PerlMonks  

Authenticate Active Directory

by SteveS832001 (Sexton)
on Jul 19, 2006 at 15:37 UTC ( [id://562322] )

SteveS832001 has asked for the wisdom of the Perl Monks concerning the following question:

I wrote a CGI script that allows people to unlock users in our Active Directory (less work for me). Then it creates a log of who they unlocked, the person unlocking, and the date and time.
My question is, I want to limit access to this page with a logon screen. I would like to authenticate the username and password with Active Directory to give them access to the page. I have searched and found nothing. The reason I want to do this is because "Users" don't like to remember another password, so this is my resolution. If you could show me some code that would do what I am asking, that would be great. Or at least point me in the right direction.
Also, the username and password need to be encrypted when sending the info to the Active Directory. (duh)
Thank you very much.

Replies are listed 'Best First'.
Re: Authenticate Active Directory
by g0n (Priest) on Jul 19, 2006 at 16:17 UTC
    The simplest way is to gather the username and password, connect to your AD with Net::LDAP, and bind using the username and password. Check the result of the bind; if it was successful (!$result->code) the username and password are correct. Identifying whether that user is someone who should have permission to unlock someone's account is another matter - you may want to create a group, and do a search for membership.

    For encrypted authentication, you need to connect to the AD with Net::LDAPS.

    The perl-ldap mailing list would be a good place to get help if you get stuck - in fact reading back through the list archives will get you a long way towards your objective.

    --------------------------------------------------------------

    "If there is such a phenomenon as absolute evil, it consists in treating another human being as a thing."
    John Brunner, "The Shockwave Rider".

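The bind-then-check-membership flow g0n describes, written out as an added example (this is not code from the thread or from perl-ldap itself). It assumes a hypothetical domain controller dc1.example.corp, UPN suffix example.corp, a CA file for the DC certificate, and a group CN=Helpdesk-Unlock,OU=Groups,DC=example,DC=corp whose members may use the unlock page; all of those are placeholders to replace with your own values.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): authenticate a web user
# against Active Directory by binding with their own credentials over LDAPS,
# then confirm they belong to the group that is allowed to unlock accounts.
# All hostnames, DNs and file paths below are assumed placeholder values.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $LDAP_HOST    = 'dc1.example.corp';                                # assumed
my $CA_FILE      = '/etc/ssl/certs/corp-ca.pem';                      # assumed: CA that issued the DC cert
my $BASE_DN      = 'DC=example,DC=corp';                              # assumed
my $UPN_SUFFIX   = 'example.corp';                                    # assumed
my $UNLOCK_GROUP = 'CN=Helpdesk-Unlock,OU=Groups,DC=example,DC=corp'; # assumed

# Returns 1 when the user authenticated AND is a member of $UNLOCK_GROUP,
# 0 otherwise. $err_ref receives a short reason suitable for the audit log.
sub authorize_unlock_operator {
    my ($username, $password, $err_ref) = @_;

    # AD treats a simple bind with an empty password as an anonymous bind,
    # which succeeds; refuse it here so a blank form field never counts as
    # a valid logon.
    if (!defined $password || $password eq '') {
        $$err_ref = 'empty password';
        return 0;
    }
    # Accept only a plain sAMAccountName: no '@', '\' or LDAP metacharacters.
    if ($username !~ /^[A-Za-z0-9._-]{1,64}$/) {
        $$err_ref = 'malformed username';
        return 0;
    }

    # LDAPS with certificate verification, so the password is neither sent
    # in the clear nor handed to a spoofed directory server.
    my $ldap = Net::LDAP->new($LDAP_HOST,
        scheme  => 'ldaps',
        port    => 636,
        verify  => 'require',
        cafile  => $CA_FILE,
        timeout => 10,
    ) or do { $$err_ref = "connect failed: $@"; return 0 };

    # Bind as the user; AD accepts the userPrincipalName as the bind name.
    my $mesg = $ldap->bind("$username\@$UPN_SUFFIX", password => $password);
    if ($mesg->code) {
        $$err_ref = 'bind failed: ' . $mesg->error;
        $ldap->unbind;
        return 0;
    }

    # The bind proves the credentials; now check group membership with a
    # search the user is allowed to run against their own object.
    my $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                         escape_filter_value($username));
    $mesg = $ldap->search(base => $BASE_DN, scope => 'sub',
                          filter => $filter, attrs => ['memberOf']);
    if ($mesg->code || $mesg->count != 1) {
        $$err_ref = 'user lookup failed';
        $ldap->unbind;
        return 0;
    }
    my @groups = $mesg->entry(0)->get_value('memberOf');
    $ldap->unbind;

    my $allowed = grep { lc($_) eq lc($UNLOCK_GROUP) } @groups;
    $$err_ref = $allowed ? '' : 'not in unlock group';
    return $allowed ? 1 : 0;
}

# Usage from the CGI, after reading the form fields into $user and $pass:
#   my $why;
#   if (authorize_unlock_operator($user, $pass, \$why)) { ... show the page ... }
#   else { ... deny, and log $why together with $user (never the password) ... }
```

Two things worth knowing when adapting this: memberOf lists direct memberships only, so if operators are placed in nested groups, replace the memberOf comparison with a search whose filter uses AD's transitive matching rule, `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`; and the log the original poster already writes should record the authenticated username from the bind, not the raw form input, so that each unlock is tied to the directory identity that performed it.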

Re: Authenticate Active Directory
by Tanktalus (Canon) on Jul 19, 2006 at 15:55 UTC

    Being someone who makes avoiding Windows a point of pride, I could be off here, but isn't Active Directory just a fancy way of saying "LDAP"? A quick google of active directory authentication turns up a number of articles that talk about Linux authenticating against MSAD, and they all talk about LDAP. So you may want to look at them to see how to apply this knowledge with Net::LDAP.

Re: Authenticate Active Directory
by strat (Canon) on Jul 20, 2006 at 08:42 UTC

    What is your webserver and OS? Maybe you could use the webserver's authentication to log on, then create an ActiveDirectory group of users who are allowed to log on.

    If not, I'd recommend ADSI over LDAP (only works with Windows servers). If the AD consists of only one domain, LDAP will work fine; but if there are several domains, with LDAP you'll need to know to use one server for each domain. But with ADSI, you can first search the Global Catalog for the samAccountName or userPrincipalName, and then use the user's ADsPath to bind to the AD and authenticate the user.

    If you have to use Net::LDAP, it is safer to use version 2 for writing and searching because AD normally doesn't use UTF-8 but ISO-Latin-1 as encoding; and if you want to search or write non-ASCII chars like umlauts, you will get problems with LDAP version 3.

    Update: with ADSI and some AD configurations, there exists a security feature/problem that the explicit logon to the AD doesn't work and is silently converted to the user which runs the script on the webserver. I don't know the name of this option, but I usually find it out by trying to log on as a different user and then manually checking the security event log of the AD domain controller once to see if I can do such a logon. But there must be a better solution to find out which user is currently logged on to the AD via ADSI.

    Best regards,
    perl -e "s>>*F>e=>y)\*martinF)stronat)=>print,print v8.8.8.32.11.32"
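strat's two-step approach for a multi-domain forest (look the account up in the Global Catalog first, then bind as the user against its own domain) done with Net::LDAP rather than ADSI, as an added example that is not from the thread. It assumes a hypothetical Global Catalog server gc.example.corp reachable over LDAPS on 3269, a read-only service account ldap-reader whose password is supplied in the LDAP_READER_PW environment variable, a CA file for the certificates, and an administrator-maintained map from domain DN to a domain controller hostname; all of these are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): LDAP analogue of the
# "search the Global Catalog, then bind with the user's own DN" approach.
# Step 1: a read-only service account searches the Global Catalog (LDAPS on
#         port 3269) forest-wide for the sAMAccountName and reads the DN.
# Step 2: the script binds to a domain controller of the user's home domain
#         with that DN and the user's password to authenticate.
# Hostnames, DNs, account names and file paths are assumed placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_explode_dn);

my $GC_HOST     = 'gc.example.corp';                                # assumed: a GC server
my $CA_FILE     = '/etc/ssl/certs/corp-ca.pem';                     # assumed
my $FOREST_ROOT = 'DC=example,DC=corp';                             # assumed forest root
my $SVC_DN      = 'CN=ldap-reader,OU=Service,DC=example,DC=corp';   # assumed read-only account
my $SVC_PW      = $ENV{LDAP_READER_PW} // die "LDAP_READER_PW not set\n";

# Connect over LDAPS with certificate verification; returns undef on failure.
sub ldaps_connect {
    my ($host, $port) = @_;
    return Net::LDAP->new($host, scheme => 'ldaps', port => $port,
                          verify => 'require', cafile => $CA_FILE, timeout => 10);
}

# Look the account up forest-wide. Returns (user_dn, home_domain_dn), or an
# empty list if the account is missing, ambiguous, or the lookup failed.
sub find_user_in_forest {
    my ($username) = @_;
    return () if $username !~ /^[A-Za-z0-9._-]{1,64}$/;   # sAMAccountName only
    my $gc = ldaps_connect($GC_HOST, 3269) or return ();
    my $mesg = $gc->bind($SVC_DN, password => $SVC_PW);
    if ($mesg->code) { $gc->unbind; return () }

    # sAMAccountName and distinguishedName are part of the GC partial
    # attribute set, so every domain in the forest is searchable from here.
    $mesg = $gc->search(base => $FOREST_ROOT, scope => 'sub',
        filter => sprintf('(&(objectCategory=person)(sAMAccountName=%s))',
                          escape_filter_value($username)),
        attrs  => ['distinguishedName']);
    $gc->unbind;
    # Exactly one hit is required: the same sAMAccountName may legitimately
    # exist in two domains, and silently picking one would be wrong.
    return () if $mesg->code || $mesg->count != 1;
    my $dn = $mesg->entry(0)->dn;

    # The DC= components of the DN name the user's home domain.
    my @rdns = @{ ldap_explode_dn($dn, casefold => 'upper') };
    my $domain_dn = join ',', map { "DC=$_->{DC}" } grep { exists $_->{DC} } @rdns;
    return ($dn, $domain_dn);
}

# Authenticate by binding as the user against a DC of their own domain.
# $dc_for_domain is a hash ref, maintained by the admin, mapping a
# lower-cased domain DN to a domain controller hostname (assumed).
sub authenticate_user {
    my ($username, $password, $dc_for_domain) = @_;
    # An empty password would become an anonymous bind, which AD accepts.
    return 0 if !defined $password || $password eq '';
    (my ($dn, $domain_dn) = find_user_in_forest($username)) or return 0;
    my $dc   = $dc_for_domain->{lc $domain_dn} or return 0;
    my $ldap = ldaps_connect($dc, 636) or return 0;
    my $mesg = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    return $mesg->code ? 0 : 1;
}

# Usage (placeholder map):
#   my %dc = ('dc=example,dc=corp'           => 'dc1.example.corp',
#             'dc=emea,dc=example,dc=corp'   => 'dc1.emea.example.corp');
#   my $ok = authenticate_user($user, $pass, \%dc);
```

Because the service account only needs to read sAMAccountName and distinguishedName, it should have no other rights; the user's own password is only ever used for the bind in step 2, never for the GC search.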

Re: Authenticate Active Directory
by Marza (Vicar) on Jul 20, 2006 at 00:59 UTC

    Well, you could do that in Perl as the others suggested, but why not make use of the Delegation of Authority Wizard and grant the people the ability?

    This way the people that have the right will be controlled by AD, and the people that don't will get an error from the system.

    This also eliminates having to maintain an access list for people that have the right.
