How to access Windows IIS User Info with Perl
BigNin 2005-03-29, 8:57 pm
I have a Perl script which runs on a Unix server with apache as the
http server. With the use of an .htaccess file, only users that login
with basic authentication are able to run the script. This script is
only available on the intranet so it's internal company use only. The
perl script compares the authenticated username with a text file which
contains groups to which certain employees belong and serves different
HTML depending on the user's group memberships.
In our IT department's infinite wisdom, they have moved us to a Windows
2003 server running IIS. I've made the modifications to my script so
that it runs, but the IIS server is configured for Windows
Authentication. The IT department states that this allows users to
login into the network when they first turn on their PC and then the
users don't have to enter any additional usernames or passwords to
authenticate with IIS and my script. My group text file has now been
converted to Windows security groups.
I have searched HotScripts.com, ActiveState.com, and Google and I can
not find any example of how to get perl to read Windows security groups
and tell me which ones the user belongs to. I'm guessing that someone
somewhere has done this before.
My administrators gave me some ASP code that supposedly can do what I
want, but that doesn't really help me do it in perl. For reference, I
have included it below:
Public Function Groups(ByVal SearchResult As System.DirectoryServices.SearchResult) As String
    Dim tmp As String = String.Empty
    Dim groupSid As Object
    Dim sid() As Byte
    Try
        Dim de As DirectoryEntry = SearchResult.GetDirectoryEntry
        'pull the lookup account's username and password from the web.config file.
        de.Username = Configuration.ConfigurationSettings.AppSettings("User")
        de.Password = Configuration.ConfigurationSettings.AppSettings("Pass")
        'this line is sometimes necessary to get tokenGroups into the property cache...
        de.RefreshCache(New String() {"tokenGroups"})
        'loop through each sid in the tokenGroups
        For Each groupSid In de.Properties("tokenGroups")
            'just another way of doing a ctype.
            sid = DirectCast(groupSid, Byte())
            'set up the groupentry for query
            'ConvertToOctetString is the important part here. This is where the real work is.
            'binding with the <SID=...> form lets the directory resolve the raw SID to the group object.
            Dim groupEntry As New DirectoryEntry(String.Format("LDAP://<SID={0}>", ConvertToOctetString(sid)))
            Dim propcoll As PropertyCollection = groupEntry.Properties
            Dim key As String
            Dim values As Object
            'loop through all of the properties for this record
            For Each key In propcoll.PropertyNames
                'loop through all the values associated with our key
                For Each values In propcoll(key)
                    If LCase(key) = "distinguishedname" Then
                        Dim temp As String = values.ToString
                        'skip groups whose DN contains "ImportedExchange" (InStr returns 0 when absent)
                        If InStr(temp, "ImportedExchange") = 0 Then
                            Dim atemp() As String = temp.Split(",")
                            tmp &= Replace(atemp(0).ToString, "CN=", ",")
                            If Left(tmp, 1) = "," Then
                                tmp = Mid(tmp, 2)
                            End If
                        End If
                    End If
                Next
            Next
        Next
    Catch ex As Exception
        'process exception
    End Try
    Return tmp
End Function

'overload for lazy programming
Public Overloads Shared Function ConvertToOctetString(ByVal values As Byte()) As String
    Return ConvertToOctetString(values, False, False)
End Function

'overload for lazy programming
Public Overloads Shared Function ConvertToOctetString(ByVal values As Byte(), _
        ByVal isAddBackslash As Boolean) As String
    Return ConvertToOctetString(values, isAddBackslash, False)
End Function

'This is where the work really comes in. This method allows us to convert the sid
'into a usable string that LDAP can use to search for the groups this user belongs to.
Public Overloads Shared Function ConvertToOctetString(ByVal values As Byte(), _
        ByVal isAddBackslash As Boolean, ByVal isUpperCase As Boolean) As String
    Dim iterator As Integer
    Dim builder As System.Text.StringBuilder
    Dim slash As String
    If isAddBackslash Then
        slash = "\"
    Else
        slash = String.Empty
    End If
    Dim formatCode As String
    If isUpperCase Then
        formatCode = "X2"
    Else
        formatCode = "x2"
    End If
    builder = New System.Text.StringBuilder(values.Length * 2)
    For iterator = 0 To values.Length - 1
        builder.Append(slash)
        builder.Append(values(iterator).ToString(formatCode))
    Next
    Return builder.ToString()
End Function
Thanks in advance to any suggestions.
Ted Zlatanov 2005-03-29, 8:57 pm
On 29 Mar 2005, page.nix@gmail.com wrote:
> I have a Perl script which runs on a Unix server with apache as the
> http server. With the use of an .htaccess file, only users that login
> with basic authentication are able to run the script. This script is
> only available on the intranet so it's internal company use only. The
> perl script compares the authenticated username with a text file which
> contains groups to which certain employees belong and serves different
> HTML depending on the user's group memberships.
>
> In our IT department's infinite wisdom, they have moved us to a Windows
> 2003 server running IIS. I've made the modifications to my script so
> that it runs, but the IIS server is configured for Windows
> Authentication. The IT department states that this allows users to
> login into the network when they first turn on their PC and then the
> users don't have to enter any additional usernames or passwords to
> authenticate with IIS and my script. My group text file has now been
> converted to Windows security groups.
....
> My administrators gave me some ASP code that supposedly can do what I
> want, but that doesn't really help me do it in perl.
It looks like you are using ActiveDirectory, which has a LDAP
interface. You could use Net::LDAP to do the equivalent of the ASP
code (lookups only). A LDAP browser such as gq for Linux can help you
inspect the specific structure of the user records. I don't know if
you can get all the information you need through LDAP, but I hope so :)
Ted
Big and Blue 2005-03-29, 8:57 pm
BigNin wrote:
>
> In our IT department's infinite wisdom, they have moved us to a Windows
> 2003 server running IIS. I've made the modifications to my script so
> that it runs, but the IIS server is configured for Windows
> Authentication.
You think MS Windows would allow any choice?
> The IT department states that this allows users to
> login into the network when they first turn on their PC and then the
> users don't have to enter any additional usernames or passwords to
> authenticate with IIS and my script.
So they login, walk away and anyone else walking past has full access
to all Web sites as them. Odd why some people see single sign-on as secure...
> My administrators gave me some ASP code that supposedly can do what I
> want, but that doesn't really help me do it in perl.
Can you get the login id? If you can, then you should be able to query
ActiveDirectory using the Net::LDAP modules to look up group membership.
But until you get the login id then you can't do anything. I suppose it's
too much to expect IIS to set an environment variable? (That is part of
the CGI standard, but no idea whether MS adhere to any standards here).
> de.Password =
> Configuration.ConfigurationSettings.AppSettings("Pass")
The Web server allows you to read users MS passwords???
--
Just because I've written it doesn't mean that
either you or I have to believe it.
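An added example (not code from this thread) of what Ted and Big and Blue describe: take the IIS-authenticated account from REMOTE_USER, look up its Active Directory group membership with Net::LDAP, and make the access decision from the group names server-side. The LDAPS host, bind DN, base DN, the LDAP_BIND_PW environment variable and the group name checked at the end are placeholders, and the bind account is assumed to be a read-only lookup account rather than the end user.

```perl
# Added example (not from the thread). Resolves the IIS-authenticated user's
# AD group membership over LDAP. Placeholders: the ldaps host, bind DN, base
# DN, the LDAP_BIND_PW environment variable and the group name checked last.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_explode_dn);

# IIS passes the Windows-authenticated user as "DOMAIN\user" or "user@domain".
# Keep only a conservative account-name character set; anything else is rejected.
sub account_name {
    my ($remote_user) = @_;
    return unless defined $remote_user;
    my ($name) = $remote_user =~ m{^(?:[^\\]+\\)?([A-Za-z0-9._-]+)(?:@[^@]+)?$};
    return $name;
}

# Reduce group DNs to their CN values, the names the old text file held.
sub group_names {
    my @cns;
    for my $dn (@_) {
        my $rdns = ldap_explode_dn($dn, casefold => 'lower') or next;
        push @cns, $rdns->[0]{cn} if exists $rdns->[0]{cn};
    }
    return @cns;
}

# Search for the account and read memberOf. escape_filter_value applies RFC 4515
# escaping, so a crafted REMOTE_USER cannot change the meaning of the filter.
sub user_groups {
    my ($ldap, $base, $account) = @_;
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
        escape_filter_value($account);
    my $res = $ldap->search(base => $base, scope => 'sub',
                            filter => $filter, attrs => ['memberOf']);
    die $res->error if $res->code;
    my $entry = $res->entry(0) or return;
    return group_names($entry->get_value('memberOf'));
}

my $account = account_name($ENV{REMOTE_USER})
    or die "no authenticated user (REMOTE_USER unset or malformed)\n";
my $ldap = Net::LDAP->new('ldaps://dc.example.com') or die "$@\n";   # placeholder host
my $bind = $ldap->bind('CN=svc-web,OU=Service,DC=example,DC=com',      # placeholder bind DN
                       password => $ENV{LDAP_BIND_PW});
die $bind->error if $bind->code;
my %member = map { lc($_) => 1 } user_groups($ldap, 'DC=example,DC=com', $account);
$ldap->unbind;
my $allowed = $member{'report readers'} ? 1 : 0;   # placeholder group name
print(($allowed ? 'allowed' : 'denied'), "\n");
```

memberOf lists direct memberships only; the ASP code's tokenGroups attribute also covers nested groups, so use that (or walk memberOf recursively) if nested groups matter for the decision.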
BigNin 2005-03-30, 3:59 am
Big and Blue wrote:
> BigNin wrote:
>
> You think MS Windows would allow any choice?
I'm certainly not an IIS expert, in fact, I've only played around with
it now for 2 days, but I did notice under the security options that it
allowed for Basic Authentication, Windows Authentication (or whatever
they called it), and one or two other options. It looks like our
administrators are not giving us any options though. We must use the
Windows based one.
>
> So they login, walk away and anyone else walking past has full access
> to all Web sites as them. Odd why some people see single sign-on as secure...
You're preaching to the choir here. We've been through this before.
It is the general opinion here that all users are supposed to lock
their workstations when they leave them and in fact the machines lock
themselves after 15 min of inactivity. Albeit flawed, this is the best
option available to us for a few reasons. For starters, most users
tell their browser to remember their username and password anyway, so
it wouldn't matter if they logged out of the application. But more
importantly, the data viewed through this application is data that can
be obtained via a printed report that many people receive. This means
that if I really wanted to steal the information, I just need to walk
up to someone's desk when they aren't there and grab the report, so
security in the case of this application is more for logging of who is
reading what and when and not so much a matter of keeping someone out.
> Can you get the login id? If you can, then you should be able to query
> ActiveDirectory using the Net::LDAP modules to look up group membership.
> But until you get the login id then you can't do anything. I suppose it's
> too much to expect IIS to set an environment variable? (That is part of
> the CGI standard, but no idea whether MS adhere to any standards here).
Thanks. I'll do some testing and look into grabbing the id. I'm
hoping that the REMOTE_USER variable is indeed available. I'm
unfamiliar with the Net::LDAP modules, so I'll have to read up on those
and see how they work. Do you know if they are part of a standard
ActiveState Perl install? If not, I'll have to get the admins to
install it.
>
>
> The Web server allows you to read users MS passwords???
>
It looks that way from the code, but I sure hope not. The ASP code
that I included was emailed to me from one of the admins and I haven't
tested it. It wasn't intended for me to necessarily run it... more as
a guideline to help me figure out how I would accomplish the same thing
in perl.
A. Sinan Unur 2005-03-30, 3:59 am
"BigNin" <page.nix@gmail.com> wrote in
news:1112146285.087096.206560@z14g2000cwz.googlegroups.com:
> I'm unfamiliar with the Net::LDAP modules, so I'll have to read
> up on those and see how they work. Do you know if they are part
> of a standard ActiveState Perl install? If not, I'll have to get
> the admins to install it.
Well, first off, good luck.
Second, MSDN might have detailed information on what information is
supplied to your script when running under Windows authentication.
As for module installation, the following FAQ entry might be useful:
perldoc -q lib
at least when you are testing.
Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)
comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/c...guidelines.html
Thomas Kratz 2005-03-30, 8:59 am
BigNin wrote:
> I have a Perl script which runs on a Unix server with apache as the
> http server. With the use of an .htaccess file, only users that login
> with basic authentication are able to run the script. This script is
> only available on the intranet so it's internal company use only. The
> perl script compares the authenticated username with a text file which
> contains groups to which certain employees belong and serves different
> HTML depending on the user's group memberships.
>
> In our IT department's infinite wisdom, they have moved us to a Windows
> 2003 server running IIS. I've made the modifications to my script so
> that it runs, but the IIS server is configured for Windows
> Authentication. The IT department states that this allows users to
> login into the network when they first turn on their PC and then the
> users don't have to enter any additional usernames or passwords to
> authenticate with IIS and my script. My group text file has now been
> converted to Windows security groups.
>
> I have searched HotScripts.com, ActiveState.com, and Google and I can
> not find any example of how to get perl to read Windows security groups
> and tell me which ones the user belongs to. I'm guessing that someone
> somewhere has done this before.
>
> My administrators gave me some ASP code that supposedly can do what I
> want, but that doesn't really help me do it in perl. For reference, I
> have included it below:
[snipped horrible ASP code]
try this:
use strict;
use warnings;
use Win32::OLE qw/in/;          # 'in' iterates an OLE collection

Win32::OLE->Option(Warn => 1);

# usage: script.pl DOMAIN USER
my ($domain, $user) = @ARGV;
die "usage: $0 DOMAIN USER\n" unless defined $domain && defined $user;

# bind to the user object through the ADSI WinNT provider
my $path   = "WinNT://$domain/$user";
my $o_user = Win32::OLE->GetObject($path)
    or die "cannot bind to $path: " . Win32::OLE->LastError() . "\n";

# print the name of each group the user is a direct member of
foreach my $group ( in($o_user->Groups()) ) {
    print $group->Name, "\n";
}
Thomas