使用 LDAP/PHP/IIS/SSL 在 Active Directory 中更改密码

2022-01-17 00:00:00 ssl passwords ldap php iis

首先,这可能不是一个编程问题,而更像是一个如何配置 LDAPS 问题,但这里是……

First of all, this may be less of a programming question and more of a how do I configure LDAPS question, but here goes...

背景信息:

我有两台 Windows 2008 R2 服务器.一个是带有 Active Directory (AD) 的域控制器 (DC),我想通过 LDAP 与之通信.这个名为 TestBox.TestDomain.local.另一台服务器正在运行 IIS、PHP(带有 ldap 和 openssl)和 mySQL.

I have two Windows 2008 R2 servers. One is a domain controller (DC) with Active Directory (AD) that I want to communicate with via LDAP. This one is named TestBox.TestDomain.local. The other server is running IIS, PHP (with ldap and openssl), and mySQL.

什么是/不工作:

我可以通过端口 389 成功连接到不安全的 DC 并将数据读/写到 AD.我不能做的是更改或设置用户密码,因为这需要通过端口 636 使用 LDAPS(带 SSL 的 LDAP)进行安全连接.

I can successfully connect to the DC unsecured over port 389 and read/write data to AD. What I can't do is change or set user passwords since this requires a secure connection using LDAPS (LDAP w/ SSL) over port 636.

我需要什么帮助:

我已尝试使用以下信息安装 Active Directory 证书服务 (AD CS) 并将 DC 配置为证书颁发机构 (CA):http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx 但没关系我尝试了什么我无法通过 LDAPS 建立连接.

I have tried installing Active Directory Certificate Services (AD CS) and configuring the DC to act as a Certificate Authority (CA) using information found here: http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx but no matter what I try I can't get a connection over LDAPS to work.

示例代码:

创建 LDAP 连接

function ldapConnect(){
    $ip = "100.200.300.400";  // WAN IP goes here;
    $ldap_url = "ldap://$ip";
    $ldaps_url = "ldaps://$ip";
    $ldap_domain = 'testdomain.local';
    $ldap_dn = "dc=testdomain,dc=local";

    // Unsecure - WORKS
    $ldap_conn = ldap_connect( $ldap_url ) or die("Could not connect to LDAP server ($ldap_url)");
    //alternate connection method 
    //$ldap_conn=ldap_connect( $ip, 389 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 389)");  

    // Secure - DOESN'T WORK
    //$ldap_conn = ldap_connect( $ldaps_url ) or die("Could not connect to LDAP server ($ldaps_url)");
    //alternate connection method 
    //$ldap_conn=ldap_connect( $ip, 636 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 636)");  

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $username = "AdminUser";
    $password = "AdminPass"; 

    // bind using admin username and password
    // could also use dn... ie. CN=Administrator,CN=Users,DC=TestDomain,DC=local
    $result = ldap_bind($ldap_conn, "$username@$ldap_domain", $password ) or die("<br>Error: Couldn't bind to server using supplied credentials!");

    if($result){
        return $ldap_conn;
    }else{
        die("<br>Error: Couldn't bind to server using supplied credentials!");
    }
}

向 Active Directory 添加新用户

Adding a New User to Active Directory

function ldapAddUser($ldap_conn, $ou_dn, $firstName, $lastName, $username, $pwdtxt, $email){
    $dn = "CN=$firstName $lastName,".$ou_dn;

    ## Create Unicode password
    $newPassword = """ . $pwdtxt . """;
    $len = strlen($newPassword);
    $newPassw = "";
    for($i=0;$i<$len;$i++) {
        $newPassw .= "{$newPassword{$i}}00";
    }

    $ldaprecord['cn'] = $firstName." ".$lastName;
    $ldaprecord['displayName'] = $firstName." ".$lastName;
    $ldaprecord['name'] = $firstName." ".$lastName;
    $ldaprecord['givenName'] = $firstName;
    $ldaprecord['sn'] = $lastName;
    $ldaprecord['mail'] = $email;
    $ldaprecord['objectclass'] = array("top","person","organizationalPerson","user");
    $ldaprecord["sAMAccountName"] = $username;
    //$ldaprecord["unicodepwd"] = $newPassw;
    $ldaprecord["UserAccountControl"] = "544"; 

    $r = ldap_add($ldap_conn, $dn, $ldaprecord);

    // set password .. not sure if I need to base64 encode or not
    $encodedPass = array('userpassword' => base64_encode($newPassw));
    //$encodedPass = array('unicodepwd' => $newPassw);

    echo "Change password ";
    if(ldap_mod_replace ($ldap_conn, $dn, $encodedPass)){ 
        echo "succeded";
    }else{
        echo "failed";
    }
}

推荐答案

只有两条建议:

  1. 在 AD CS 设置过程中,在 Specify Setup Type 页面中,单击 Enterprise,然后单击 Next.
  2. AD 服务应该使用自己的证书,但如果它像在 Windows server 2003 中一样工作,则必须重新启动服务器才能使其工作.也许只是停止并重新启动 W2K8 R2 中的服务.
  1. During the AD CS setup, in the Specify Setup Type page, click Enterprise, and then click Next.
  2. AD service is supposed to take himself his own certificate, but if it works like in Windows server 2003, you must reboot the server to make it work. Perhaps just stop and restart the service in W2K8 R2.

之后,您可以尝试构建证书并将其安装在 AD 服务帐户上,就像使用 ADAM 一样.

Afer that, you can just try to build a certificate and install it on the AD service account, like you can find it done with ADAM.

相关文章