Set Active Directory Password via PHP and LDAPS - php

Okay, I am stumped.
I am trying to write some PHP code to create a user in Active Directory with a password.
The PHP will run on an Ubuntu server, if it makes any difference, talking to a Server 2008 R2 Windows Domain Controller.
I can create the user with no problems using PHP, but I cannot set the password. I have tried what feels like every possible piece of code on the internet, but it just will not work.
I believe that I have to create the user and then modify the password afterwards. As a result I have the following code:
$domadlogin = 'domainadminusername';
$domadpw = 'a2b3c4d5e';
$domctrl = 'ldaps://DCIPADDRESS';
$ldapServer = $domctrl;
$ldapBase = 'OU=Users,DC=example,DC=co,DC=uk';
$ds = ldap_connect($ldapServer);
if (!$ds) { die('Cannot Connect to LDAP server'); }
// Connection options have to be set before the bind for them to apply to it
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapBind = ldap_bind($ds, $domadlogin, $domadpw);
if (!$ldapBind) { die('Cannot Bind to LDAP server'); }
$dn_user = 'CN=Test User,OU=New Users,OU=Users,DC=example,DC=co,DC=uk';
$newPassword = "1.Password!";
$newPassword = "\"" . $newPassword . "\"";   // AD wants the password wrapped in double quotes
$newPassw = '';
$len = strlen($newPassword);
for ($i = 0; $i < $len; $i++)
{
    // Byte-by-byte "UTF-16LE": each (ASCII) character followed by a NUL byte
    $newPassw .= $newPassword[$i] . "\000";
}
$newPassword = base64_encode($newPassw);
$userdata['unicodePwd'] = $newPassword;
$result = ldap_modify($ds, $dn_user, $userdata);
if ($result) echo "User modified!";
else echo "There was a problem!";
ldap_unbind($ds);
I know that LDAPS is working, as this works:
ldapsearch -x -d 2 -LLL -H ldaps://DCIPADDRESS -b 'OU=Users,DC=example,DC=co,DC=uk' -D 'domainadminusername' -W '(sAMAccountName=username)'
Can anyone tell me what I am doing wrong?
Thanks

I'm not a PHP writer; here are some guidelines from a closed question I answered:
Using PHP, you can create a user with the right password, or change an AD user's password, using LDAP with a simple bind over an SSL connection.
For this you need to install a certificate on your AD server. The simple way (not the most attractive) is to install Microsoft Certificate Server on your domain (Enterprise installation, see Configuring Microsoft Active Directory for SSL Access) and then to reboot your domain controller. You can also generate a certificate with OpenSSL and install it on the computer (see How to enable LDAP over SSL with a third-party certification authority).
Here is a sample LDIF file that creates a user with his password over an SSL connection; it also shows the way I generate the base64 string for the password:
# Imported with:
# ldifde -i -t 636 -f .\Annuaire3.ldf
# Password generated by ("" must be encoded inside):
# stringconverter.exe \"test.2011\" /unicode /encode
# Connection then tested with:
# runas /user:jdupont cmd.exe (password is test.2011)
dn: cn=Jean Dupont,OU=MonOU,DC=societe0,DC=fr
changetype: add
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jean Dupont
givenName: Jean
sn: Dupont
mail: jean.Dupont@societe.fr
telephoneNumber: 9999
userAccountControl: 544
sAMAccountName: jdupont
userPrincipalName: jdupont@societe.fr
unicodePwd:: IgB0AGUAcwB0AC4AMgAwADEAMQAiAA==
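The asker's loop and the answer's LDIF are aiming at the same encoding: Active Directory's unicodePwd value is the password wrapped in double quotes and encoded as UTF-16LE. The difference is where base64 belongs. In LDIF the double-colon form (unicodePwd::) carries base64, which ldifde decodes before sending; ldap_modify() and ldap_mod_replace() send the attribute value as raw bytes, so base64-encoding it in PHP hands the DC a value it cannot interpret. AD also refuses unicodePwd changes over an unencrypted connection (LDAP error 53, "Unwilling to perform"), so the connection has to be LDAPS or otherwise encrypted, and the bound account needs the reset-password right on the target object. The following is an added example that belongs to neither post; the function names, the user DN and the password are placeholders, and it assumes $ds is an LDAPS connection that has already been bound as a suitably privileged account.

```php
<?php
// Added example, not the posts' own code. Builds the unicodePwd value the way
// Active Directory expects and replaces it on an existing, already-bound
// LDAPS connection. Function names and DNs here are placeholders.

/** Password wrapped in double quotes and encoded as UTF-16LE: the raw bytes AD wants. */
function adUnicodePwd(string $password): string
{
    // mb_convert_encoding (ext/mbstring) handles non-ASCII passwords correctly;
    // a byte-by-byte "append a NUL" loop only works for plain ASCII.
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** The same value as written after "unicodePwd::" in LDIF. base64 is LDIF presentation only. */
function adUnicodePwdLdif(string $password): string
{
    return base64_encode(adUnicodePwd($password));
}

/**
 * Replace a user's password over an existing, bound LDAPS connection.
 * $ds is the LDAP\Connection (a resource on PHP < 8.1) from ldap_connect() after ldap_bind().
 * Throws with the server's reason instead of a bare "There was a problem!".
 */
function adSetPassword($ds, string $userDn, string $newPassword): bool
{
    // Raw bytes on the wire: NOT base64_encode()d.
    $ok = ldap_mod_replace($ds, $userDn, ['unicodePwd' => adUnicodePwd($newPassword)]);
    if (!$ok) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // Typical failures: 53 "Unwilling to perform" when the connection is not encrypted
        // or the password violates domain policy; 50 "Insufficient access" when the bound
        // account may not reset passwords on that object.
        throw new RuntimeException(sprintf('unicodePwd replace failed: (%d) %s %s',
            ldap_errno($ds), ldap_error($ds), $diag));
    }
    return true;
}

// Self-check against the answer's LDIF: stringconverter.exe \"test.2011\" /unicode /encode
// produced exactly this base64 string for the password test.2011.
assert(adUnicodePwdLdif('test.2011') === 'IgB0AGUAcwB0AC4AMgAwADEAMQAiAA==');

// Usage (placeholders; assumes $ds is connected over ldaps:// and bound as an admin):
// adSetPassword($ds, 'CN=Test User,OU=New Users,OU=Users,DC=example,DC=co,DC=uk', '1.Password!');
```

The assertion reproduces the answer's value, so the UTF-16LE transformation can be checked without a domain controller; everything else in the block needs a live LDAPS connection.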

Related

Connect an active directory or LDAP with PHP

I am trying to connect to the Active Directory or LDAP of Windows from an application (GLPI) made in PHP.
Connection parameters:
Connecting with the server:
$ds = ldap_connect($host, $port) // returns true
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
Binding the connection to the server with the user and password:
ldap_bind($ds, $login, $password)
returns to me:
"Can not contact LDAP server"
I want to know what could cause that error message, since the first call returns true to me, which means that it does connect to the server.
RootDN: this is fine, and the user I am using has all the permissions.
The default server is fine and I did ping and telnet.
Note: I already downloaded LDAPExplorer and established a connection without problem.
Is the $ds = ldap_connect ... missing, like how it is in your code?
It should be something like:
$ds = ldap_connect($host, $port);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
ldap_bind($ds, $login, $password);
ldap_connect does not connect to the server, as is clearly stated in the docs. It merely creates a resource and checks whether the given values are plausible. The actual connection is established by the first command that requires a connection to the server; in this case, ldap_bind.
BTW: the "first method" does not return true but a resource handle. Only when you pass something absolutely not parseable will it return false, but never true.
I'd recommend using an LDAP URI instead of the $host, $port variation, as the PHP library has to build that internally otherwise. And it's the only way to, e.g., establish an LDAPS connection.
Ok, the solution to my problem was to upgrade from GLPI version 9.3.0 to 9.3.3.
Suggestions:
For users to whom this could happen: check the messages GLPI shows about pending installation packages. I opted for the update and the connection worked without problem.
For users who cannot update the version: check whether Apache packages are pending installation or update; also, during the setup process, be very careful to install the entire list that appears pending.
To fix some errors after installing version 9.3.3:
chown -R apache:apache glpi/files
chmod -R 755 glpi/files
chown -R apache:apache config
chmod -R 755 glpi/config
also:
setsebool -P httpd_can_network_connect_db 1
Thank you.

PHP ldap_bind is not working on azure with a message can't contact Ldap server

I have a Laravel 5 app. With the code below, I am able to successfully authenticate with Active Directory when on localhost and with the company network cable plugged into my computer.
public static function connect_ldap($username, $password)
{
    $ldapServer = DirectorySetting::where('config_key', 'LdapServerAddress')->value('config_value');
    $conn = ldap_connect($ldapServer, 389);
    if (!$conn) return false;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bindServerLDAP = @ldap_bind($conn, $username, $password);
    if (!$bindServerLDAP) return false;
    return $conn;
}
However, our test and production servers are on Microsoft Azure. When I try to authenticate, I get the error below:
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/test_ldap.php on line 70
Error Binding to LDAP: No additional information is available
Observations:
ldap_connect is successful
I can successfully ping the LDAP server address
ldap_bind is unsuccessful. Enabling verbose output here doesn't help either. It just tells me that No additional information is available
The systems team says they have created a link between the on-premises and Azure Active Directory
My server is CentOS 7, I have enabled the variables httpd_can_network_connect and httpd_can_connect_ldap like below:
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_can_connect_ldap on
I have equally added in /etc/openldap/ldap.conf, the variable below:
TLS_REQCERT never
Even with this, it doesn't work.
What could be wrong?

PHP access denied for MySQL SHA256 Accounts

I've compiled OpenSSL 1.0.2h into /usr/local/openssl on a MySQL 5.7.13 Server, using the following code:
tar xvzf openssl-1.0.2h.tar.gz -C /usr/local
cd /usr/local/openssl-1.0.2h
./config --prefix=/usr/local/openssl shared
make depend
make
make install
After, I configured MySQL with:
cmake . -DMYSQL_DATADIR=/usr/local/mysql/dat -DWITH_SSL=/usr/local/openssl
When MySQL starts for the first time, it creates eight key/cert (.pem) files within that /dat directory:
ca.pem
ca-key.pem
client-cert.pem
client-key.pem
private_key.pem
public_key.pem
server-cert.pem
server-key.pem
From within MySQL Workbench, I can see that SSL is on in the Available Server Features:
SSL Availability On (Green Dot)
And that the SHA256/SSL files are identified in the Authentication section:
SHA256 password private key: private_key.pem
SHA256 password public key: public_key.pem
SSL CA: ca.pem
SSL CA path: n/a
SSL Cert: server-cert.pem
SSL CRL: n/a
SSL CRL path: n/a
SSL Key: server-key.pem
From the Users and Privileges section in Workbench I have created two test users:
'user_standard'#'%' picking Standard for Authentication Type
'user_sha256'#'%' picking SHA256 Password for Authentication Type
In my my.cnf file I specify the following:
[client]
ssl-ca = /usr/local/mysql/dat/ca.pem
ssl-cert = /usr/local/mysql/dat/client-cert.pem
ssl-key = /usr/local/mysql/dat/client-key.pem
[mysqld]
ssl-ca = /usr/local/mysql/dat/ca.pem
ssl-cert = /usr/local/mysql/dat/server-cert.pem
ssl-key = /usr/local/mysql/dat/server-key.pem
ssl-cipher = DHE-RSA-AES256-SHA
The "status" of the MySQL Server is as follows:
mysql> status
--------------
./bin/mysql Ver 14.14 Distrib 5.7.13, for Linux (x86_64) using EditLine wrapper
Connection id: 4
Current database: mysql
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current page: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.13-debug-log Source distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /tmp/mysqld.sock
I have a separate client server running Apache 2.4.10 (configured with --with-ssl=/usr/local/openssl), PHP 7.0.7 (configured with --with-openssl=/usr/local/openssl), and the same OpenSSL 1.0.2h (configured with --prefix=/usr/local/openssl shared). My phpinfo.php file shows OpenSSL support is enabled and that its Library/Header Version is indeed 1.0.2h.
I then copied the ca.pem, server-cert.pem, and server-key.pem files from the MySQL Server to the Apache/PHP Server and made a directory to put them in: /usr/local/openssl/ssl/mysql/.
Here is my PHP code, which is a "Success!" using the credentials for [user_standard], but I get
Warning: mysqli_real_connect(): (HY000/1045): Access denied for user 'user_sha256' (using password: YES)
simply by switching the $user and $pass variables to log in as [user_sha256]. Everything else remains the same.
$conn = mysqli_init();
$conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$conn->ssl_set('/usr/local/openssl/ssl/mysql/server-key.pem', '/usr/local/openssl/ssl/mysql/server-cert.pem', '/usr/local/openssl/ssl/mysql/ca.pem', NULL, 'DHE-RSA-AES256-SHA');
$serv = 'MySQL_Server_5.7.13_Auto_Generated_Server_Certificate';
$user = 'user_standard'; // Switching to 'user_sha256' = Permission denied
$pass = 'user_standard'; // Switching to 'user_sha256' = Permission denied
$data = 'test';
// real_connect() returns a bool; the $conn object itself is always truthy, so test the return value
$ok = $conn->real_connect($serv, $user, $pass, $data, 3306, NULL, MYSQLI_CLIENT_SSL);
if (!$ok) {
    die('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . "\n");
} else {
    echo "Success!";
}
$conn->close();
I don't understand the difference and/or what possibly needs to be configured differently to allow PHP to connect to the SHA256 account.
And by the way, both the MySQL Server and the Apache/PHP Server are: CentOS Linux release 7.2.1511 (Core).

LDAP_BIND Can't contact LDAP server

I have a question for you.
My goal is to bind to an LDAP server with PHP.
When I try from a terminal (bash) I use:
ldapsearch -H ldaps://[server]:[port] -D [dn] -W
It works well.
When I try with a PHP script:
$server = array("ldaps://[server]", "[port]");
$userdn = "[dn]";
$userpw = "[pw]";
$ds = ldap_connect($server[0], $server[1]) or die("ldap server offline");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_bind($ds, $userdn, $userpw);
Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server
I don't understand my mistake. I've searched all night long on Google.
Q/A
_ I use MAMP (Apache)
_ The LDAP server pings fine, and works with bash.
_ I use a firewall, but it doesn't work without it either.
_ All [var] are OK, because in bash it works.
Adding TLS_REQCERT allow to ldap.conf and it works! Thanks to @rooster
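Three of the threads above end in the same message, "Can't contact LDAP server", raised by ldap_bind rather than ldap_connect. That is consistent with the answer to the GLPI question: ldap_connect only parses the URI, so the bind is the first call that opens the socket and negotiates TLS, and a blocked port, an untrusted server certificate or a certificate whose name does not match the URI all surface there with that one generic message. Two posts fixed it with TLS_REQCERT never in ldap.conf, which makes the script accept any certificate from whatever answers on port 636; the example below, added here and not taken from any of the posts, keeps verification on by telling libldap which CA issued the DC's certificate, bounds the connect so a silently dropped port fails instead of hanging, and surfaces the real error. The function name ldapsBind, the host dc01.example.co.uk, the service-account DN, the CA file path and the environment variable are all placeholders. With verification on, the URI must use the host name that appears in the server's certificate, not a bare IP address as in the first question.

```php
<?php
// Added example, not code from any of the posts. Opens an LDAPS connection
// with a trusted CA instead of TLS_REQCERT never, fails fast on a blocked
// port, and reports the real bind error. Names, paths and credentials are
// placeholders.

/**
 * Open and bind an LDAPS connection. Returns the connection, or throws with
 * the libldap error number, message and the server's diagnostic text.
 *
 * @param string $uri    e.g. 'ldaps://dc01.example.co.uk' (the name on the certificate, not the IP)
 * @param string $caFile PEM file holding the CA that issued the directory server's certificate
 */
function ldapsBind(string $uri, string $bindDn, string $bindPw, string $caFile, int $timeoutSec = 5)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // TLS trust settings are libldap process-wide defaults (set with a null connection)
    // and must be in place before the first connection is opened. This is the in-code
    // equivalent of TLS_CACERT in ldap.conf; unlike TLS_REQCERT never it keeps server
    // certificate verification on. These constants exist since PHP 7.1.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldap_connect() only parses the URI; no packet is sent until the bind.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect: malformed URI $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // A firewall that silently drops port 636 otherwise leaves the request hanging
    // (the blank-page symptom); bound the wait instead.
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeoutSec);

    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        $errno = ldap_errno($ds);
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // -1 "Can't contact LDAP server": the TCP/TLS layer failed (port blocked, certificate
        // not trusted, host name mismatch); the credentials were never evaluated.
        // 49 "Invalid credentials": the server answered and rejected the bind.
        throw new RuntimeException(sprintf('ldap_bind to %s failed: (%d) %s %s',
            $uri, $errno, ldap_error($ds), $diag));
    }
    return $ds;
}

// Usage (placeholders):
// $ds = ldapsBind('ldaps://dc01.example.co.uk',
//                 'CN=svc-ldap,OU=Service Accounts,DC=example,DC=co,DC=uk',
//                 getenv('LDAP_BIND_PW') ?: '',
//                 '/etc/ssl/certs/example-ad-ca.pem');
```

Distinguishing error -1 from error 49 in the exception message is what turns "Can't contact LDAP server" into something actionable: -1 is a network or trust problem to take to the firewall or certificate owner, 49 means the directory is reachable and the account or password is the issue.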

Connecting to LDAP using PEAR LDAP2 in PHP

I'm not very experienced with using LDAP and have been looking at a few Stack Overflow questions and tried to piece some code together.
I'm using the PEAR LDAP2 package with my PHP. So far I have set up my filters, but I'm not searching for anything yet.
All I am trying to do is set up my connection to the server, but when my code reaches:
$ldap = Net_LDAP2::connect($config);
the script freezes and produces a white screen. How can I fix this?
Script below:
<?php
include '../config/connection.php';
require_once '../Scripts/Net_LDAP2-2.0.12/Net/LDAP2/LDAP2.php';
//retrieve information from the form
$username = $_POST['username'];
$password = $_POST['password'];
$usernamefilter = Net_LDAP2_Filter::create('username', 'equals', $username);
$passwordfilter = Net_LDAP2_Filter::create('password', 'equals', $password);
$combinedFilter = Net_LDAP2_Filter::combine('and', array($usernamefilter, $passwordfilter));
echo "filters have been created. <br />";
// The configuration array:
$config = array (
'binddn' => 'username',
'bindpw' => 'password',
'basedn' => 'ou=People,dc=campus,dc=aston,dc=ac,dc=uk',
'host' => 'gc.campus.aston.ac.uk',
'filter' => $combinedFilter
);
echo "config array has been set up. <br />";
// Connecting using the configuration:
$ldap = Net_LDAP2::connect($config);
echo "connection to ldap has been sent. <br />";
// Testing for connection error
if (PEAR::isError($ldap)) {
die('Could not connect to LDAP-server: '.$ldap->getMessage());
}
Consider verifying that the LDAP directory server is correctly responding to LDAP client requests by using a known good client. ldapsearch as distributed by the vendor is the best choice for this task. Execute the following search to verify that the server is accepting client connections and responding:
ldapsearch -h gc.campus.aston.ac.uk -p <your-port> \
-D the-distinguished-name -w password \
-b 'ou=People,dc=campus,dc=aston,dc=ac,dc=uk' \
-s base '(&)' 1.1
If this hangs, fails, or returns no entries, correct the problem and re-test until the above command succeeds.
Note: if you are using the old legacy OpenLDAP ldapsearch, add the -x command line option
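Apart from the hang, the script in this question builds a filter that compares the submitted password with a password attribute. Directory servers do not hand out or dependably match password attributes through search filters (Active Directory does not expose unicodePwd to searches at all), and interpolating raw form fields into a filter is LDAP filter injection: a value such as *)(uid=* rewrites the filter. The usual pattern is to look up the account's DN with an escaped filter and then bind as that DN with the submitted password; the bind result is the authentication decision, and the server enforces its own lockout and expiry policy. The block below is an added example, not the asker's code or part of PEAR Net_LDAP2; it uses PHP's ext/ldap directly, and the function names, the base DN, the login attribute and the already-bound service connection $ds are assumptions.

```php
<?php
// Added example, not code from the post. Authenticates a web user against LDAP
// the standard way: find the account's DN with an escaped filter, then bind as
// that DN with the submitted password. Base DN, attribute and the service
// connection are assumptions.

/**
 * Equality filter with the user-supplied value escaped per RFC 4515.
 * Without ldap_escape(), input such as  *)(uid=*  changes the filter's meaning.
 */
function loginFilter(string $attr, string $login): string
{
    return sprintf('(%s=%s)', $attr, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
}

/**
 * @param resource|LDAP\Connection $ds  connection already bound as a read-only service account
 * @return string|null  the authenticated user's DN, or null on failure (no reason leaks to the caller)
 */
function ldapAuthenticate($ds, string $baseDn, string $login, string $password,
                          string $attr = 'sAMAccountName'): ?string
{
    // An empty password turns the user bind into an anonymous bind, which many servers
    // accept; refuse it before it reaches the directory.
    if ($login === '' || $password === '') {
        return null;
    }
    // Ask for no attributes ('1.1'); only the DN is needed. Cap the result at 2 entries
    // so an ambiguous match can be detected cheaply.
    $sr = @ldap_search($ds, $baseDn, loginFilter($attr, $login), ['1.1'], 0, 2);
    if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
        return null;           // unknown or ambiguous account
    }
    $userDn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));

    // The bind IS the password check. After this the connection is bound as the user,
    // so re-bind the service account before reusing $ds for further lookups.
    if (!@ldap_bind($ds, $userDn, $password)) {
        return null;           // 49 Invalid credentials, or the account is disabled/locked
    }
    return $userDn;
}

// Self-check of the escaping, runnable without a directory:
assert(loginFilter('sAMAccountName', 'jdupont') === '(sAMAccountName=jdupont)');
assert(loginFilter('sAMAccountName', '*)(sAMAccountName=*')
       === '(sAMAccountName=\2a\29\28sAMAccountName=\2a)');

// Usage (assumes $ds was connected over ldaps:// and bound as a read-only service account):
// $dn = ldapAuthenticate($ds, 'ou=People,dc=campus,dc=aston,dc=ac,dc=uk', $_POST['username'], $_POST['password'], 'uid');
```

Returning only a DN or null keeps the distinction between "no such user" and "wrong password" on the server side, where it belongs; log the libldap error for operators, but do not echo it to the browser.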
