
COM + USERS

Posted: Thu Oct 30, 2003 6:45 pm
by NoReason
Has anyone tried to use the COM support to manage users on Active Directory servers?

It should be possible; however, I am having issues with authentication when trying to instantiate a new user object via:

COM("http://domain/Username,user")

Re: COM + USERS

Posted: Thu Oct 30, 2003 11:14 pm
by BDKR
NoReason wrote: Has anyone tried to use the COM support to manage users on Active Directory servers?

It should be possible; however, I am having issues with authentication when trying to instantiate a new user object via:

COM("http://domain/Username,user")
I think phpbuilder.com had an article on this. You may want to take a look over there some time.

Cheers,
BDKR

Posted: Fri Oct 31, 2003 1:19 pm
by NoReason
Yes, there is an article on COM, but it only deals with Word and Excel objects located on your local system.
As of yet there is nothing about accessing a domain user object...
DCOM is available, but I'm sure I would have the same issue.. credentials

Posted: Fri Oct 31, 2003 1:35 pm
by volka
Do you have a working example of this in any other language?

Posted: Fri Oct 31, 2003 1:40 pm
by NoReason
In VB, yes.
But the catch is, the scripts are being transferred via SSH to the remote server to be executed.

I was hoping to avoid the SSH piece and do direct user account manipulation via COM().

Posted: Fri Oct 31, 2003 1:41 pm
by volka
Please post the VB code (the important parts ;) )
Transferred via SSH? You mean scp-ing the code and executing it there?

Posted: Fri Oct 31, 2003 1:59 pm
by NoReason
Yes..
Using OpenSSH for Windows to do the transfers.

Here is some of the code. It's PHP that creates a VB file which is then scp'd to the remote AD server, then executed via SSH.


<?php
// $_mssql is assumed to be a config array (Hostname, Username, Password, Database) defined
// elsewhere; the post does not show it. The mssql_* functions were removed in PHP 7.
mssql_connect($_mssql["Hostname"], $_mssql["Username"], $_mssql["Password"]) or die("Connection Failed To Respond.");
mssql_select_db($_mssql["Database"]) or die("DataBase Not Found");

// The generated .vbs ends up holding every user's password in clear text on disk.
$FP = fopen('C:\Admin Scripts\ActiveDirectory\ScriptToRun\ActiveDirectoryMerge.vbs', 'w');

// "On Error Resume Next" makes the script carry on past a failed Create/SetPassword without reporting it.
fputs($FP, '
set RootDSE = GetObject("LDAP://RootDSE")
set Container = GetObject("LDAP://ou=Imports, ou=Users, ou=Floor, " & RootDSE.Get("defaultNamingContext"))
on Error Resume Next
err.Clear
');

// New accounts ("Query" is the placeholder table name used in the post)
$query_string = "Select * from Query";
$results = mssql_query($query_string);

while ($row = mssql_fetch_assoc($results))
{
  $UserID          = $row['UserID'];
  $Password        = $row['Password'];
  $Username        = $row['Username'];
  $PersonNumber    = $row['PersonNumber'];
  $FirstName       = $row['FirstName'];
  $LastName        = $row['LastName'];
  $DomainName      = $row['DomainName'];
  $Fileserver      = $row['HostName'];
  $AccountInactive = $row['AccountInactive'];
  $FullName        = $FirstName." ".$LastName;
  $UserPrincipal   = $Username."@cdis.org";
  $StudentMail     = $UserPrincipal; // assumed: the post never defines $StudentMail
  $UserObject      = "WinNT://".$DomainName."/".$Username.",user";
  // UNC paths: in a double-quoted PHP string "\\\\" is \\ and "\\" is \ (the original was entity-mangled)
  $HomeDirectory   = "\\\\".$Fileserver.".".$DomainName."\\".$Username;
  $ProfilePath     = "\\\\".$Fileserver.".".$DomainName."\\profiles\\".$Username;
  // Note: the values are spliced into VBScript string literals unescaped; a double quote in any field breaks the script.

  fputs($FP, '
  set NewUser = Container.Create("User","cn='.$Username.'")
  NewUser.Put "sAMAccountName","'.$Username.'"
  ');
  fputs($FP, '
  NewUser.Put "homeDirectory","'.$HomeDirectory.'"
  NewUser.Put "homeDrive","H:"
  NewUser.Put "profilePath","'.$ProfilePath.'"
  NewUser.Put "mail","'.$StudentMail.'"
  ');

  fputs($FP, '
  NewUser.Put "name","'.$FullName.'"
  NewUser.Put "displayName","'.$FullName.'"
  NewUser.Put "givenName","'.$FirstName.'"
  NewUser.Put "sn","'.$LastName.'"
  NewUser.Put "userPrincipalName","'.$UserPrincipal.'"
  NewUser.SetInfo
  Set User = GetObject("'.$UserObject.'")
  Call User.SetPassword("'.$Password.'")
  ');

  if ($AccountInactive == 1)
  {
    fputs($FP, '
    User.AccountDisabled = True
    ');
  }
  else
  {
    fputs($FP, '
    User.AccountDisabled = False
    ');
  }
  fputs($FP, '
  User.SetInfo
  WScript.Sleep 500
  ');
}

// Modified accounts (the post uses the same placeholder query here)
$query_string = "Select * from Query";
$results      = mssql_query($query_string);

while ($row = mssql_fetch_assoc($results))
{
  $Password        = $row['Password'];
  $Username        = $row['Username'];
  $DomainName      = $row['DomainName'];
  $AccountInactive = $row['AccountInactive'];

  $UserObject = "WinNT://".$DomainName."/".$Username.",user";

  fputs($FP, '
  Set User = GetObject("'.$UserObject.'")
  Call User.SetPassword("'.$Password.'")
  ');

  if ($AccountInactive == 1)
  {
    fputs($FP, '
    User.AccountDisabled = True
    User.SetInfo
    WScript.Sleep 500
    ');
  }
  else
  {
    fputs($FP, '
    User.AccountDisabled = False
    User.SetInfo
    WScript.Sleep 500
    ');
  }
}

fclose($FP);
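The generator above splices database values straight into VBScript string literals, so a surname or display name containing a double quote (or a line break) changes the meaning of the generated script. The following is an added example, not code from the post, showing how the same `Put` lines can be emitted with every value escaped as a proper VBScript literal; the helper names `vbs_literal` and `vbs_put` and the sample row are constructed for illustration.

```php
<?php
// Added example (not from the post): emit ADSI "Put" statements with escaped values.

// Return a VBScript string literal for $value. VBScript escapes a double quote inside a
// literal by doubling it. CR/LF and other control characters would terminate the statement
// and cannot be escaped inside a literal, so they are rejected outright.
function vbs_literal(string $value): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control character in value for VBScript literal');
    }
    return '"' . str_replace('"', '""', $value) . '"';
}

// Emit one "<object>.Put <attribute>, <value>" line with both operands escaped.
function vbs_put(string $object, string $attribute, string $value): string
{
    return $object . '.Put ' . vbs_literal($attribute) . ', ' . vbs_literal($value) . "\n";
}

// Constructed sample row (not real directory data). The surname contains a double quote,
// which the unescaped generator would turn into a syntax error or a different statement.
$row = [
    'Username'  => 'obrien',
    'FirstName' => 'Pat',
    'LastName'  => 'O"Brien',
];

$script  = vbs_put('NewUser', 'sAMAccountName', $row['Username']);
$script .= vbs_put('NewUser', 'givenName', $row['FirstName']);
$script .= vbs_put('NewUser', 'sn', $row['LastName']);
$script .= vbs_put('NewUser', 'displayName', $row['FirstName'] . ' ' . $row['LastName']);

// A value with an embedded newline is refused rather than written into the script.
try {
    vbs_put('NewUser', 'description', "line one\nWScript.Echo \"not a description\"");
} catch (InvalidArgumentException $e) {
    $script .= "' skipped description: " . $e->getMessage() . "\n";
}

echo $script;
```

Because the emitted script is interpreted as code on the domain controller, treat every field from the database as untrusted input to a code generator, and keep the rejection strict rather than trying to repair odd values.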

Posted: Fri Oct 31, 2003 2:29 pm
by volka
Can't you access the remote server directly with PHP's LDAP functions, skipping this COM thing?

Posted: Fri Oct 31, 2003 3:30 pm
by NoReason
Yes... and that is what I am doing... however..
I need to use ADSI in order to access the user passwords.

COM can use ADSI, I just need to figure out how to use it to connect to a remote server with the proper credentials that will allow me to bind to a user object, or create a new one.

Posted: Fri Oct 31, 2003 4:15 pm
by volka
I meant accessing the LDAP server directly, without ADSI ;)

On the other hand, if you insist on using ADSI:
Platform SDK: Directory Services wrote: If Kerberos authentication is required for the successful completion of a specific directory request, the binding string must use either a serverless ADsPath, such as "LDAP://CN=John Doe, CN=admin, DC=Fabrikam, DC=com", or it must use an ADsPath with a fully-qualified DNS server name, such as "LDAP://central3.corp.Fabrikam.com/CN=John Doe, CN=admin, DC=Fabrikam, DC=com". Binding to the server using a flat NETBIOS name or a short DNS name (e.g. using the short name "central3" instead of "central3.corp.Fabrikam.com") may or may not yield Kerberos authentication.
"or it must use an ADsPath with a fully-qualified DNS server name..." that's probably the part you're interested in.

Posted: Sat Nov 01, 2003 2:53 pm
by NoReason
One catch with connecting via LDAP: LDAP can NOT modify or create new passwords. ADSI is a COM object that has the proper methods to do that.

Posted: Sat Nov 01, 2003 3:36 pm
by volka
With an LDAP/128-bit SSL connection you can modify the AD-stored password.

Nevertheless, did you try the fully qualified name with the credentials in your Visual Basic application (without transferring it to the remote server)?
With the ODBC bridge you can easily access the MySQL database from VB.

AFAIK(!) there is nothing like GetObject (getting a reference to a running instance) in PHP; the new COM() construct always calls CreateInstance (almost the same as CreateObject in VB).
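The LDAP-over-SSL password change volka refers to can be done from PHP's own LDAP extension without COM or ADSI. Active Directory accepts writes to the `unicodePwd` attribute only over an encrypted connection, and the value must be the new password wrapped in double quotes and encoded as UTF-16LE. The following is an added example, not code from the thread; the host name, bind DN, user DN and environment variable are placeholders, and `ad_unicode_pwd` / `ad_set_password` are names chosen here.

```php
<?php
// Added example (not from the thread): reset an AD user's password over LDAPS from PHP.

// AD expects unicodePwd as the password in double quotes, encoded UTF-16LE.
function ad_unicode_pwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Bind as a provisioning account and replace the user's unicodePwd.
// Returns true on success; on failure the LDAP error text is stored in $error.
function ad_set_password(string $host, string $bindDn, string $bindPw,
                         string $userDn, string $newPw, ?string &$error = null): bool
{
    // ldaps:// (port 636). A plain ldap:// connection is refused by AD for this attribute.
    $ds = ldap_connect('ldaps://' . $host);
    if ($ds === false) {
        $error = 'invalid LDAP URI';
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break writes

    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        $error = ldap_error($ds);
        ldap_unbind($ds);
        return false;
    }

    // Replace, not add: an administrative reset supplies only the new value.
    $ok = @ldap_mod_replace($ds, $userDn, ['unicodePwd' => [ad_unicode_pwd($newPw)]]);
    if (!$ok) {
        $error = ldap_error($ds);   // e.g. a policy violation on complexity or history
    }
    ldap_unbind($ds);
    return $ok;
}

// Placeholder names; the provisioning password is read from the environment rather than
// written into a script file.
$error = null;
$ok = ad_set_password(
    'dc1.example.com',
    'CN=svc-provision,OU=Service,DC=example,DC=com',
    getenv('PROV_PW') ?: '',
    'CN=jdoe,OU=Imports,OU=Users,OU=Floor,DC=example,DC=com',
    'N3w-Passw0rd!',
    $error
);
echo $ok ? "password set\n" : "failed: $error\n";
```

The client side's certificate checking is governed by the system LDAP configuration (for OpenLDAP-based builds, `TLS_CACERT` in ldap.conf); point it at the CA that issued the domain controller's certificate rather than disabling verification, otherwise the encrypted channel does nothing against an impersonating server. The bind account needs only "Reset password" rights on the target OU, not domain admin.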

Posted: Mon Nov 03, 2003 4:26 pm
by NoReason
Hurm, alrighty then... Do you have a list of instructions on how to create this secure 128 connection?

Any help would be greatly appreciated :)

Oh.. and is GetObject an undocumented function?
And yes, I have tried the FQN with proper credentials.