Cannot Create Enabled AD User Accounts With PHP LDAP Calls

jimity

Hi There,

My apologies if this has been covered before. Consider me a n00b 🙂

I'm currently trying to learn the PHP LDAP calls in a test environment consisting of.:

Windows Server 2003
Active Directory
IIS
PHP (using ISAPI)

I'm currently learning the calls with sample code found on the net. Everything appears to be working fine. The AD User Account is created and shown in AD. The only problem is it is listed as disabled. I've tried to set the "userAccountControl" identifier/variable with the code "512" and even "66048", however when I try and execute the code with this identifier/variable specified, my error feedback in the script reports an error "53:Server is unwilling to perform".

None of the searches I've done on the net seem to explain exactly why this is occurring or how to solve it. I have seen info though that would suggest I need SSL enabled (through IIS?) in order to set this identifier/variable.

Is anyone able to give me an idea on why this error is happenning, why all my AD User Accounts are created in a disabled state, and how I can go about fixing my test environment so my AD User Accounts are created enabled ?

A big thanks in advance to anyone who can explain this one to me. . . 🙂

quaffapint

Are you setting the password and having the account created, prior to setting the UAC? And th SSL, I believe, is referring to LDAP SSL, which requires something like OpenSSL on the server and SSL enabled on the AD DC you are pointing to.

jimity

Hi,

The "basic" code I'm using is as follows.:

// Username used to connect to the server
$username = "administrator";

// Password of the user.
$password = "p@ssw0rd";

// Domain used to connect to.
$domain = "testdomain.com";

// Proper username to connect with.
$domain_username = "$username" . "@" . $domain;

// User directory. Such as all users are placed in
// the Users directory by default.
$user_dir = "CN=Users,DC=testdomain,DC=com";

// Either an IP or a domain.
$ldap_server = "192.168.1.100";

// Get a connection
$ldap_conn = ldap_connect($ldap_server);

// Set LDAP_OPT_PROTOCOL_VERSION to 3
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die ("Could not set LDAP Protocol version");

// Authenticate the user and link the resource_id with
// the authentication.
if($ldapbind = ldap_bind($ldap_conn, $domain_username, $password) == true)
{
// Setup the data that will be used to create the user
// This is in the form of a multi-dimensional
// array that will be passed to AD to insert.
$adduserAD["cn"] = "testuser";
$adduserAD["sn"] = "User";
$adduserAD["samaccountname"] = "testuser";
$adduserAD["objectClass"] = "user";
$adduserAD["displayname"] = "Test User";
$adduserAD["userPassword"] = "p@ssw0rd";
$adduserAD["userAccountControl"] = "512";

$base_dn = "cn=testuser,cn=Users,DC=testdomain,DC=com";

// Display some "waiting" text.
echo "Trying to add the user to the system ...<br>";

// Attempt to add the user with ldap_add()
if(ldap_add($ldap_conn, $base_dn, $adduserAD) == true)
{

  // The user is added and should be ready to be logged
  // in to the domain.
  echo "User added!<br>";

}else{

  // This error message will be displayed if the user
  // was not able to be added to the AD structure.
  echo "Sorry, the user was not added.<br>Error Number: ";
  echo ldap_errno($ldap_conn) . "<br />Error Description: ";
  echo ldap_error($ldap_conn) . "<br />";

}
}else{
echo "Could not bind to the server. Check the username/password.<br />";
echo "Server Response:"

// Error number.
. "<br />Error Number: " . ldap_errno($ldap_conn)

// Error description.
. "<br />Description: " . ldap_error($ldap_conn);
}

// Always make sure you close the server after
// your script is finished.
ldap_close($ldap_conn);

It doesn't seem to matter where I place the UAC code line, be it before or after account creation, or even if I try and make another script to modify the entry. I always get the same error.

scrupul0us

read the examples on the man page, someone said they had to use "544" to enable the account... give that whirl

or query the AD and see what an active users setting/number is

jimity

The plot thickens . . . 🙂

Specifying the 'userAccountControl' to 544 does indeed create the account in an enabled state, although it doesn't apply the password specified by 'userPassword' and keeps the option "User must change password at next logon" selected.

Having said this, setting the 'userAccountControl' to 66080 still doesn't apply the password specified by 'userPassword' but at the same time doesnt set the option "User must change password at next logon". Instead it sets the option "password never expires" as selected - something I also dont really want to have from a security point of view.

Meanwhile, querying the 'userAccountControl' within AD on an account created through the "Windows AD Wizard" method of doing things provides the value of 512 - the exact same value I've been reading as what should be required. Using the "Windows AD Wizard" way of doing thngs also keeps the set password and doesn't set either of these options mentioned above - just how I want it.

Meanwhile using VBScript works perfectly (but i dont want to have to do it that way). Any other things I can try to get this working ? Its becoming more and more a case of "because I should be able to" 🙂

jimity

OK. . . From scouring bits and pieces of the net, here's what I've found. I understand a fair bit of the theory here but am trying to simplify it a bit for anyone who has the same issue and comes accross this post. 🙂

Using the code listed in my previous post will allow you alter general properties of a user account and even create an account - albeit in a disabled state (assuming you dont use the 'userAccountControl' identifier whatsoever.

If you want to specify the account to have say a default password, using the 'userPassword' identifier and/or even create the account in an enabled state with that password set and the 'userAccountControl' identifier set to "512", then you have to step up to another tier so to speak. LDAP (atleast the Microsoft Active Directory implementation of it) treats these identifiers and access to manipulate them as requiring secure elevated access (obviously because this level of account creation / password specification could give some security issues if left available through the previously posted script). For this purpose, the LDAP protocol includes a secured tier known as "LDAPS" and connections are made to it on port "636" (the default port used when you connect normally is "389").

In order to connect with the LDAPS protocol on port "636" via PHP and ones web browser, a secure connecton through the browser and to the (web?) server needs to be made. In order to do this you need to use Certificates / a Certificate Authority and SSL (Secure Sockets Layer) to secure the connection between the client browser and the server, which in turn will then report/set the 'userAccountControl' identifier in Active Directory via an encrypted communication.

So the end solution here appears to be that SSL needs to be configured on my server in order to report back to the LDAPS protocol in an encrypted fashion. The only problem here is that I have no idea on how to set this up be it with the Certificate Authority included with Windows Server 2003 or the open source alternative OpenSSL (it has a windows variant). A lot of the examples out there, which seem to be sporadic at best, appear to use OpenSSL as the SSL solution. Those examples, however, also appear to include the use of the OpenLDAP solution and a unix/linux box - something which I dont think I need because.:

I'm using MS Active Directory on a Windows Server 2003 box with IIS (not
Apache), and
I want to achieve this using pure Windows - no unix/linux boxes.

At this stage I've come to the point where I'm 90% sure, correct me if i'm wrong, I know what the problem is in me not being able to achieve what was spoken about in my original posting. Unfortunately though I have no idea on how to achieve/implement a solution that will allow me to achieve what was spoken about in my original posting (i.e being able to set a newly created user account to "Enabled" as a result of the 'userAccountControl' identifier being set to "512"). I dont really want to mark this posting as "RESOLVED" as in truth I havent come to a solution that has worked ( therefore its not truly resolved 🙂 ) but also dont know what else I can really do as I'm out of idea's.

If anyone comes across this post and feels like a challenge, then I'm more than happy to pass on the batten while offering to test out any potential solutions that may be offered. Other than that, I've hot a brick wall of sorts. . .

GeoCoder

The userAccountControl attribute has to be numerical data type (do not use the quotes).
So change the following line:
$adduserAD["userAccountControl"] = "512";
to:
$adduserAD["userAccountControl"] = 512;

I personally use 544, but 512 should also work :-)