20041014 mixing metaphors ldap and adsi at work - plembo/onemoretech GitHub Wiki
title: Mixing Metaphors: LDAP and ADSI at work link: https://onemoretech.wordpress.com/2004/10/14/mixing-metaphors-ldap-and-adsi-at-work/ author: lembobro description: post_id: 759 created: 2004/10/14 03:06:00 created_gmt: 2004/10/14 03:06:00 comment_status: open post_name: mixing-metaphors-ldap-and-adsi-at-work status: publish post_type: post
Mixing Metaphors: LDAP and ADSI at work
I just finished writing a CGI to provide a barebones web based password reset facility for Active Directory as a backup to my group’s “approved” COTS solution. Working with ADSI through Perl’s Win32::OLE module was a challenge. For now the code I’ll be posting here will provide a standby capability for production. If I have time later on I’d like to eliminate the Win32::OLE pieces altogether and do everything with Net::LDAP. That won’t be possible until SSL is enabled in our Active Directory environment, something that probably won’t be entertained by the Windows engineering team until next year.
So, without further ado, here is the code:
`
#!perl -w
# adpassreset.cgi Reset Active Directory passwords
# 10/1/04 by P Lembo
# Give choice of unlocking, forcing or both (default)
use strict;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use URI::URL;
use Net::LDAP;
use Net::LDAP::Entry;
use Win32::OLE;
$Win32::OLE::Warn = 3;    # report OLE/ADSI failures instead of silently ignoring them
#
my $q = CGI->new;
#
# Hosts, base DNs and the service-account credentials come from the config
# file as package globals, hence the "our" declaration after the require.
require "../etc/ldapapp.conf";
our ($adsTestHost, $adsQualHost, $adsProdHost, $adsTestPath,
     $adsQualPath, $adsProdPath, $adsUsr, $adsPass);
# Forced to strings, so an unset config value becomes '' (with a warning)
# rather than undef.
my @adshosts = map { "$_" } ($adsTestHost, $adsQualHost, $adsProdHost);
my @adsbases = map { "$_" } ($adsTestPath, $adsQualPath, $adsProdPath);
# NOTE(review): a fixed reset password is known to everyone who has read
# this file or seen one reset; a per-reset random value with "must change
# at next logon" would remove that exposure.
my $newpass = 'yellow';
my $webhost = 'localhost';
my $webport = '80';
#
# Dispatch on which submit button was pressed; the entry form is the default.
my $handler = $q->param('Review')        ? \&give_status
            : $q->param('Reset Account') ? \&reset_user
            :                              \&show_main;
$handler->($q);
#
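sub show_main {
    # Step 1 of the flow: the entry form.  Offers the configured servers
    # and base DNs as drop-downs plus a user-ID field, and posts back to
    # this script via the "Review" button.  Reads the file-level CGI
    # object $q and @adshosts/@adsbases; a CGI object passed by the caller
    # is used in preference when given.
    my ($cgi) = @_;
    $cgi = $q unless defined $cgi;

    print $cgi->header;
    print $cgi->start_html(
        -title => 'Active Directory Account Reset',
        -style => { 'src' => '/styles/ldapadmin.css' },
    );
    print $cgi->h1('Active Directory Account Reset');

    my $action = $cgi->url;
    print $cgi->start_form(-method => 'POST', -action => $action);

    # The value lists must be passed by reference: a bare @array here is
    # flattened into the named-argument list, and CGI.pm then sees only
    # the first element as the -values entry.
    print $cgi->h4('Select Server');
    print $cgi->popup_menu(-name => 'adshost', -values => \@adshosts);

    print $cgi->h4('Choose Domain');
    print $cgi->popup_menu(-name => 'adsbase', -values => \@adsbases);

    print $cgi->h4('Enter User ID');
    print $cgi->textfield(-name => 'userid', -size => 5);

    print $cgi->p();
    print $cgi->submit('Review');
    print $cgi->reset('Cancel');
    print $cgi->end_form;

    print $cgi->p();
    print $cgi->a({ -href => '/acctadmin/index.html' },
                  'Back To Active Directory Tools');
    print $cgi->end_html();
    return;
} # main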
#
#
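sub give_status {
    # Step 2 of the flow: look the requested account up over LDAP, display
    # what was found, read the ADSI disabled/locked flags for a single
    # match, and offer the "Reset Account" button that leads to reset_user.
    #
    # Every form parameter is client-controlled.  The server and base DN
    # are accepted only if they appear in the configured @adshosts /
    # @adsbases (otherwise the service credentials would be sent to a
    # caller-chosen host), the user ID is escaped before it is interpolated
    # into the search filter, and values echoed into the page are
    # HTML-escaped.  Directory errors are logged with warn (CGI::Carp
    # timestamps them in the server log) and reported generically.
    my ($cgi) = @_;
    $cgi = $q unless defined $cgi;

    print $cgi->header(-charset => 'UTF-8');
    print $cgi->start_html(
        -title => 'Active Directory Account Reset',
        -style => { 'src' => '/styles/ldapadmin.css' },
    );
    print $cgi->h1('Active Directory Account Reset');
    print $cgi->h3('Confirm User Information');

    my $action = $cgi->url;
    print $cgi->start_form(-method => 'POST', -action => $action);

    my $adshost = $cgi->param('adshost');
    my $adsbase = $cgi->param('adsbase');
    my $userid  = $cgi->param('userid');

    my $host_ok = defined $adshost && grep { $_ eq $adshost } @adshosts;
    my $base_ok = defined $adsbase && grep { $_ eq $adsbase } @adsbases;
    if (!$host_ok || !$base_ok || !defined $userid || $userid eq '') {
        print $cgi->h4('Unknown server or domain, or no user ID given');
        _finish_status_page($cgi);
        return;
    }

    print $cgi->hidden(-name => 'adshost', -value => $adshost);
    print $cgi->hidden(-name => 'adsbase', -value => $adsbase);
    print $cgi->hidden(-name => 'userid',  -value => $userid);

    print $cgi->p('Working on ' . $cgi->escapeHTML($adshost));
    print $cgi->p($cgi->escapeHTML($adsbase));

    # Qualify the configured service account with the chosen base to form
    # the bind DN; kept in a lexical so the global $adsUsr is not rewritten.
    my $binddn = "$adsUsr,$adsbase";
    my $safeid = _ldap_filter_escape($userid);
    my $filter = "(|(samaccountname=$safeid)(cn=$safeid))";
    my @attrs  = qw(displayname cn userprincipalname samaccountname);

    # Net::LDAP->new returns undef (and sets $@) when the connection fails.
    my $ldap = Net::LDAP->new($adshost, version => 3);
    if (!defined $ldap) {
        warn "Net::LDAP->new($adshost) failed: $@";
        print $cgi->h4('Could not connect to the directory server');
        _finish_status_page($cgi);
        return;
    }

    my $mesg = $ldap->bind($binddn, password => $adsPass);
    if ($mesg->code) {
        warn "LDAP bind to $adshost as $binddn failed: " . $mesg->error;
        print $cgi->h4('Directory bind failed');
        $ldap->unbind;
        _finish_status_page($cgi);
        return;
    }

    $mesg = $ldap->search(
        base   => $adsbase,
        scope  => 'sub',
        filter => $filter,
        attrs  => \@attrs,    # must be a reference, not a flattened list
    );

    if ($mesg->code) {
        warn "LDAP search on $adshost for $filter failed: " . $mesg->error;
        print $cgi->h4('Directory search failed');
    }
    elsif ($mesg->count < 1) {
        print $cgi->h4('No results returned!');
    }
    elsif ($mesg->count > 1) {
        print $cgi->p('Please choose from one of the entries listed and retry');
        while (my $entry = $mesg->shift_entry) {
            my $userdn      = $entry->dn;
            my $displayname = _first_value($entry, 'displayname');
            print $cgi->p('**' . $cgi->escapeHTML($userdn) . '**');
            print $cgi->p('UserID: ' . $cgi->escapeHTML($userid), $cgi->br,
                          'Full Name: ' . $cgi->escapeHTML($displayname));
        }
    }
    else {
        my $entry             = $mesg->shift_entry;
        my $userdn            = $entry->dn;
        my $cn                = _first_value($entry, 'cn');
        my $displayname       = _first_value($entry, 'displayname');
        my $userprincipalname = _first_value($entry, 'userprincipalname');

        # These hidden fields come back from the browser on the next
        # request, so reset_user must treat them as untrusted input and
        # not as proof that this lookup took place.
        print $cgi->hidden(-name => 'userdn',            -value => $userdn);
        print $cgi->hidden(-name => 'cn',                -value => $cn);
        print $cgi->hidden(-name => 'displayname',       -value => $displayname);
        print $cgi->hidden(-name => 'userprincipalname', -value => $userprincipalname);
        print $cgi->p('**' . $cgi->escapeHTML($userdn) . '**');
        print $cgi->p('UserID: ' . $cgi->escapeHTML($userid), $cgi->br,
                      'Full Name: ' . $cgi->escapeHTML($displayname));

        # Bind with ADSI as the service account to read the account flags;
        # the trailing 1 is the ADS_SECURE_AUTHENTICATION flag.  With
        # $Win32::OLE::Warn set at file level an ADSI failure is reported
        # rather than silently ignored.
        my $ldapObj = Win32::OLE->GetObject('LDAP:');
        my $usrObj  = $ldapObj->OpenDSObject("LDAP://$adshost/$userdn",
                                             $binddn, $adsPass, 1);

        if ($usrObj->AccountDisabled == 1) {
            print $cgi->p('**Account is disabled**, contact System Administrator');
        }
        if ($usrObj->{IsAccountLocked} == 1) {
            print $cgi->p('Account is locked, reset will unlock');
        }
        else {
            print $cgi->p('Account not locked');
        }
        print $cgi->p();
        print $cgi->submit('Reset Account');
        print $cgi->reset('Cancel');
    }
    $ldap->unbind;
    _finish_status_page($cgi);
    return;
} # status

# First value of $attr on $entry, or '' when the attribute is absent, so
# it can be interpolated and placed in a hidden field without warnings.
sub _first_value {
    my ($entry, $attr) = @_;
    my $value = $entry->get_value($attr);
    return defined $value ? $value : '';
}

# Escape a value for use inside an LDAP search filter (RFC 4515): the
# characters \ * ( ) and NUL become \XX hex escapes, so user input cannot
# change the structure of the filter it is interpolated into.
sub _ldap_filter_escape {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/([\\\*\(\)\x00])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# Common tail of the status page: close the form and print the nav links.
sub _finish_status_page {
    my ($cgi) = @_;
    print $cgi->end_form;
    print $cgi->p();
    print $cgi->a({ -href => '/acctadmin/adacctreset.cgi' }, 'Try Again');
    print $cgi->p();
    print $cgi->a({ -href => '/acctadmin/index.html' }, 'Back To Help Desk Tools');
    print $cgi->end_html;
    return;
}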
#
sub reset_user {
print $q->header(-charset=>’UTF-8′);
print $q->start_html(-title=>’Active Directory Account Reset’,
-style=>{’src’=>’/styles/ldapadmin.css’}
);
#
print $q->h1(”Active Directory Account Reset”);
print $q->h3(”Confirming Changes”);
#
my $adshost = $q->param(’adshost’);
my $adsbase = $q->param(’adsbase’);
my $userdn = $q->param(’userdn’);
my $cn = $q->param(’cn’);
my $displayname = $q->param(’displayname’);
my $userprincipalname = $q->param(’userprincipalname’);
#
print $q->p(”Working on $adshost”);
print “**$userdn**
n”;
print “$displayname
n”;
$adsUsr = “$adsUsr,$adsbase”;
#
# Bind using ADSI to reset password
my $ldapObj = Win32::OLE->GetObject(’LDAP:’);
my $usrObj = $ldapObj->OpenDSObject(”LDAP://$adshost/$userdn”,”$adsUsr”, “$adsPass”, 1);
# Check for disabled account
if ($usrObj->AccountDisabled == 1) {
Copyright 2004-2019 Phil Lembo