
Problems with Win32::OLE and ADSI

by rob_au (Abbot)
on Sep 09, 2002 at 03:13 UTC

rob_au has asked for the wisdom of the Perl Monks concerning the following question:

Fellow monks, I am experiencing some problems with a script which employs Win32::OLE to bridge the gap to Windows ADSI in a similar fashion to that described in this article on perl.com. The problem I am running into is, I am sure, permission related within the IIS (5.0) environment; however, I am having problems confirming this.

My shortest test-case code is as follows ...

#!d:/Perl/bin/Perl.exe

use CGI;
use CGI::Carp;
use Win32::OLE;

use strict;

my $cgi = CGI->new;
print STDOUT $cgi->header;

my ($username, $password) = ('myusername', 'mypassword');

my $objNameSpace = Win32::OLE->GetObject('LDAP:') or
    croak( 'Cannot create LDAP object - ', $! );
my $objObjSec = $objNameSpace->OpenDSObject(
    'LDAP://DC=mydomain,DC=com',
    $username,
    $password,
    1
);
if (Win32::OLE->LastError() == 0) {
    print STDOUT "Success!\n";
    $objObjSec->close;
} else {
    print STDOUT "Failure!\n";
}
$objNameSpace->close;

exit 0;

The objective of this code is to take username and password details supplied and authenticate them against the Windows 2000 Active Directory. When run from the command line, this code executes without errors or warnings, yet when executed from within the IIS environment, the authentication lookup fails, despite accurate username and password details having been supplied.

Digging deeper into this problem, I have found that the OpenDSObject call is returning a HRESULT error code of 0x8007202 - I have not however been able to determine the cause of this error message as per the instructions on the MSDN site here.

This failure of execution within the IIS environment, but success from the command line very much suggests to my mind that this is a permission problem of sorts, however I am at a loss as to where to look next to resolve this problem.

 

Replies are listed 'Best First'.
Re: Problems with Win32::OLE and ADSI
by blm (Hermit) on Sep 09, 2002 at 04:53 UTC

    I had some really cool ideas on things to try then I found a machine on which I tested your code. It works for me ;-P. All I did was copy and paste then update the values for $username and $password, the path for perl.exe and the LDAP:// path. I am using ActiveState Perl 5.6.1 build 633 active package (not msi) on Windows 2000 Server with SP2.

    Changed: I did this with NTLM auth turned on in IIS. This confirms the earlier post that I couldn't test. Switching auth modes may help get rid of the problem.

    I guess that you don't want to change the auth mode so I got rid of the NT Integrated Auth for more testing. Indeed I straight away got an error message with HRESULT = 0x8007202a. Looking here at MSDN I get the following:

    0x8007202aL LDAP_AUTH_UNKNOWN ERROR_DS_AUTH_UNKNOWN

    Based on this error and the URL for the man page equivalent for the function in question (OpenDSObject), I changed the username to the UPN of the administrator and the script worked. I then substituted the old WinNT form (DOMAIN\administrator) and it also worked. Then I changed it to administrator and it didn't work again.

    Of course, the error HRESULT value I get is different to the decimal value I got off you from chatterbox. But is it the same as the hex value I got at the same time? The hex value in the article is missing a digit I think, because they all seem to be 32-bit in MSDN.

    Also you might find that if you change the bit of code towards the end, the error messages are a bit more helpful:

    my $err = Win32::OLE->LastError();
    if ($err == 0) {
        print STDOUT "Success!\n";
        $objObjSec->close;
    } else {
        print STDOUT $err;
        print STDOUT "Failure!\n";
    }
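Added example, not part of the post above or of anyone's code in this thread: a small Perl decoder for the HRESULT values being compared, showing why a seven-digit hex value such as the one in the question cannot be a complete failure code. The sub name decode_hresult and the sample inputs are constructed for illustration; the decimal input is the signed 32-bit form of 0x8007202A, computed here rather than quoted from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Win32 error codes carried inside FACILITY_WIN32 HRESULTs. Only the code
# discussed in this thread is listed; extend from winerror.h as needed.
my %WIN32_NAME = ( 0x202A => 'ERROR_DS_AUTH_UNKNOWN' );

# Accepts a hex string ("0x8007202a", optional trailing L) or the signed
# decimal that a 32-bit HRESULT becomes when treated as a signed integer.
sub decode_hresult {
    my ($raw) = @_;
    my ($value, $note);
    if ($raw =~ /^0x([0-9a-f]+)L?$/i) {
        my $digits = $1;
        # An HRESULT is 32 bits, so a failure code always has 8 hex digits.
        $note = 'fewer than 8 hex digits: probably truncated'
            if length($digits) < 8;
        $value = hex $digits;
    }
    elsif ($raw =~ /^-?\d+$/) {
        # Fold a negative (signed 32-bit) value back to unsigned.
        $value = $raw < 0 ? $raw + 2**32 : $raw + 0;
    }
    else {
        die "unrecognised HRESULT: $raw\n";
    }
    my $facility = ($value >> 16) & 0x7FF;    # 7 = FACILITY_WIN32
    my $code     = $value & 0xFFFF;           # Win32 error when facility is 7
    my $name     = $facility == 7 ? $WIN32_NAME{$code} : undef;
    return {
        hex      => sprintf('0x%08X', $value),
        failure  => ($value >> 31) & 1,       # severity bit
        facility => $facility,
        code     => $code,
        name     => $name // 'unknown',
        note     => $note // '',
    };
}

# Constructed inputs: the full code, its signed decimal form, and the
# seven-digit value quoted in the original question.
for my $in ('0x8007202aL', -2147016662, '0x8007202') {
    my $r = decode_hresult($in);
    printf "%-12s => %s failure=%d facility=%d code=%d (%s) %s\n",
        $in, @{$r}{qw(hex failure facility code name note)};
}
```

The first two inputs decode to the same value, facility 7 with Win32 code 8234 (ERROR_DS_AUTH_UNKNOWN), while the seven-digit input has the severity bit clear and is flagged as truncated.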
Re: Problems with Win32::OLE and ADSI
by dws (Chancellor) on Sep 09, 2002 at 03:33 UTC
    From memory (and from a system I don't have access to), there's a permissions issue related to the user that IIS is set up to run as, and what permissions that user has to access certain resources. This prevented me from doing certain COM stuff until I'd changed the user (via the Services control panel?) that IIS ran under, and gave that user certain additional permissions. Specifics beyond that are hazy. Hope that helps.

      It seems as though he is trying to get around that by specifying alternative credentials with the OpenDSObject() call.

      Unfortunately I cannot test this where I am at the moment but...

      You could try NTLM integrated authentication if the client machine and server are in the same domain and log onto the client computer as a Domain Admin. That could make it work.

      Another thing to try is to switch to Basic Authentication. If the user logs in with a username and password that is a domain admin, does the code work?

Re: Problems with Win32::OLE and ADSI
by blm (Hermit) on Sep 09, 2002 at 03:21 UTC
    From the chatterbox the decimal number that you gave me for HRESULT is 0x8007202aL LDAP_AUTH_UNKNOWN ERROR_DS_AUTH_UNKNOWN according to MSDN
