Active Directory and PHP problem

i_s_r_a_e_l

Hello,
I've got problem with adding user in Active Directory domain on Windows 2k3 server.
I've found in php.net some examples and on other sites but I cant still add new user - I've got LDAP_OPERATIONS_ERROR.
Everything is ok if i try to search or remove user.


  //connecting
  $ad = ldap_connect("ldap://192.168.1.1")
        or die("Couldn't connect to AD!");

  if (ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3)) {
         echo "Using LDAPv3<br>";
      } else {
              echo "Failed to set protocol version to 3<br>";
      }
      if (ldap_set_option($ad, LDAP_OPT_REFERRALS,0)) {
         echo "Set REFERRALS 0<br>";
      } else {
              echo "Failed to set REFERRALS 0<br>";
      }

  //binding
  if($bd = ldap_bind($ad,"Administrator@projekt.isri","hasloadministratora")
        or die("Couldn't bind to AD!")){
              echo "Bind domain<br>";
        } else {
              echo "Bind domain failed<br>";
        }

/*
below is the part of code that I use to add user.

Here is the result
Warning: ldap_add() [function.ldap-add]: Add: Operations error in
.../ldaptest.php on line ...
There is a problem to create the account
Please contact your administrator !
LDAP-Errno: 1
LDAP-Error: Operations error

and the code:
*/

  $adduserAD["cn"][0] = "test";
      $adduserAD["instancetype"][0] = "4";
      $adduserAD["samaccountname"][0] = "test";
      $adduserAD["objectclass"][0] = "top";
      $adduserAD["objectclass"][1] = "person";
      $adduserAD["objectclass"][2] = "organizationalPerson";
      $adduserAD["objectclass"][3] = "user";
      $adduserAD["displayname"][0] = "test";
      $adduserAD["name"][0] = "Test";
      $adduserAD["givenname"][0] = "Test";
      $adduserAD["sn"][0] = "Test";
      $adduserAD["company"][0] = "Test";
      $adduserAD["department"][0] = "Test";
      $adduserAD["title"][0] = "Test";
      $adduserAD["description"][0] = "bka";
      $adduserAD["mail"][0] = "bla@test.com";
      $adduserAD["initials"][0] = "T";
      $adduserAD["userprincipalname"][0] = "test";

  if (!(ldap_add($ad,"CN=test,OU=Users,DC=domain",$adduserAD))){
      echo "There is a problem to create the account<br>";
      echo "Please contact your administrator !<br>";
      echo "LDAP-Errno: " . ldap_errno($ad) . "<br />";
      echo "LDAP-Error: " . ldap_error($ad) . "<br />";
      exit;
  }

/*
here is the part of the code that I use to remove user and its works
  $dn = "CN=test,CN=Users,DC=domain";
  $result = ldap_delete($ad, $dn);
  if ($result) {echo "User deleted!";}
      else {echo "There was a problem!";}
*/

Thanks

bradgrafelman

Ok, so I'm a noob and only use the handy Active Directory GUI's (not ADSI edit or anything like that), so I've pretty much forgotten all of the CN/OU/etc. paths, so forgive me if I sound uneducated in this matter, because.. I am! 🙁

Anyway, when deleting a user, you reference "Users" using its Canonical Name (at least I think that's what CN is), whereas when adding a User, you reference it as an Organizational Unit. Is this the way it's supposed to be done? As I said, I don't remember AD paths and whatnot, so I'm just blindly guessing here...

i_s_r_a_e_l

I think thats DN is ok - it works when i use it in command line on the server.

txuk

Is this thread still active?

Found this while googleing for 'adding user to active directory with php', and registered to try and help you out as im interested in the same goal.

Think i may be able to get you over this hurdle.

I went through hell trying to write a simple PHP script that changed the password of one of our accounts, that our admins could use through our intranet.

It turns out that although a standard ldap connection is fine for changing/viewing most fields. a SSL Ldap connection MUST be used for anything todo with changeing a password field in active directory. (this allows Active directory to ensure password security)

So your problem could be the fact that your 'add user' script, at some point, needs a password sent to AD, and this is where its falling over.

Anyway, All the resources i found for getting an SSL Ldap session to a win server box (and making it work!) were outdated, or gave you page not found errors on the last bit you needed! So if your interested i could try and dig out my notes on what i did?

From what i remember. You need to setup a certificate server on your win2k3 box, and then copy the CA certificate from that server to the webserver you are running the php on. Then tell your ldap configuration on the webserver to use a specific cert (The one you just copied)

After that it should be as simple as changing ldap://serverip
to ldaps://serverip

or (if that dosnt work) ldaps://serverip:636 (as Ldap over SSL uses port 636)

I would get you the notes now, but our routers are down at work, so its the one night i can't connect in!!

Anyway, hope this helps, sorry its such a long post, and i wouldnt mind seeing your code if you gettit working? (if thats ok?)

Regards,
TX