MrSmith

Reputation: 380

set password for new LDAP user

I've been trying to create Windows user accounts out of PHP, which itself is no problem. The only thing I can't do is to set the Windows user password to the company standard password. I can create, change and delete the user account without any problems, except for the password. Every time I create a user and try to log myself in with the credentials, all I get is a "username or password wrong". And I checked the username.

What I tried so far:

It seems that I can change $ldaprecord['userPassword'], but when I try to change $ldaprecord['unicodePwd'] the server is unwilling to do my request. Which is the right one for the password?

I am not connecting to the AD via SSL. Is this my mistake? If so why can I delete user but not set their password?

Thanks in advance.

EDIT:

Asked the sysadmin to establish a connection via SSL but he said the Lightweight Directory Services weren't even installed on the DC. In his opinion I'm working directly on the AD. Any thoughts on that?

Working on Windows 2012 R2 with IIS.

Upvotes: 5

Views: 6672

Answers (2)

MrSmith

Reputation: 380

First I did as @ChadSikorra told me to: I created the folder(s)/file C:\OpenLDAP\sysconf\ldap.conf and added the line TLS_REQCERT never. However, this didn't help with ldap_start_tls(), but our sysadmin checked the DC and found that the domain controller certificate wasn't installed. So I could finally establish a connection via ldap_connect("ldaps://mydomaincontroller"); which means I could set the unicodePwd attribute.

The next problem was the encoding for unicodePwd. This is the way to go:

$newPassword = "mypassword";
// AD expects the password wrapped in double quotes ...
$newPassword = "\"" . $newPassword . "\"";
// ... and encoded as UTF-16LE; name the source encoding explicitly instead of relying on mb_internal_encoding()
$newPass = mb_convert_encoding($newPassword, "UTF-16LE", "UTF-8");

The strange thing is that it seems that you cannot set the password when adding the user to the AD (correct me if there is a way). Instead you have to set the password afterwards:

$result = ldap_add(...);        // create the account first, without unicodePwd
$entry = array(
    "unicodePwd" => $newPass,   // the quoted, UTF-16LE encoded value from above
    "pwdLastSet" => "0"         // LDAP attribute values are strings; 0 = must change password at next logon
);
ldap_modify($connect, $member, $entry);

Setting the password with ldap_add() didn't work for me. pwdLastSet = 0 forces the user to change the password after login, and $member is the "ID" of the user (e.g.: CN=johndoe, ou=person, dc=mycompany). Make sure to use a unique key after the "CN=".

Thank you guys for your help.

Upvotes: 6
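The two steps from the answer above (quote + UTF-16LE encode, then modify over LDAPS with pwdLastSet = 0) pulled into one checked routine. This is an added example, not code from the answer; the host, service account DN, user DN and the AD_BIND_PASSWORD environment variable are placeholders.

```php
<?php
// Added example (not from the original answers): build the unicodePwd value and
// set it on an existing account over LDAPS, checking every step for errors.
// Host, bind DN, user DN and AD_BIND_PASSWORD are placeholders; replace them.

// AD only accepts unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE.
function adUnicodePwd(string $password): string
{
    if ($password === '') {
        throw new InvalidArgumentException('password must not be empty');
    }
    // Name the source encoding explicitly; relying on mb_internal_encoding() is fragile.
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Replace unicodePwd on $userDn and force a change at next logon (pwdLastSet = 0).
// $conn must be an LDAPS (or StartTLS) session: AD refuses unicodePwd writes in the clear.
function setAdPassword($conn, string $userDn, string $password): void
{
    $entry = [
        'unicodePwd' => adUnicodePwd($password),
        'pwdLastSet' => '0',   // LDAP attribute values are strings
    ];
    if (!ldap_mod_replace($conn, $userDn, $entry)) {
        // Typical failure: "Server is unwilling to perform" when the session is not encrypted
        throw new RuntimeException('unicodePwd update failed: ' . ldap_error($conn));
    }
}

$conn = ldap_connect('ldaps://dc.example.invalid');   // placeholder host, LDAPS on 636
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

$bindDn = 'CN=svc-provision,OU=service,DC=example,DC=invalid';   // placeholder service account
if (!ldap_bind($conn, $bindDn, getenv('AD_BIND_PASSWORD'))) {
    exit('bind failed: ' . ldap_error($conn) . PHP_EOL);
}

// The account is assumed to exist already (created with ldap_add without unicodePwd).
setAdPassword($conn, 'CN=johndoe,OU=person,DC=example,DC=invalid', 'CompanyStandard1');
ldap_unbind($conn);
```

ldap_mod_replace() is used rather than ldap_modify() so that only the two listed attributes are touched; both fail the same way on an unencrypted session, which is the quickest way to confirm the LDAPS setup is really in effect.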

heiglandreas

Reputation: 3861

According to this Microsoft article it looks as though the password is stored in a field unicodePwd which can only be set but not read. And apart from that, the NTLM hash and the NT hash can be stored in the SAM database (which is AFAIK not accessible through LDAP), so you won't have much luck in changing the password via LDAP.

There is an article though on how to change a Windows 2000 password via LDAP referenced on the website stated above.

Upvotes: 1
