Permissions issue preventing inception of greatest time saving webpage ever

[browolf]

To save teachers, pupils and our time changing kids domain passwords.

 

<%


'on error resume next

strUser                 = "{domain admin account}"
strPword                = "{password}"
Const ADS_SECURE_AUTHENTICATION = &H1
const ADS_SERVER_BIND= &H200
Const ForReading = 1, ForWriting = 2

username=request.querystring("username")
email=request.querystring("email")


set oDSP = GetObject("LDAP:")
set ouser = oDSP.OpenDSObject("LDAP://cn=" & username & ",ou=pupils,dc=domain,dc=lancs,dc=sch,dc=uk",strUser,strPword,ADS_SECURE_AUTHENTICATION and ADS_SERVER_BIND)

fullname=ouser.displayname
descriptionx=ouser.description

if fullname>"" then 


%>


Processing password change for <%=fullname%>
(<%=descriptionx%>)


<%
'formulate password
Randomize
dim myvalue,passcol
MyValue = Int((10 * Rnd) + 1)
select case myvalue
	case "1"  passcol = "orange"
	case "2"  passcol = "red"
	case "3"  passcol = "green"
	case "4"  passcol = "monkey"
	case "5"  passcol = "blue"
	case "6"  passcol = "cabbage"
	case "7"  passcol = "donkey"
	case "8"  passcol = "purple"
	case "9"  passcol = "orange"
	case "10"  passcol = "pink"
end select
Randomize
dim mynum
Mynum = Int((999 * Rnd) + 1)
password = passcol & mynum

response.write password & "
"
'response.write Request.ServerVariables("REMOTE_USER")

ouser.setpassword(password)
'ouser.put "userPassword", password
'ouser.setinfo


%>










<% else %>


Error Occurred: Send pupil to T13

<%end if%>

[Steve21]

Out of curiosity, Wouldn't this give the "teachers?" (assuming this is who the webpage goes to) full control to change any users password? Just by changing the "ou=pupils" ? Or does all that part stay hidden? (Newbie at websites)

 

Steve

[browolf]

whoops pressed post before I'd explained the problem, and then a bunch of people turned up and I couldn't get back it.

 

if I don't use ads_server_bind, I get permission denied on the password line.

if I do use ads_server_bind I have the error "One or more input parameters are invalid " on the password change line.

 

these both occur despite successfully opening and querying the user object with the embedded domain admin account. displayname and description are successfully retrieved and displayed.

 

I need it to change the password using the credentials given and for it not to try and use any others that might give permission errors. Teachers don't have change password permissions but the whole purpose of the design is that they don't need it. The bit I haven't written yet is when the new password is emailed to them not shown on the screen. I read tonnes of web pages on the matter but haven't found anything particularly helpful. any ideas?

 

 

@Steve21. the asp code part is processed on the server and not included in the webpage delivered to the user.