doushen4719 2018-02-14 02:19
Views: 208
Accepted

Server is unwilling to perform - cannot create user object in an active state

I have managed to connect, query and add to AD. When adding a user object with the ExampleA (see below) attributes set I have no problem, however when I add:

$this->newUserEntry["UserAccountControl"] = 512; //LDAP will disable the account by default, This will create it in an enabled state

I get the following warning from ldap_add() and user object is not created:

Server is unwilling to perform

ExampleA:

        $this->newUserEntry["objectclass"][0] = "top";
        $this->newUserEntry["objectclass"][1] = "person";
        $this->newUserEntry["objectclass"][2] = "organizationalPerson";
        $this->newUserEntry["objectclass"][3] = "user";

        //---------General Tab-----------------------------------------
        $this->newUserEntry['givenname'] = $this->givenName; //first name
        $this->newUserEntry['sn'] = $this->sn; // last name
        $this->newUserEntry["displayname"] = $this->sn.', '.$this->givenName; // display name - Format: Meow, Test
        $this->newUserEntry["physicalDeliveryOfficeName"] = $this->location; //office
        $this->newUserEntry["mail"] = $this->userMail;
        $this->newUserEntry["mailNickname"] = $this->userMail; // user mail

        //Change this to mobile field
        $this->newUserEntry["telephoneNumber"] = '9897157910'; // user phone

        //----------Account Tab----------------------------------------
        $this->newUserEntry["userPrincipalName"] = $this->samaccountname.'@comp.com'; //User logon name
        $this->newUserEntry["sAMAccountname"] = $this->samaccountname; //pre windows 2007 logon name


        //----------profile Tab-----------------------------------------
        $this->newUserEntry["scriptPath"] = $this->scriptPath; //Log on script

        //----------Organization Tab------------------------------------
        $this->newUserEntry["title"] = $this->title;
        $this->newUserEntry["department"] = $this->department; // department
        $this->newUserEntry["company"] = "Open Doors Test"; // Company name
        $this->newUserEntry["manager"] = $this->managerDn; // name of the manager

What I have tried:

1-Setting password attribute:

I thought that this was happening because I did not have the password attribute set, so I tried adding a password with hashing and without hashing:

password example: As33557b

$this->newUserEntry["userPassword"] = '{MD5}' . base64_encode(pack('H*',md5($this->password))); //md5HASH - hash the password

Again, both attempts failed, and like before, if I removed the account control attribute the user object was created with no issues.

2- Make sure the connection is over SSL:

I changed the way I was connecting via LDAP:

Before:

ldap_connect('ldap://'. $this->dnToConnect)

After:

ldap_connect('ldap://'. $this->dnToConnect, 636)

I also ran nmap -p 636 mydomain.com to make sure the port is open and I can make a connection.

3- Try setting 512 value as a string and as an integer.

Notes: I can make accounts, disable and enable them manually, so the problem should not be with the user and password that I am using to bind.

Update1:

I have narrowed down the problem to the password. I can create an enabled account with no password by setting userAccountControl to 544, so I think the issue is with the way I am setting the password field. Bloob is about to pop, any help would be appreciated.

Comment Section Requested Info: Password:

originally I was setting the password like:

//$this->newUserEntry["userPassword"] = '{MD5}' . base64_encode(pack('H*',md5($this->password))); //md5HASH - hash the password

Then someone suggested trying to set it like:

$newPassword = $this->password;
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$this->newUserEntry["unicodePwd"] = $newPass;

1 answer

  • douxiawei9318 2018-02-16 03:22

    Hopefully this will help someone. The reason I couldn't create an account in an active state was due to not being able to set the attribute unicodePwd, and this was due to not being able to connect over LDAPS.

    I couldn't connect over LDAPS due to lack of the needed certificate and some configurations.

    Resolution:

    1-

    a. Create the following folders in your C: directory (at the same level as your PHP top folder)

    openldap -> sysconf
    

    b. In sysconf folder:

    b1. create a ldap.conf file and add the following lines:

       TLS_CACERT C:\openldap\sysconf\ssl\cacert.pem
       TLS_REQCERT     never 
    

    b2. create a folder in sysconf named ssl:

       you will put a `certificate` in there (look at part 2 for details)
    

    2- Go to the host that hosts your Active Directory, ask your Admin to perform the instructions in the link below, and put the cert in the ssl folder; also remember to convert the cert using OpenSSL:

    https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx 
    

    3- You can use the script below to test:

    <?php
      $ldaphost = "ldaps://hostNameOfDC.DCName.com";
      $ldapUsername  = "adminUser@DCName.com";
      $ldapPassword = "adminPASS";

      $bth = false; // bind result, stays false if the protocol version cannot be set
      $ds = ldap_connect($ldaphost, 636);
      if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
          print "Could not set LDAPv3\n";
      } else {
          // now we need to bind to the ldap server
          $bth = ldap_bind($ds, $ldapUsername, $ldapPassword) or die("Could not connect to LDAP server\n");
      }

      if ($bth) { echo "WEEEE you did it"; }
    ?>
    

    4- How to set unicodePwd (password credit to):

            $newPassword = "\"" . $newPassword . "\"";
            $newPass = mb_convert_encoding($newPassword, "UTF-16LE");
            $this->newUserEntry["unicodePwd"] = $newPass;
    
    This answer was selected as the best answer by the asker.
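The accepted answer's pieces put together in one script, as an added example that is not code from the question or the answer: it connects over LDAPS with certificate verification turned on (instead of `TLS_REQCERT never`, which accepts any certificate), encodes the password for `unicodePwd`, creates the account enabled in a single `ldap_add`, and reads the server's diagnostic message so a "Server is unwilling to perform" failure shows its actual cause. Host, account names, DN, CA file path and passwords are placeholders; it assumes PHP 7.1+ with ext-ldap on a libldap build that honours the `LDAP_OPT_X_TLS_*` options set on the connection handle.

```php
<?php
// Added example (not the question's or answer's code). All names, DNs, paths and
// passwords below are placeholders. Assumes PHP >= 7.1 with ext-ldap.

// Active Directory expects unicodePwd as the cleartext password wrapped in
// double quotes and encoded as UTF-16LE; it is only accepted over an encrypted
// connection (LDAPS here), which is why the plain ldap:// attempts failed.
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

function createEnabledAdUser(string $host, string $bindDn, string $bindPw,
                             string $userDn, array $entry, string $password): bool
{
    $ds = ldap_connect("ldaps://$host");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Verify the DC's certificate against the CA file instead of TLS_REQCERT never;
    // with "never" the password is sent to whoever answers on port 636.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cacert.pem'); // placeholder
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        fwrite(STDERR, "bind failed: " . ldap_error($ds) . "\n");
        return false;
    }

    // 512 = NORMAL_ACCOUNT (enabled). Setting password and flag in the same add
    // avoids an intermediate enabled-but-passwordless account.
    $entry['unicodePwd'] = encodeUnicodePwd($password);
    $entry['userAccountControl'] = '512';

    if (!@ldap_add($ds, $userDn, $entry)) {
        // The diagnostic message carries the AD-specific reason behind
        // "Server is unwilling to perform", e.g. a password-policy rejection.
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        fwrite(STDERR, "add failed: " . ldap_error($ds) . " / $diag\n");
        return false;
    }
    return true;
}

$entry = [ // constructed sample entry
    'objectClass'       => ['top', 'person', 'organizationalPerson', 'user'],
    'sAMAccountName'    => 'jdoe',
    'userPrincipalName' => 'jdoe@corp.example',
];
createEnabledAdUser('dc01.corp.example', 'admin@corp.example', 'ADMIN-PASSWORD',
                    'CN=jdoe,OU=Users,DC=corp,DC=example', $entry, 'ChangeMe-2018!');
```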
