COM + USERS

NoReason
Forum Commoner
Posts: 51
Joined: Tue Sep 10, 2002 6:19 pm

COM + USERS

Post by NoReason »

Has anyone tried to use the COM support to manage users on Active Directory servers?

It should be possible; however, I am having issues with authentication when trying to instantiate a new user object via:

COM("http://domain/Username,user")
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Re: COM + USERS

Post by BDKR »

NoReason wrote:
Has anyone tried to use the COM support to manage users on Active Directory servers?

It should be possible; however, I am having issues with authentication when trying to instantiate a new user object via:

COM("http://domain/Username,user")

I think phpbuilder.com had an article on this. You may want to take a look over there some time.

Cheers,
BDKR

Post by NoReason »

Yes, there is an article on COM, but it only deals with Word and Excel objects located on your local system.
As of yet there is nothing about accessing a domain user object....
DCOM is available, but I'm sure I would have the same issue: credentials.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Do you have a working example of this in any other language?

Post by NoReason »

In VB, yes.
But the catch is, the scripts are being transferred via SSH to the remote server to be executed.

I was hoping to avoid the SSH piece and do direct user account manipulation via COM().

Post by volka »

Please post the VB code (the important parts ;) )
Transferred via SSH? You mean scp-ing the code and executing it there?

Post by NoReason »

Yes...
Using OpenSSH for Windows to do the transfers.

Here is some of the code. It's PHP that creates a VB file which is then scp'd to the remote AD server, then executed over SSH.


<?php
// Builds a VBScript file of ADSI calls from database rows. The file is then
// scp'd to the remote AD server and executed there over SSH.
// Row values, passwords included, are written into VBScript string literals
// as-is; a double quote inside any value breaks the generated statement.
mssql_connect($_mssql["Hostname"], $_mssql["Username"], $_mssql["Password"]) or die("Connection Failed To Respond.");
mssql_select_db($_mssql["Database"]) or die("DataBase Not Found");

$FP = fopen('C:\Admin Scripts\ActiveDirectory\ScriptToRun\ActiveDirectoryMerge.vbs','w');

// Script header: bind to the target OU; errors are ignored from here on.
fputs($FP,'
set RootDSE = GetObject("LDAP://RootDSE")
set Container = GetObject("LDAP://ou=Imports, ou=Users, ou=Floor, " & RootDSE.Get("defaultNamingContext"))
on Error Resume Next
err.Clear
');

// New accounts
$query_string = "Select * from Query";
$results = mssql_query($query_string);

while( $row = mssql_fetch_assoc($results) )
{
    $UserID = $row['UserID'];
    $Password = $row['Password'];
    $Username = $row['Username'];
    $PersonNumber = $row['PersonNumber'];
    $FirstName = $row['FirstName'];
    $LastName = $row['LastName'];
    $DomainName = $row['DomainName'];
    $Fileserver = $row['HostName'];
    $AccountInactive = $row['AccountInactive'];
    $FullName = $FirstName." ".$LastName;
    $UserPrincipal = $Username."@cdis.org";
    $UserObject = "WinNT://".$DomainName."/".$Username.",user";
    // UNC paths: \\<fileserver>.<domain>\<username> and ...\profiles\<username>
    $HomeDirectory = "\\\\".$Fileserver.".".$DomainName."\\".$Username;
    $ProfilePath = "\\\\".$Fileserver.".".$DomainName."\\profiles\\".$Username;

    // Create the user object in the container.
    fputs($FP,'
    set NewUser = Container.Create("User","cn='.$Username.'")
    NewUser.Put "sAMAccountName","'.$Username.'"
    ');
    // $StudentMail is not assigned anywhere in the posted excerpt.
    fputs($FP,'
    NewUser.Put "homeDirectory","'.$HomeDirectory.'"
    NewUser.Put "homeDrive","H:"
    NewUser.Put "profilePath","'.$ProfilePath.'"
    NewUser.Put "mail","'.$StudentMail.'"
    ');

    // Name attributes, commit, then set the password through the WinNT provider.
    fputs($FP,'
    NewUser.Put "name","'.$FullName.'"
    NewUser.Put "displayName","'.$FullName.'"
    NewUser.Put "givenName","'.$FirstName.'"
    NewUser.Put "sn","'.$LastName.'"
    NewUser.Put "userPrincipalName","'.$UserPrincipal.'"
    NewUser.SetInfo
    Set User = GetObject("'.$UserObject.'")
    Call User.SetPassword("'.$Password.'")
    ');

    if( $AccountInactive == 1 )
    {
        fputs($FP,'
        User.AccountDisabled = True
        ');
    }
    else
    {
        fputs($FP,'
        User.AccountDisabled = False
        ');
    }
    fputs($FP,'
    User.SetInfo
    WScript.Sleep 500
    ');
}

//Modified Accounts
$query_string = "Select * from Query";
$results = mssql_query($query_string);

while( $row = mssql_fetch_assoc($results) )
{
    $Password = $row['Password'];
    $Username = $row['Username'];
    $DomainName = $row['DomainName'];
    $AccountInactive = $row['AccountInactive'];

    $UserObject = "WinNT://".$DomainName."/".$Username.",user";

    // Reset the password on the existing account.
    fputs($FP,'
    Set User = GetObject("'.$UserObject.'")
    Call User.SetPassword("'.$Password.'")
    ');

    if( $AccountInactive == 1 )
    {
        fputs($FP,'
        User.AccountDisabled = True
        User.SetInfo
        WScript.Sleep 500
        ');
    }
    else
    {
        fputs($FP,'
        User.AccountDisabled = False
        User.SetInfo
        WScript.Sleep 500
        ');
    }
}

fclose($FP);

Post by volka »

Can't you access the remote server directly with PHP's LDAP functions, skipping this COM thing?

Post by NoReason »

Yes... and that is what I am doing. However,
I need to use ADSI in order to access the user passwords.

COM can use ADSI; I just need to figure out how to use it to connect to a remote server with the proper credentials that will allow me to bind to a user object, or create a new one.

Post by volka »

I meant accessing the LDAP server directly, without ADSI ;)

On the other hand, if you insist on using ADSI:

Platform SDK: Directory Services wrote:
If Kerberos authentication is required for the successful completion of a specific directory request, the binding string must use either a serverless ADsPath, such as "LDAP://CN=John Doe, CN=admin, DC=Fabrikam, DC=com", or it must use an ADsPath with a fully-qualified DNS server name, such as "LDAP://central3.corp.Fabrikam.com/CN=John Doe, CN=admin, DC=Fabrikam, DC=com". Binding to the server using a flat NETBIOS name or a short DNS name (e.g. using the short name "central3" instead of "central3.corp.Fabrikam.com") may or may not yield Kerberos authentication.

"or it must use an ADsPath with a fully-qualified DNS server name..." That's probably the part you're interested in.

Post by NoReason »

One catch with connecting via LDAP: LDAP can NOT modify or create new passwords. ADSI is a COM object that has the proper methods to do that.

Post by volka »

With an LDAP/128-bit SSL connection you can modify the AD-stored password.

Nevertheless, did you try the fully qualified name with the credentials in your Visual Basic application (without transferring it to the remote server)?
With the ODBC bridge you can easily access the MySQL database from VB.

AFAIK(!) there is nothing like GetObject (getting a reference to a running instance) in PHP; the new COM() construct always calls CreateInstance (almost the same as CreateObject in VB).

Post by NoReason »

Hurm, alrighty then... Do you have a list of instructions on how to create this secure 128 connection?

Any help would be greatly appreciated :)

Oh... and is the GetObject an undocumented function?
And yes, I have tried FQN with proper credentials.
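
The SSL-protected LDAP route volka describes, sketched with PHP's ldap extension as an added example (not code from the thread or from any poster). The host name, base DN, sample user and environment variable names are assumptions; the OU path is the one used in the posted script.

```php
<?php
// Added example, not code from the thread. Host, base DN, sample user and
// environment variable names are assumptions. Needs the ldap and iconv extensions.

// AD takes unicodePwd as the new password in double quotes, encoded as UTF-16LE.
function encodeUnicodePwd(string $password): string
{
    $encoded = iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
    if ($encoded === false) {
        throw new InvalidArgumentException('Password is not valid UTF-8');
    }
    return $encoded;
}

function resetAdPassword(string $host, string $bindDn, string $bindPw,
                         string $userDn, string $newPassword): void
{
    // Require a valid server certificate; set before the connection is created.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldaps:// with the fully-qualified DNS name, which must match the certificate.
    $conn = ldap_connect('ldaps://' . $host);
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        if (!@ldap_bind($conn, $bindDn, $bindPw)) {
            throw new RuntimeException('Bind failed: ' . ldap_error($conn));
        }
        // An administrative reset replaces unicodePwd; AD refuses it on an
        // unencrypted connection.
        $entry = ['unicodePwd' => encodeUnicodePwd($newPassword)];
        if (!@ldap_mod_replace($conn, $userDn, $entry)) {
            throw new RuntimeException('Reset failed: ' . ldap_error($conn));
        }
    } finally {
        ldap_unbind($conn);
    }
}

// Constructed sample values; secrets come from the environment, not the source.
if (PHP_SAPI === 'cli' && getenv('AD_BIND_DN') !== false) {
    $userDn = 'CN=' . ldap_escape('jdoe', '', LDAP_ESCAPE_DN)
            . ',OU=Imports,OU=Users,OU=Floor,DC=corp,DC=example,DC=com';
    resetAdPassword('dc1.corp.example.com', getenv('AD_BIND_DN'),
        (string) getenv('AD_BIND_PW'), $userDn, (string) getenv('AD_NEW_PW'));
}
```

The bind account needs the reset-password right on the target user, and the domain controller must present a certificate the PHP host trusts.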