I have written a script to reset a user's Windows password through PHP. I've used LDAP to access and modify other information in Active Directory, but am unable to change the user's password (unicodePwd) field.
The script connects and binds successfully, but throws the following error when it tries to ldap_modify the password attribute:
Modify: Server is unwilling to perform.
It has no problem modifying other Active Directory fields.
I am running PHP 4.3 on a Windows 2000 machine running IIS 5.0, which connects to a domain controller that has an SSL certificate issued by our domain's certificate authority server.
The SSL certificate meets all of MS's requirements outlined in:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321051
and all of the SSL certificate requirements described in this pdf:
http://www.w2k.vt.edu/docs/MSVT_Certificates.pdf
I've seen other people connecting to LDAP with ldaps://domain.com. This, however, will always fail to bind for me. Connecting as ldap://domain.com (no 's') succeeds.
However, the ldp.exe tool MS mentions appears to connect and communicate on the LDAPS port 636 flawlessly. The Windows system event logs indicate that SChannel handshaking is completed successfully.
I am unsure if it is a problem in the SSL certificate, in PHP's configuration, or something else.
I have searched extensively but have not found any definitive answer or guide to this problem on the internet.
Any takers?
John Van Atta
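An added example, not the original poster's script, showing the shape a unicodePwd reset usually takes in PHP over an ldaps:// connection: Active Directory only accepts a write to unicodePwd on an encrypted session and expects the value as the new password wrapped in double quotes and encoded as UTF-16LE. The host name, service-account DN and the environment variable holding the bind password are placeholders, and the code assumes PHP 7 or later with the ldap and iconv extensions.

```php
<?php
// Added example; host, bind DN and environment variable are placeholders.

function encodeUnicodePwd(string $password): string
{
    // AD requires the literal value "<password>" (quotes included), UTF-16LE.
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}

function resetUserPassword(string $userDn, string $newPassword): bool
{
    // ldaps:// defaults to port 636; the modify below is refused on plain ldap://.
    $ds = ldap_connect('ldaps://dc01.example.internal'); // placeholder host
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Bind as an account that has been delegated "Reset password" on the target
    // OU; a single replace of unicodePwd is an administrative reset, not a
    // user self-service change. Placeholder DN and env var.
    $bindDn = 'CN=pwreset-svc,OU=Service Accounts,DC=example,DC=internal';
    if (!ldap_bind($ds, $bindDn, (string) getenv('PWRESET_BIND_PW'))) {
        fwrite(STDERR, 'bind failed: ' . ldap_error($ds) . PHP_EOL);
        return false;
    }

    $entry = ['unicodePwd' => encodeUnicodePwd($newPassword)];
    // An unencrypted session or a wrongly encoded value is rejected with
    // "Server is unwilling to perform" (LDAP result code 53).
    $ok = ldap_mod_replace($ds, $userDn, $entry);
    if (!$ok) {
        fwrite(STDERR, sprintf("modify failed: %s (errno %d)\n",
            ldap_error($ds), ldap_errno($ds)));
    }
    ldap_unbind($ds);
    return $ok;
}
```

The PHP LDAP client must trust the CA that issued the domain controller's certificate and the host name in the URL must match the certificate, otherwise the LDAPS bind fails before any modify is attempted.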