首先,这可能不是一个编程问题,更多的是我如何配置LDAPS问题,但这里...
Background Info:
我有两台Windows 2008 R2服务器 . 一个是带有Active Directory(AD)的域控制器(DC),我想通过LDAP与之通信 . 这个名为TestBox.TestDomain.local . 另一台服务器正在运行IIS,PHP(带有ldap和openssl)和mySQL .
What is/isn't working:
我可以成功连接到DC不安全的端口389,并将数据读/写到AD . 我不能做的是更改或设置用户密码,因为这需要通过端口636使用LDAPS(LDAP w / SSL)进行安全连接 .
What I need help with:
我尝试使用以下信息安装Active Directory证书服务(AD CS)并将DC配置为证书颁发机构(CA):http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx但无论我尝试什么,我都无法通过LDAPS Build 连接 .
Sample Code:
创建LDAP连接
function ldapConnect(){
$ip = "100.200.300.400"; // WAN IP goes here;
$ldap_url = "ldap://$ip";
$ldaps_url = "ldaps://$ip";
$ldap_domain = 'testdomain.local';
$ldap_dn = "dc=testdomain,dc=local";
// Unsecure - WORKS
$ldap_conn = ldap_connect( $ldap_url ) or die("Could not connect to LDAP server ($ldap_url)");
//alternate connection method
//$ldap_conn=ldap_connect( $ip, 389 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 389)");
// Secure - DOESN'T WORK
//$ldap_conn = ldap_connect( $ldaps_url ) or die("Could not connect to LDAP server ($ldaps_url)");
//alternate connection method
//$ldap_conn=ldap_connect( $ip, 636 ) or die("Could not connect to LDAP server (IP: $ip, PORT: 636)");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$username = "AdminUser";
$password = "AdminPass";
// bind using admin username and password
// could also use dn... ie. CN=Administrator,CN=Users,DC=TestDomain,DC=local
$result = ldap_bind($ldap_conn, "$username@$ldap_domain", $password ) or die("<br>Error: Couldn't bind to server using supplied credentials!");
if($result){
return $ldap_conn;
}else{
die("<br>Error: Couldn't bind to server using supplied credentials!");
}
}
将新用户添加到Active Directory
function ldapAddUser($ldap_conn, $ou_dn, $firstName, $lastName, $username, $pwdtxt, $email){
$dn = "CN=$firstName $lastName,".$ou_dn;
## Create Unicode password
$newPassword = "\"" . $pwdtxt . "\"";
$len = strlen($newPassword);
$newPassw = "";
for($i=0;$i<$len;$i++) {
$newPassw .= "{$newPassword{$i}}\000";
}
$ldaprecord['cn'] = $firstName." ".$lastName;
$ldaprecord['displayName'] = $firstName." ".$lastName;
$ldaprecord['name'] = $firstName." ".$lastName;
$ldaprecord['givenName'] = $firstName;
$ldaprecord['sn'] = $lastName;
$ldaprecord['mail'] = $email;
$ldaprecord['objectclass'] = array("top","person","organizationalPerson","user");
$ldaprecord["sAMAccountName"] = $username;
//$ldaprecord["unicodepwd"] = $newPassw;
$ldaprecord["UserAccountControl"] = "544";
$r = ldap_add($ldap_conn, $dn, $ldaprecord);
// set password .. not sure if I need to base64 encode or not
$encodedPass = array('userpassword' => base64_encode($newPassw));
//$encodedPass = array('unicodepwd' => $newPassw);
echo "Change password ";
if(ldap_mod_replace ($ldap_conn, $dn, $encodedPass)){
echo "succeded";
}else{
echo "failed";
}
}
3 回答
您是否使用正确的OID为安全Ldap创建了证书请求?
这是我的inf文件:
你应该使用2003年在CA上制作一个模板(并非所有MICROSOFT产品都可以使用2008模板 - 我知道愚蠢的HUH)从域控制器复制它,然后在OIDS上使用KITCHEN SINK
只有两条建议:
在AD CS设置期间,在 Specify Setup Type 页面中,单击 Enterprise ,然后单击“下一步” .
AD服务应该自己获取自己的证书,但是如果它在Windows Server 2003中工作,则必须重新启动服务器才能使其正常工作 . 也许只需停止并重启W2K8 R2中的服务即可 .
更确切地说,您可以尝试构建证书并将其安装在AD服务帐户上,就像您可以使用ADAM完成它一样 .
只需将您的连接视为信任 . 然后它将不再需要证书 . 看看
javax.net.sslTrustManager
.