Our policy for people who are terminated/separated or who go on leave of absence involves a handful of changes to their AD account for record keeping purposes and security. One of these changes is renaming the account (login name, display name and dn) to a value that includes the original name with the help desk ticket number appended.

I have been able to use ldap_rename() to change the active directory "name" attribute, thus changing the DN. I can change the displayName attribute using either ldap_modify() or ldap_mod_replace(). What I cannot seem to do is change the samAccountName using any of these. Below is the core of the code I'm using. The errors I get are dependent upon which function I use, and are listed below.

I know there are some nuances to using PHP LDAP with Active Directory, but I find it hard to believe that I have been able to do everything up to and including changing passwords and I can't change the samAccountName... help?

<?php
 $connection=ldap_connect("domain.local",389);   // host must be a quoted string, not a bare constant
 ldap_set_option($connection,LDAP_OPT_PROTOCOL_VERSION,3);
 ldap_set_option($connection,LDAP_OPT_REFERRALS,0);
 ldap_start_tls($connection);
 ldap_bind($connection,$username,$password);    // $username and $password are set elsewhere

 $accountName=$_POST["accountName"];
 $ticketNumber=$_POST["ticketNumber"];
 $baseDn="dc=domain,dc=local";
 $attribs=array("samaccountname","dn","name","displayname","description","info","memberof");

 $search=ldap_search($connection,$baseDn,"(samaccountname=".$accountName.")",$attribs);
 $result=ldap_get_entries($connection,$search);

// ldap_modify returns error 80: Internal (implementation specific) error.
 foreach ($result as $account) {
  if (!is_array($account)) continue;   // skip the "count" element ldap_get_entries() adds
  $newValues=array("samaccountname"=>$account["samaccountname"][0]."-".$ticketNumber);
  ldap_modify($connection,$account["dn"],$newValues);
 }

// ldap_mod_replace returns error 80: Internal (implementation specific) error.
 foreach ($result as $account) {
  if (!is_array($account)) continue;   // skip the "count" element
  $newValues=array("samaccountname"=>$account["samaccountname"][0]."-".$ticketNumber);
  ldap_mod_replace($connection,$account["dn"],$newValues);
 }
?>

So yeah, what is it I'm supposed to be doing to make this happen?

What is the length of your request ticket number? Is your samaccountname valid? - StuR
Your code is vulnerable to LDAP injection attacks. - jmkeyes
@user2004615 Can you do it manually using LDAP S/W? - SparKot
@SparKot sorry I'm just getting back to this. Yes, I can do it with Apache Directory Studio. - James Brandon

1 Answer
The "implementation specific" error message you're receiving means that your sAMAccountName is invalid because it doesn't meet specific AD restrictions on it. The sAMAccountName attribute cannot be more than 20 characters and cannot contain any of the following: " [ ] : ; | = + * ? < > / \ ,. It might be helpful to see an example username with the ticket number appended.
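The following is an added example, not code from the question or the answer: it builds the renamed value, checks it against the 20-character limit and the forbidden characters listed above before any ldap_mod_replace() call, and escapes the POSTed name in the search filter (the injection point raised in the comments). The function names and the attribute list are assumptions.

```php
<?php
// Added example: validate a renamed sAMAccountName against the AD limits
// the answer lists, then search (with an escaped filter) and rename.
const SAM_MAX_LENGTH = 20;
const SAM_FORBIDDEN  = '"[]:;|=+*?<>/\\,';   // characters AD rejects in sAMAccountName

// Returns null when the candidate is acceptable, otherwise the reason it is not.
function samAccountNameProblem(string $candidate): ?string
{
    $len = strlen($candidate);
    if ($len < 1 || $len > SAM_MAX_LENGTH) {
        return "length $len is outside 1.." . SAM_MAX_LENGTH;
    }
    $bad = strpbrk($candidate, SAM_FORBIDDEN);   // first forbidden character, if any
    if ($bad !== false) {
        return 'contains forbidden character ' . $bad[0];
    }
    return null;
}

// Append "-<ticket>" to the login name, trimming the name so the whole value still fits.
function buildRenamedSam(string $original, string $ticket): string
{
    $suffix = '-' . $ticket;
    $room   = SAM_MAX_LENGTH - strlen($suffix);
    if ($room < 1) {
        throw new InvalidArgumentException("ticket '$ticket' leaves no room for the name");
    }
    return substr($original, 0, $room) . $suffix;
}

// Escape the POSTed name before it goes into the filter, skip the "count" key that
// ldap_get_entries() adds, and validate each new value before it is written.
function renameSeparatedAccount($connection, string $baseDn, string $accountName, string $ticket): array
{
    $filter  = '(samaccountname=' . ldap_escape($accountName, '', LDAP_ESCAPE_FILTER) . ')';
    $search  = ldap_search($connection, $baseDn, $filter, ['samaccountname']);
    $entries = ldap_get_entries($connection, $search);
    $renamed = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $newSam = buildRenamedSam($entries[$i]['samaccountname'][0], $ticket);
        if (($why = samAccountNameProblem($newSam)) !== null) {
            throw new RuntimeException("refusing to set '$newSam': $why");
        }
        ldap_mod_replace($connection, $entries[$i]['dn'], ['samaccountname' => $newSam]);
        $renamed[] = $newSam;
    }
    return $renamed;
}
```

With a constructed login such as jbrandon and ticket 12345, buildRenamedSam() returns jbrandon-12345; a 16-character login with the same ticket is shortened to its first 14 characters so the result stays at 20.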