我设法connect, query and add to AD。使用 exampleA (向下看)user object添加attributes时,我没有问题,但是当我添加时:
$this->newUserEntry["UserAccountControl"] = 512; //LDAP will disable the account by default, This will create it in an enabled state
我从ldap_add()收到以下警告,但未创建user object:
Server is unwilling to perform
例A:
$this->newUserEntry["objectclass"][0] = "top";
$this->newUserEntry["objectclass"][1] = "person";
$this->newUserEntry["objectclass"][2] = "organizationalPerson";
$this->newUserEntry["objectclass"][3] = "user";
//---------General Tab-----------------------------------------
$this->newUserEntry['givenname'] = $this->givenName; //first name
$this->newUserEntry['sn'] = $this->sn; // last name
$this->newUserEntry["displayname"] = $this->sn.', '.$this->givenName; // display name - Format: Meow, Test
$this->newUserEntry["physicalDeliveryOfficeName"] = $this->location; //office
$this->newUserEntry["mail"] = $this->userMail;
$this->newUserEntry["mailNickname"] = $this->userMail; // user mail
//Change this to mobile field
$this->newUserEntry["telephoneNumber"] = '9897157910'; // user phone
//----------Account Tab----------------------------------------
$this->newUserEntry["userPrincipalName"] = $this->samaccountname.'@comp.com'; //User logon name
$this->newUserEntry["sAMAccountname"] = $this->samaccountname; //pre windows 2007 logon name
//----------profile Tab-----------------------------------------
$this->newUserEntry["scriptPath"] = $this->scriptPath; //Log on script
//----------Organization Tab------------------------------------
$this->newUserEntry["title"] = $this->title;
$this->newUserEntry["department"] = $this->department; // department
$this->newUserEntry["company"] = "Open Doors Test"; // Company name
$this->newUserEntry["manager"] = $this->managerDn; // name of the manager
我尝试了什么:
1-Setting password attribute:
我教过这种情况正在发生,因为我没有设置密码attribute,所以我尝试添加password hashing而没有hashing:
密码示例:As33557b
$this->newUserEntry["userPassword"] = '{MD5}' . base64_encode(pack('H*',md5($this->password))); //md5HASH - hash the password
如果我删除了帐户控制,那么两次尝试都失败了,就像之前一样,用户对象创建没有问题。
2-确保连接已超过SSL:
我改变了通过LDAP连接的方式:
之前:
ldap_connect('ldap://'. $this->dnToConnect)
后:
ldap_connect('ldap://'. $this->dnToConnect, 636)
我还运行nmap -p 636 mydomain.com以确保port is open和我可以建立联系。
3-尝试将512值设为string和integer。
注意:
我可以手动设置accounts, disable and enable,因此问题不应该与我user and password使用的bind一样。
UPDATE1:
我已将问题缩小到密码。我可以使用Enabled account创建no password并设置userAccountControl to 544,因此我认为问题在于我设置密码字段的方式。
Bloob即将流行,任何帮助都会受到欢迎。
评论部分请求的信息: 密码:
最初我设置的密码如下:
//$this->newUserEntry["userPassword"] = '{MD5}' . base64_encode(pack('H*',md5($this->password))); //md5HASH - hash the password
比有人建议尝试设置它:
$newPassword = $this->password;
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$this->newUserEntry["unicodePwd"] = $newPass;
答案 0 :(得分:1)
希望这对某些人有帮助,我无法在active state创建帐户的原因是由于无法设置属性unicodePwd而这是因为无法通过LDAPS连接。
由于缺少所需的证书和一些配置,我无法通过LDAPS进行连接。
分辨率:
1-
一个。在C:目录中创建以下文件夹(与您phps top folder相同的级别)
openldap -> sysconf
湾在 sysconf 文件夹中:
B1。创建一个ldap.conf文件并添加以下行:
TLS_CACERT C:\openldap\sysconf\ssl\cacert.pem
TLS_REQCERT never
B2。在名为sysconf的{{1}}中创建一个文件夹:
ssl 2-转到托管 you will put a `certificate` in there (look at part 2 for details)
的主持人,让管理员执行以下链接中的说明,Active directory,同时记得使用put the cert in ssl folder转换证书:
openSSL3-您可以使用以下脚本进行测试:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
4-如何设置<?php
$ldaphost = "ldaps://hostNameOfDC.DCName.com";
$ldapUsername = "adminUser@DCName.com";
$ldapPassword = "adminPASS";
$ds = ldap_connect($ldaphost,636);
if(!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)){
print "Could not set LDAPv3\r\n";
}
else {
// now we need to bind to the ldap server
$bth = ldap_bind($ds, $ldapUsername, $ldapPassword) or die("\r\nCould not connect to LDAP server\r\n");
}
if($bth){ echo"WEEEE you did it"; }
?>
(密码credit to):
unicodePwd