当前位置:theitroad>使用 LDAP/PHP/IIS/SSL 更改 Active Directory 中的密码

使用 LDAP/PHP/IIS/SSL 更改 Active Directory 中的密码

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/5719082/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-25 22:18:42  来源:igfitidea点击:

Change Password in Active Directory using LDAP/PHP/IIS/SSL

phpiissslpasswordsldap

提问by compcentral

First of all, this may be less of a programming question and more of a how do I configure LDAPS question, but here goes...

首先,这可能不是一个编程问题,而是一个如何配置 LDAPS 的问题,但这里是......

Background Info:

背景资料:

I have two Windows 2008 R2 servers. One is a domain controller (DC) with Active Directory (AD) that I want to communicate with via LDAP. This one is named TestBox.TestDomain.local. The other server is running IIS, PHP (with ldap and openssl), and mySQL.

我有两台 Windows 2008 R2 服务器。一个是带有 Active Directory (AD) 的域控制器 (DC),我想通过 LDAP 与之通信。这个名为 TestBox.TestDomain.local。另一台服务器正在运行 IIS、PHP(使用 ldap 和 openssl)和 mySQL。

What is/isn't working:

什么是/不工作:

I can successfully connect to the DC unsecured over port 389 and read/write data to AD. What I can't do is change or set user passwords since this requires a secure connection using LDAPS (LDAP w/ SSL) over port 636.

我可以通过端口 389 成功连接到不安全的 DC 并将数据读/写到 AD。我不能做的是更改或设置用户密码,因为这需要使用 LDAPS(带 SSL 的 LDAP)通过端口 636 进行安全连接。

What I need help with:

我需要什么帮助:

I have tried installing Active Directory Certificate Services (AD CS) and configuring the DC to act as a Certificate Authority (CA) using information found here: http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspxbut no matter what I try I can't get a connection over LDAPS to work.

我曾尝试使用以下信息安装 Active Directory 证书服务 (AD CS) 并将 DC 配置为充当证书颁发机构 (CA):http: //technet.microsoft.com/en-us/library/cc770357(WS. 10).aspx但无论我尝试什么,我都无法通过 LDAPS 建立连接。

Sample Code:

示例代码:

Creating the LDAP Connection

创建 LDAP 连接

function ldapConnect(){
    $ip = "100.200.300.400";  // WAN IP goes here;
    $ldap_url = "ldap://$ip";
    $ldaps_url = "ldaps://$ip";
    $ldap_domain = 'testdomain.local';
    $ldap_dn = "dc=testdomain,dc=local";

    // Unsecure - WORKS
    $ldap_conn = ldap_connect( $ldap_url ) or die("Could not connect to LDAP server ($ldap_url)");
    //alternate connection method 
    //$ldap_conn=ldap_connect( $ip, 389 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 389)");  

    // Secure - DOESN'T WORK
    //$ldap_conn = ldap_connect( $ldaps_url ) or die("Could not connect to LDAP server ($ldaps_url)");
    //alternate connection method 
    //$ldap_conn=ldap_connect( $ip, 636 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 636)");  

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $username = "AdminUser";
    $password = "AdminPass"; 

    // bind using admin username and password
    // could also use dn... ie. CN=Administrator,CN=Users,DC=TestDomain,DC=local
    $result = ldap_bind($ldap_conn, "$username@$ldap_domain", $password ) or die("<br>Error: Couldn't bind to server using supplied credentials!");

    if($result){
        return $ldap_conn;
    }else{
        die("<br>Error: Couldn't bind to server using supplied credentials!");
    }
}

Adding a New User to Active Directory

将新用户添加到 Active Directory

function ldapAddUser($ldap_conn, $ou_dn, $firstName, $lastName, $username, $pwdtxt, $email){
    $dn = "CN=$firstName $lastName,".$ou_dn;

    ## Create Unicode password
    $newPassword = "\"" . $pwdtxt . "\"";
    $len = strlen($newPassword);
    $newPassw = "";
    for($i=0;$i<$len;$i++) {
        $newPassw .= "{$newPassword{$i}}
 [Version] 

 Signature="$Windows NT$ 

 [NewRequest]
 Subject = "CN=my-server.blahblah.com" ; must be the FQDN of host


 Exportable = TRUE  ; TRUE = Private key is exportable
 KeyLength = 4096    ; Common key sizes: 512, 1024, 2048, 
          ;    4096, 8192, 16384
 KeySpec = 1             ; Key Exchange
 KeyUsage = 0xF8     ;  Digital Signature, Non Repudiation, Key Encipherment, Data     Encipherment, Key Agreement
 MachineKeySet = True
 ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 ProviderType = 12
 RequestType = CMC

 ; Omit entire section if CA is an enterprise CA
 [EnhancedKeyUsageExtension]
 OID=1.3.6.1.5.5.8.2.2
 OID=1.3.6.1.5.5.7.3.1
 OID=1.3.6.1.5.5.7.3.2
 OID=1.3.6.1.5.5.7.3.3
 OID=1.3.6.1.5.5.7.3.4 
 OID=1.3.6.1.5.5.7.3.5 
 OID=1.3.6.1.5.5.7.3.6 
 OID=1.3.6.1.5.5.7.3.7
 OID=1.3.6.1.5.5.7.3.8
 OID=1.3.6.1.5.5.7.3.9
 OID=1.3.6.1.4.1.311.10.3.4 
 OID=1.3.6.1.4.1.311.54.1.2

 [RequestAttributes]
 CertificateTemplate = MySpecialTemplate  ;Omit  line if CA is a stand-alone CA
 SAN="my-server.blahblah.com"

0";
    }

    $ldaprecord['cn'] = $firstName." ".$lastName;
    $ldaprecord['displayName'] = $firstName." ".$lastName;
    $ldaprecord['name'] = $firstName." ".$lastName;
    $ldaprecord['givenName'] = $firstName;
    $ldaprecord['sn'] = $lastName;
    $ldaprecord['mail'] = $email;
    $ldaprecord['objectclass'] = array("top","person","organizationalPerson","user");
    $ldaprecord["sAMAccountName"] = $username;
    //$ldaprecord["unicodepwd"] = $newPassw;
    $ldaprecord["UserAccountControl"] = "544"; 

    $r = ldap_add($ldap_conn, $dn, $ldaprecord);

    // set password .. not sure if I need to base64 encode or not
    $encodedPass = array('userpassword' => base64_encode($newPassw));
    //$encodedPass = array('unicodepwd' => $newPassw);

    echo "Change password ";
    if(ldap_mod_replace ($ldap_conn, $dn, $encodedPass)){ 
        echo "succeded";
    }else{
        echo "failed";
    }
}

采纳答案by JPBlanc

Just two pieces of advice:

只提两点忠告:

  1. During the AD CS setup, in the Specify Setup Typepage, click Enterprise, and then click Next.
  2. AD service is supposed to take himself his own certificate, but if it works like in Windows server 2003, you must reboot the server to make it work. Perhaps just stop and restart the service in W2K8 R2.
  1. 在 AD CS 安装过程中,在“指定安装类型”页面中,单击“企业”,然后单击“下一步”。
  2. AD 服务应该自己获取自己的证书,但是如果它像在 Windows Server 2003 中一样工作,则必须重新启动服务器才能使其工作。也许只是停止并重新启动 W2K8 R2 中的服务。

Afer that, you can just try to build a certificate and install it on the AD service account, like you can find it done with ADAM.

之后,您可以尝试构建证书并将其安装在 AD 服务帐户上,就像您可以使用 ADAM 完成一样。

回答by JEFFREY

Did you create a certificate request for the secure Ldap with the correct OIDs?

您是否使用正确的 OID 为安全 LDAP 创建了证书请求?

here's my inf file:

这是我的 inf 文件:

##代码##

YOU SHOULD MAKE A TEMPLATE ON THE CA USING THE 2003 (NOT ALL MICROSOFT PRODUCTS CAN UTILIZE 2008 TEMPLATES -- I KNOW STUPID HUH) COPY IT FROM DOMAIN CONTROLLER AND THROW THE KITCHEN SINK AT THE OIDS

您应该使用 2003 在 CA 上制作模板(并非所有 MICROSOFT 产品都可以使用 2008 模板 - 我知道愚蠢的哈)从域控制器复制它并将厨房水槽扔到 OIDS

回答by Raja Roy

Just make your connection as trust all. Then it will no longer need certificates. Check out javax.net.sslTrustManager.

只需将您的联系视为信任所有人。然后它将不再需要证书。退房javax.net.sslTrustManager

相关推荐

php Laravel 5 在控制器方法中获取路由前缀

php Laravel 5 在控制器方法中获取路由前缀

php 会话未设置,或 session_destroy?

php 会话未设置,或 session_destroy?

php Laravel 中的“格式错误的 UTF-8 字符,可能编码不正确”

php Laravel 中的“格式错误的 UTF-8 字符,可能编码不正确”

php 在mysql中拒绝插入命令

php 在mysql中拒绝插入命令

相关推荐
最近更新
标签