Problem: You're getting called just to reset their F###!## password on a system that authenticates against Active Directory.
Solution:
Self service password reset/management webpage
Setup:
PHP + Apache connecting to AD via SSL (LDAPS). I used XAMPP, Windows 2008 R2 with AD and CA, to accomplish this.
Code:
[02/23/2016] - To follow... working but still in progress. References will be added continuously.
For now, I will summarize the steps needed, assuming the code is already available.
- Windows 2008 with AD and CA.
- Web server with PHP. Apache, IIS or another server will do, as long as PHP runs on it with the LDAP extension and SSL support enabled.
- A certificate issued by the CA and converted to a format OpenSSL accepts.
I did not count the days it took to accomplish this task, but I kept the browser tabs with the articles open and put it all together. :)
[02/25/2015] - The code
index.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Password Reset</title>
</head>
<body>
<img src="logo.jpg" width="166" height="109" alt=""/><br />
PASSWORD RESET FORM<br /><br />
<div class="form1" id="form1">
<form action="reset.php" method="post">
User:<br />
<input type="text" name="user"> <br />
New password:<br />
<input type="password" name="password"> <br /><br />
<input type="submit" name="submit" id="submit" value="Submit" />
<input type="reset" />
</form>
</div>
</body>
</html>
reset.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Password Reset!</title>
</head>
<body>
<?php
// LDAPS uses port 636; AD only accepts unicodePwd changes over an SSL/TLS connection.
$ldaphost = "ldaps://poc.domain.net";
$ldapport = 636;
$ldaprdn = 'domain\administrator';
$ldappass = 'Admin123';
$ldapconn = ldap_connect($ldaphost, $ldapport) or die("Could not connect to $ldaphost");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$userDn = '';
// only act on a submitted form; an empty password would turn the bind below into an anonymous one
if ($ldapconn && isset($_POST['user'], $_POST['password']) && $_POST['password'] !== '') {
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if (!$ldapbind) {
        die("Could not bind to $ldaphost");
    }
    // AD expects unicodePwd as the new password wrapped in double quotes and encoded as UTF-16LE
    $pwdtxt = $_POST['password'];
    $newPassword = '"' . $pwdtxt . '"';
    $newPass = iconv('UTF-8', 'UTF-16LE', $newPassword);
    $userdata["unicodepwd"] = $newPass;
    // change password; escape the user name so it cannot alter the DN structure
    $userDn = "CN=" . ldap_escape($_POST['user'], '', LDAP_ESCAPE_DN) . ",CN=Users,DC=domain,DC=net";
    $result = ldap_mod_replace($ldapconn, $userDn, $userdata);
    if ($result) {
        echo "Password modified!";
    } else {
        echo "There was a problem!";
    }
    ldap_unbind($ldapconn);
}
echo "<br /><br />";
echo htmlspecialchars($userDn, ENT_QUOTES, 'UTF-8');
?>
</body>
</html>
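As written, reset.php lets anyone who can reach the page set any user's password through the administrator bind, so a self-service variant has to prove the requester knows the current password first. The block below is an added example, not the post's code: it keeps the post's poc.domain.net and DC=domain,DC=net names, but the sAMAccountName lookup, the extra "current password" form field it expects, and the svc-pwreset service account are assumptions of the example.

```php
<?php
// Added example (not from the post): hardened core of a self-service reset.
// (1) LDAPS on 636, (2) the requester must bind with the current password
// before anything changes, (3) the DN is looked up by sAMAccountName instead
// of assuming CN=<user>,CN=Users, (4) user input is escaped before use.
$ldapUri = 'ldaps://poc.domain.net:636';
$baseDn  = 'DC=domain,DC=net';
$svcUser = 'domain\svc-pwreset';        // placeholder service account (assumption)
$svcPass = getenv('PWRESET_SVC_PASS');  // placeholder: keep the secret out of the source

function adConnect($uri) {
    $conn = ldap_connect($uri);
    if ($conn === false) { return false; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

// Resolve sAMAccountName -> DN; null unless exactly one account matches.
function adFindUserDn($conn, $baseDn, $sam) {
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($conn, $baseDn, $filter, array('dn'));
    if ($res === false || ldap_count_entries($conn, $res) !== 1) { return null; }
    return ldap_get_dn($conn, ldap_first_entry($conn, $res));
}

// AD wants unicodePwd as UTF-16LE of the new password in double quotes.
function adEncodePassword($plain) {
    return iconv('UTF-8', 'UTF-16LE', '"' . $plain . '"');
}

// true on success; false on unknown user, wrong current password or LDAP error.
function selfServiceReset($uri, $baseDn, $svcUser, $svcPass, $sam, $currentPass, $newPass) {
    // an empty password would make ldap_bind an anonymous bind that "succeeds"
    if ($currentPass === '' || $newPass === '') { return false; }
    $conn = adConnect($uri);
    if ($conn === false || !@ldap_bind($conn, $svcUser, $svcPass)) { return false; }
    $userDn = adFindUserDn($conn, $baseDn, $sam);
    if ($userDn === null) { return false; }
    // prove the requester knows the current password before touching the account
    $check = adConnect($uri);
    if ($check === false || !@ldap_bind($check, $userDn, $currentPass)) { return false; }
    ldap_unbind($check);
    $ok = ldap_mod_replace($conn, $userDn, array('unicodePwd' => adEncodePassword($newPass)));
    ldap_unbind($conn);
    return $ok;
}

if (isset($_POST['user'], $_POST['current'], $_POST['password'])) {
    echo selfServiceReset($ldapUri, $baseDn, $svcUser, $svcPass,
        $_POST['user'], $_POST['current'], $_POST['password']) ? 'Password modified!' : 'There was a problem!';
}
```

The user-bind check also means a locked-out or disabled account cannot reset itself, which is usually the behaviour a help desk wants to keep.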
References:
http://greg.cathell.net/php_ldap_ssl.html
http://forums.devshed.com/ldap-programming-76/
https://www.novell.com/coolsolutions/tip/5838.html
http://php.net/manual/en/function.ldap-start-tls.php
https://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/
http://technology.mattrude.com/2010/11/ldap-php-change-password-webpage/
https://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html