surname
    $adduserAD["sAMAccountName"] = $name; // sAMAccountName declared here
    $adduserAD['userPrincipalName'] = $name;
    $adduserAD["objectClass"] = "User"; // Object class user
    $adduserAD["displayname"] = "Test User";
    $adduserAD['mail'] = $email;
    $adduserAD["userPassword"] = $pwd; // set password here
    $adduserAD["userAccountControl"] = "66080";
    $base_dn = "cn=" . $name . ",ou=Netmetric,DC=ntop,DC=local"; // base dn
    // Attempt to add the user with ldap_add()
    if (ldap_add($ldap_conn, $base_dn, $adduserAD) == true) {
        echo "User is created";
    }
    ldap_close($ldap_conn);
} else {
    echo "Not connected with server";
}
Since you have an openldap tag on the question, I'm assuming you are trying to add users to an OpenLDAP database.
If that is the case you should get an error, because the sAMAccountName, userPrincipalName and userAccountControl attributes are not present in the OpenLDAP schema.
I just cannot figure out what I'm doing wrong, I've scoured the web for answers but cannot find anything that works. Please can someone look at my code and tell me where I'm going wrong? If I comment out "objectclass" I get "server is unwilling to perform 53", if I change the OU to something silly (the $dn) then I get "Naming Violation", if I mash the keyboard and put in random letters for the user's name I still get "already exists" error even though no parts of the things I'm entering exist. If I add an ldap_mod_replace line in for another CN in the same OU it works fine so I know the connection is working. I've tried without the '[0]' on all except objectclass too (as I've seen in all examples). Company and user info edited obviously.
$server = "ldap://ServerName.domain.co.uk";
$dn = "OU=Advertising,OU=EmailDepartmentAccounts,OU=Administration,OU=Central,DC=domain,DC=co,DC=uk";
//domain user to connect to LDAP
$user = "helpdesk.ldap@domain.co.uk";
//user password
$psw = "Password";
$ds = ldap_connect($server);
if ($ds) {
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    $r = ldap_bind($ds, $user, $psw);
    $proxyaddresses_array = array();
    $proxyaddresses_array[0] = "X400:c=GB;a= ;p=Company Name p;o=PWEXCHANGE;s=Kitbag;g=Digital;";
    $proxyaddresses_array[1] = "SMTP:test.maff@domain.co.uk";
    $proxyaddresses_array[2] = "smtp:test.maff@other.co.uk";
    //$NewUser = array();
    $NewUser["cn"][0] = "Test Maff1";
    $NewUser["userprincipalname"][0] = "Test.Maff1@domain.co.uk";
    $NewUser["samaccountname"][0] = "Test.Maff";
    $NewUser["objectClass"][0] = "top";
    $NewUser["objectClass"][1] = "person";
    $NewUser["objectClass"][2] = "organizationalPerson";
    $NewUser["objectClass"][3] = "user";
    //$NewUser["givenname"][0] = "Test";
    //$NewUser["sn"][0] = "Maff";
    //$NewUser["instancetype"][0] = 4;
    //$NewUser["physicaldeliveryofficename"][0] = "Leeds";
    //$NewUser["displayname"][0] = "Test Maff";
    //$NewUser["proxyaddresses"] = $proxyaddresses_array;
    //$NewUser["department"][0] = "IT";
    //$NewUser["company"][0] = "Company Name";
    //$NewUser["homemta"][0] = "CN=Microsoft MTA,CN=STH-EXC-01B,CN=Servers,CN=BSP,CN=Administrative Groups,CN=Johnston Press plc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=co,DC=uk";
    //$NewUser["displaynameprintable"][0] = "Test Maff";
    //$NewUser["mailnickname"][0] = "Test.Maff";
    //$NewUser["useraccountcontrol"][0] = "512";
    //$NewUser["primarygroupid"][0] = "513";
    //$NewUser["name"][0] = "Test Maff";
    $NewUser["objectcategory"][0] = "CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=co,DC=uk";
    //$NewUser["mail"] = "Test.Maff@domain.co.uk";
    // $dn is the parent OU here, not the DN of the new entry (see answer below)
    if ($NewUserAdded = ldap_add($ds, $dn, $NewUser)) {
        echo "success<br />";
    } else {
        echo ldap_error($ds) . " " . ldap_errno($ds);
    }
    ldap_close($ds);
} else {
    echo "unable to connect to LDAP server";
}
I might be wrong, but from what I read in your code you have an entry OU=Advertising,OU=EmailDepartmentAccounts,OU=Administration,OU=Central,DC=domain,DC=co,DC=uk. And as far as I interpret your code you want to add an entry below that entry. But you have to provide the DN of the new entry as the second parameter to ldap_add. Instead you provide the baseDN of the new entry, and that is already there. Otherwise you wouldn't be able to add something into it.
So you should call something like the following before calling the ldap_add:
$dn = 'cn=' . $NewUser['cn'][0] . ',' . $dn;
That uses the baseDN and prepends it with the cn of the current user.
Hope that helps
I have tried adding users via PHP LDAP to Active Directory on Microsoft Server 2008 R2 Datacenter, but I can't. I always get this error:
An error occurred. Error number 64: Naming violation
The code is:
<?php
$ldaprdn = 'administrador@correo.mx';
$ldappass = 'dir378prob#';
$ds = 'correo.mx';
$dn = 'ou=usuarios,dc=correo,dc=mx';
$puertoldap = 389;
$ldapconn = ldap_connect($ds, $puertoldap) or die("ERROR: Could not connect to LDAP.");
if ($ldapconn)
{
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    $con = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($con)
    {
        $info["cn"] = $_POST['cn'];
        $info["sn"] = $_POST['sn'];
        $info["mail"] = $_POST['mail'];
        $info["objectclass"] = "inetorgperson";
        // prepare DN for new entry (named by mail= here; see the answer below)
        $dn_aux = "mail=" . $_POST['mail'] . ",ou=usuarios,dc=correo,dc=mx";
        $result = ldap_add($ldapconn, $dn_aux, $info);
        if ($result)
        {
            echo "New entry with DN " . $dn_aux . " added to LDAP directory.";
        }
        // else display error
        else
        {
            echo "An error occurred. Error number " . ldap_errno($ldapconn) . ": " .
                ldap_err2str(ldap_errno($ldapconn));
        }
    }
    else
    {
        echo "LDAP bind error...";
    }
}
ldap_close($ldapconn);
?>
I'm taking my first steps in this ldap, so please could you explain in detail.
Not sure of the correct PHP syntax, but the following line:
$dn_aux = "mail=" . $_POST['mail'] . ",ou=usuarios,dc=correo,dc=mx";
is not correct for an Active Directory. The explanation is that in such a directory you are not able to choose the attribute you use for naming an object. For example an 'InetOrgPerson' object MUST use the CN attribute to name it. For more details, read carefully the naming attributes section in object naming from the Microsoft documentation.
Try:
$dn_aux = "CN=" . $_POST['cn'] . ",ou=usuarios,dc=correo,dc=mx";
I am wanting to create a form that I can fill out, and once I submit it the form values can be pulled out and that person can be created in LDAP. I am not very experienced with LDAP; in fact I just worked towards making an LDAP bind work, so I am needing some help. How can I add new users into LDAP through this form I can fill out? I know LDAP has an Add command, but I am not particularly sure how to get started and what information needs to be passed for the person to be created in LDAP. If it helps, below is my code for LDAP bind.
<?php
$name = $_REQUEST['name'];
$x = 1;
if ($x == 1)
{
    //LDAP stuff here.
    $username = "myusername";
    $password = "mypass";
    $ds = ldap_connect('ldap://ldap:389');
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    //Can't connect to LDAP.
    if (!$ds)
    {
        echo "Error in contacting the LDAP server -- contact ";
        echo "technical services! (Debug 1)";
        exit;
    }
    //Connection made -- bind anonymously and get dn for username.
    $bind = @ldap_bind($ds);
    //Check to make sure we're bound.
    if (!$bind)
    {
        echo "Anonymous bind to LDAP FAILED. Contact Tech Services! (Debug 2)";
        exit;
    }
    $search = ldap_search($ds, "ou=People,DC=sde,DC=goliat,DC=com", "uid=$username");
    //Make sure only ONE result was returned -- if not, they might've thrown a * into the username. Bad user!
    if (ldap_count_entries($ds, $search) != 1)
    {
        echo "Error processing username -- please try to login again. (Debug 3)";
        redirect(_WEBROOT_ . "/try1b.php");
        exit;
    }
    $info = ldap_get_entries($ds, $search);
    //Now, try to rebind with their full dn and password.
    $bind = @ldap_bind($ds, $info[0]['dn'], $password);
    if (!$bind || !isset($bind))
    {
        echo "Login failed -- please try again. (Debug 4)";
        redirect(_WEBROOT_ . "/try1b.php");
        exit;
    }
    //Now verify the previous search using their credentials.
    $search = ldap_search($ds, "ou=People,DC=sde,DC=goliat,DC=com", "cn=$name");
    $info = ldap_get_entries($ds, $search);
    if ($username == "myusername")
    {
        /*
        very useful set of information to view the LDAP tree info from an array
        echo $username;
        echo "<pre>".print_r($info[0],true)."</pre><br />";
        */
        echo $info[0]['cn'][0];
        echo ",";
        echo $info[0]['mail'][0];
        echo ",";
        echo $info[0]['telephonenumber'][0];
        exit;
    }
    else
    {
        echo "Error. Access Denied";
        redirect(_WEBROOT_ . "/try1b.php");
        exit;
    }
    ldap_close($ds);
    exit;
}
?>
I would recommend a newUser.php (or whatever) file that checks to make sure that all of your required information is present, then send that info to the file you have started above.
Your $bind should take three variables...
$bind = ldap_bind($ds, 'cn=root,dc=example,dc=com', 'secretPassword');
For a pretty good guide to adding people to your LDAP server via PHP go to http://www.php2python.com/wiki/function.ldap-add/
Good luck
An add request requires the distinguished name of the entry to be added, the attributes that are to be part of the entry, and optional request controls.
On another subject, your search has subtree scope and may return more than one entry that matches the user name. There is no reason why there could not be multiple entries with the same RDN in different branches underneath the base object specified in the code, unless your directory server vendor has implemented an attribute uniqueness constraint.
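The DN built from $_POST['cn'] in the Naming-violation answer above and the "uid=$username" filter in the form script both splice user input into LDAP syntax; the following added example (not code from any of the posts) shows how to build both with ldap_escape() and how to do the uniqueness check the last answer describes. The base DN, attribute names and sample values are assumptions.

```php
<?php
// Added example (not from the posts): build the new entry's DN and the
// lookup filter from user-supplied values with ldap_escape(), so a "*" or
// a "," in the input cannot alter the filter or the DN. Base DN, attribute
// names and the sample values are assumptions.

// DN of the entry to add: cn=<escaped value>,<base DN>. LDAP_ESCAPE_DN turns
// DN-special characters such as "," and "=" into \XX hex escapes.
function newEntryDn(string $cn, string $baseDn): string {
    return 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

// Equality filter on one attribute. LDAP_ESCAPE_FILTER escapes "*", "(", ")"
// and "\", so the value cannot add wildcards or extra conditions.
function accountFilter(string $attr, string $value): string {
    return '(' . $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')';
}

// True when no entry anywhere under $baseDn already uses this account name.
// ldap_search() is subtree-scoped, which is what a uniqueness check needs;
// $conn is an already-bound LDAP connection.
function nameIsFree($conn, string $baseDn, string $sam): bool {
    $sr = ldap_search($conn, $baseDn, accountFilter('sAMAccountName', $sam), ['cn']);
    return $sr !== false && ldap_count_entries($conn, $sr) === 0;
}

// Constructed inputs (no server needed) to show what the escaping produces.
$base = 'ou=usuarios,dc=correo,dc=mx';
echo newEntryDn('Test Maff1', $base), "\n";
echo newEntryDn('Smith, John', $base), "\n";   // comma in the CN is escaped
echo accountFilter('uid', 'jsmith'), "\n";
echo accountFilter('uid', '*'), "\n";          // wildcard is escaped, not interpreted
```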