首先,这可能不是一个编程问题,而更像是一个如何配置 LDAPS 问题,但这里是……
First of all, this may be less of a programming question and more of a how do I configure LDAPS question, but here goes...
背景信息:
我有两台 Windows 2008 R2 服务器.一个是带有 Active Directory (AD) 的域控制器 (DC),我想通过 LDAP 与之通信.这个名为 TestBox.TestDomain.local.另一台服务器正在运行 IIS、PHP(带有 ldap 和 openssl)和 mySQL.
I have two Windows 2008 R2 servers. One is a domain controller (DC) with Active Directory (AD) that I want to communicate with via LDAP. This one is named TestBox.TestDomain.local. The other server is running IIS, PHP (with ldap and openssl), and mySQL.
什么是/不工作:
我可以通过端口 389 成功连接到不安全的 DC 并将数据读/写到 AD.我不能做的是更改或设置用户密码,因为这需要通过端口 636 使用 LDAPS(带 SSL 的 LDAP)进行安全连接.
I can successfully connect to the DC unsecured over port 389 and read/write data to AD. What I can't do is change or set user passwords since this requires a secure connection using LDAPS (LDAP w/ SSL) over port 636.
我需要什么帮助:
我已尝试使用以下信息安装 Active Directory 证书服务 (AD CS) 并将 DC 配置为证书颁发机构 (CA):http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx 但没关系我尝试了什么我无法通过 LDAPS 建立连接.
I have tried installing Active Directory Certificate Services (AD CS) and configuring the DC to act as a Certificate Authority (CA) using information found here: http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx but no matter what I try I can't get a connection over LDAPS to work.
示例代码:
创建 LDAP 连接
function ldapConnect(){
$ip = "100.200.300.400"; // WAN IP goes here;
$ldap_url = "ldap://$ip";
$ldaps_url = "ldaps://$ip";
$ldap_domain = 'testdomain.local';
$ldap_dn = "dc=testdomain,dc=local";
// Unsecure - WORKS
$ldap_conn = ldap_connect( $ldap_url ) or die("Could not connect to LDAP server ($ldap_url)");
//alternate connection method
//$ldap_conn=ldap_connect( $ip, 389 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 389)");
// Secure - DOESN'T WORK
//$ldap_conn = ldap_connect( $ldaps_url ) or die("Could not connect to LDAP server ($ldaps_url)");
//alternate connection method
//$ldap_conn=ldap_connect( $ip, 636 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 636)");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$username = "AdminUser";
$password = "AdminPass";
// bind using admin username and password
// could also use dn... ie. CN=Administrator,CN=Users,DC=TestDomain,DC=local
$result = ldap_bind($ldap_conn, "$username@$ldap_domain", $password ) or die("<br>Error: Couldn't bind to server using supplied credentials!");
if($result){
return $ldap_conn;
}else{
die("<br>Error: Couldn't bind to server using supplied credentials!");
}
}
向 Active Directory 添加新用户
Adding a New User to Active Directory
function ldapAddUser($ldap_conn, $ou_dn, $firstName, $lastName, $username, $pwdtxt, $email){
$dn = "CN=$firstName $lastName,".$ou_dn;
## Create Unicode password
$newPassword = """ . $pwdtxt . """;
$len = strlen($newPassword);
$newPassw = "";
for($i=0;$i<$len;$i++) {
$newPassw .= "{$newPassword{$i}}�00";
}
$ldaprecord['cn'] = $firstName." ".$lastName;
$ldaprecord['displayName'] = $firstName." ".$lastName;
$ldaprecord['name'] = $firstName." ".$lastName;
$ldaprecord['givenName'] = $firstName;
$ldaprecord['sn'] = $lastName;
$ldaprecord['mail'] = $email;
$ldaprecord['objectclass'] = array("top","person","organizationalPerson","user");
$ldaprecord["sAMAccountName"] = $username;
//$ldaprecord["unicodepwd"] = $newPassw;
$ldaprecord["UserAccountControl"] = "544";
$r = ldap_add($ldap_conn, $dn, $ldaprecord);
// set password .. not sure if I need to base64 encode or not
$encodedPass = array('userpassword' => base64_encode($newPassw));
//$encodedPass = array('unicodepwd' => $newPassw);
echo "Change password ";
if(ldap_mod_replace ($ldap_conn, $dn, $encodedPass)){
echo "succeded";
}else{
echo "failed";
}
}
只有两条建议:
之后,您可以尝试构建证书并将其安装在 AD 服务帐户上,就像使用 ADAM 一样.
Afer that, you can just try to build a certificate and install it on the AD service account, like you can find it done with ADAM.
这篇关于使用 LDAP/PHP/IIS/SSL 在 Active Directory 中更改密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!