LDAPv3 Authenticating to Active Directory (Part IV)


-- Editing Your New Schema --

In my last section a new attribute was created, added to the schema, and then associated with the user class, thereby extending the user class with a new property. This property can then be modified using ADSI Edit. For a test rig this is doable, but ADSI Edit doesn't scale when it comes to managing multiple properties (like the ones we'll be using when setting up home directories), nor is it something administrators will want to deal with when setting up multiple accounts. As it turns out, there is a better way, and it's one that will enable you to make your own custom account creation pages. What I'm presenting here is a starting point from which you can build your custom user page. If I ever get around to writing these pages for my own group I may publish them here as part of a new section, since I may have found a better way than what I'm about to present here.

-- How It's Done --

Say what you will about Microsoft, but one of the nice things they give you is integration of their products (whether they work is another issue). So it's rather interesting to find that in addition to ADSI Edit there are programming interfaces which can also extend the schema and modify its attributes. Visual Basic is one such programming language that can take advantage of the interface. It so happens that ASP (Active Server Pages, Microsoft's answer to PHP, Perl, and any other server-side language) is actually a subset of Visual Basic for web-based applications. Guess what? You can write an ASP that will let you use your web browser (I've only tested this on IE for Mac and PC, but others may also work) to edit Active Directory entries securely. There is some preparation we must do first.

-- Setting up IIS --

I'm assuming IIS is up and running. I believe it's a standard install option with any setup of a Windows 2000 server.

  1. Open the Internet Information Services administration tool (Programs -> Administrative Tools).
  2. Open the server object, then the Default Web Site object (this is just for testing; you should probably be using something other than the Default Web Site for production).
  3. Create a new virtual directory by right-clicking on the computer/server object and selecting New -> Virtual Directory. This will launch the VD Wizard (sounds contagious, doesn't it?).
  4. Enter an alias (I used 'schema') and a directory path to where the web pages will be stored (I used a local folder I had created on the drive: C:\data\schema).
  5. Get properties on this VD, click the Directory Security tab, and click the Edit button for "Anonymous access and authentication control". Uncheck everything (like anonymous access) except for the last option, "Integrated Windows authentication", which is fancy speak for your domain login. You may also need to set Execute Permissions to at least "Scripts Only" on the Virtual Directory tab.
  6. In Computer Management, find the web server's computer object and get properties. This will be in the Computers container unless you're running this on a domain controller, in which case the computer object will be under the Domain Controllers container.
  7. Make sure "Trust computer for delegation" is checked. If the machine you're running this on is a DC then this should already be checked.

-- Making the ASP --

I'm not going to go into too much detail on how this ASP works. I'll point out a few things to get it set up, but I'm not here to teach anyone Visual Basic programming. In short, open the directory your 'schema' VD is targeted at and create a text document. Open that text document and paste this into it:

<%

' This script lets you set any user attribute stored in
' an LDAP directory through a Web-based form by entering
' a user's CN, the attribute's name, and the attribute's value.

' Read the three form fields; all are empty on the first visit to the page.
strUserCN = request.form("cn")
strUserProp = request.form("property")
strPropNewValue = request.form("newvalue")

' Debug output; appears above the page that follows.
response.write "CN= " & strUserCN

if strUserCN="" then
' No CN yet: render the input form, which posts back to this same page.
response.write "<html><head><title>Update Form</title></head><body>"
response.write "<center><h1>Web Update Form</h1></center>"
response.write "<hr><br><br><form method=post action=putscript.asp><table>"
response.write "<tr><td>CN: </td><td><input type=text name=cn></td></tr>"
response.write "<tr><td>Property Name: </td><td><input type=text name=property value='wwwHomePage'></td></tr>"
response.write "<tr><td>New Value: </td><td><input type=text name=newvalue></td></tr>"
response.write "<tr><td colspan=2 align=center><input type=submit value='Change Value'></td></tr>"
response.write "</table></form></body></html>"
response.end
else

'BEGIN CALLOUT A
' Bind to the user object by its distinguished name and stage the new value in the local cache.
set obj = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=absynthespad,DC=com")
obj.Put strUserProp, strPropNewValue
'END CALLOUT A

'BEGIN CALLOUT B
' Commit the cached change to Active Directory.
obj.SetInfo
'END CALLOUT B

response.write "<html><head><title>Results</title></head><body><center><h1>Update Results</h1></center><hr><br><br>"
response.write strUserProp & " for user: " & strUserCN & " was successfully updated with the new value: " & strPropNewValue & "</body></html>"
response.end
end if
%>

Save the file and rename it to putscript.asp. Reopen the file and edit the line that looks like this:

set obj = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=absynthespad,DC=com")

What you need to change is the part that reads CN=Users,DC=absynthespad,DC=com. You'll need to modify this for your setup by changing DC=absynthespad,DC=com to match whatever domain you have, possibly adding additional DC components or even OUs to make it work.

-- What Does Putscript.asp Do? --

Putscript.asp is an active server page I found at a great website called WindowsWebSolutions. For some odd reason all their code snippets seem to lack certain pieces needed to make them work. Don't worry, my code snippet is complete. So let's break this ASP down a bit.

' Read the three form fields; all are empty on the first visit to the page.
strUserCN = request.form("cn")
strUserProp = request.form("property")
strPropNewValue = request.form("newvalue")

response.write "CN= " & strUserCN

if strUserCN="" then
' No CN yet: render the input form, which posts back to this same page.
response.write "<html><head><title>Update Form</title></head><body>"
response.write "<center><h1>Web Update Form</h1></center>"
response.write "<hr><br><br><form method=post action=putscript.asp><table>"
response.write "<tr><td>CN: </td><td><input type=text name=cn></td></tr>"
response.write "<tr><td>Property Name: </td><td><input type=text name=property value='wwwHomePage'></td></tr>"
response.write "<tr><td>New Value: </td><td><input type=text name=newvalue></td></tr>"
response.write "<tr><td colspan=2 align=center><input type=submit value='Change Value'></td></tr>"
response.write "</table></form></body></html>"
response.end
else

This part simply sets up a few variables and then writes out a web page to display the input form. The key part to notice here is the check on strUserCN. The way this ASP works is that the first time it's run strUserCN is blank, so you get the web form. After you fill it out and click the "Change Value" button, putscript.asp is executed again, but with the form field values submitted along with it. Now when strUserCN is checked it's no longer "" and thus the second half of this ASP executes.

'BEGIN CALLOUT A
' Bind to the user object by its distinguished name and stage the new value in the local cache.
set obj = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=absynthespad,DC=com")
obj.Put strUserProp, strPropNewValue
'END CALLOUT A

'BEGIN CALLOUT B
' Commit the cached change to Active Directory.
obj.SetInfo
'END CALLOUT B

response.write "<html><head><title>Results</title></head><body><center><h1>Update Results</h1></center><hr><br><br>"
response.write strUserProp & " for user: " & strUserCN & " was successfully updated with the new value: " & strPropNewValue & "</body></html>"
response.end
end if

I don't know the whole story behind this part, but it appears an object is created using the GetObject command. Next, the property and value you entered into the form are set up using the obj.Put command. Finally, the data is sent back to LDAP for updating using the obj.SetInfo command. The rest of the code just displays a web page confirming the update.

This code is not the best, as it clearly does NO error checking on the LDAP object created, nor does it handle non-existent LDAP properties very well. If you are running IE on a PC with debugging enabled, you'll find yourself dropped into the script debugger if you enter a non-existent property name. One other problem: some Active Directory properties have additional rules concerning what types of values they can accept. If you try to set a field that only accepts numbers to a value of 'Five', you also drop into the debugger. Lastly, this script will not create the user account; it can only modify attributes of a pre-existing one.
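For readers who want to address those limitations, here is a hardened variant of the update half of putscript.asp. It is an added example written for this page, not the WindowsWebSolutions snippet or the author's own code; it assumes the original form (fields cn, property, newvalue) posts to it and the article's base DN, and the attribute allow list is a constructed example to adapt to your schema.

```vbscript
<%
Option Explicit
' Hardened update half of putscript.asp (added example). Expects the same form
' fields as the original page; the base DN is the article's and must be changed.
' Escape the characters RFC 4514 reserves inside a DN component, so a CN that
' contains a comma or equals sign cannot alter the rest of the LDAP path.
Function EscapeDN(s)
    Dim t, i, c
    t = Replace(s, "\", "\\")
    For i = 1 To Len(",+""<>;=")
        c = Mid(",+""<>;=", i, 1)
        t = Replace(t, c, "\" & c)
    Next
    If Left(t, 1) = " " Or Left(t, 1) = "#" Then t = "\" & t
    If Right(t, 1) = " " Then t = Left(t, Len(t) - 1) & "\ "
    EscapeDN = t
End Function
' Allow list of attributes this page may write (constructed example list).
Function AllowedProperty(p)
    Select Case LCase(p)
        Case "wwwhomepage", "department", "telephonenumber"
            AllowedProperty = True
        Case Else
            AllowedProperty = False
    End Select
End Function
Dim strUserCN, strUserProp, strPropNewValue, obj
strUserCN = Request.Form("cn")
strUserProp = Request.Form("property")
strPropNewValue = Request.Form("newvalue")
If strUserCN = "" Or Not AllowedProperty(strUserProp) Then
    Response.Write "<p>Refused: CN missing or attribute not on the allow list.</p>"
    Response.End
End If
On Error Resume Next   ' check Err after each ADSI call instead of dropping into the debugger
Set obj = GetObject("LDAP://CN=" & EscapeDN(strUserCN) & ",CN=Users,DC=absynthespad,DC=com")
If Err.Number <> 0 Then
    Response.Write "<p>User not found: " & Server.HTMLEncode(strUserCN) & "</p>"
    Response.End
End If
obj.Put strUserProp, strPropNewValue
obj.SetInfo   ' type and schema violations (e.g. 'Five' in a numeric field) fail here
If Err.Number <> 0 Then
    Response.Write "<p>Update failed: " & Server.HTMLEncode(Err.Description) & "</p>"
Else
    Response.Write "<p>" & Server.HTMLEncode(strUserProp) & " updated for " & Server.HTMLEncode(strUserCN) & "</p>"
End If
%>
```

Because the VD uses Integrated Windows authentication with delegation, the LDAP bind still runs as the browsing user, so Active Directory's own ACLs on the target object continue to apply on top of the allow list.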

-- Making It Work --

Let's say everything is up and running. How do you use the page you just made? Well, open up your web browser and point it at the page you just created on your IIS server. Since my test rig is Lilith in the domain AbsynthesPad.com and my VD has an alias of 'schema', my URL (this is my URL, not yours) was:

http://lilith.absynthespad.com/schema/putscript.asp

With the script running, all I needed was an Active Directory account, a property to change, and a value to set it to. Simple. Now, this isn't how you would administer a server, but with some expansions and proper error checking this form can easily be used to create user accounts for PC and Mac users. Repeated values could be filled in automatically, and some fields could be locked into popup menus, thereby minimizing the possibility of misspelling a department name. Hopefully I'll get an ASP posted later that has enough features that you can use it to administer your OS X (or even PC) users in Active Directory. Anyone wanting to venture off on their own should definitely check out the WindowsWebSolutions site, which has additional ASP code snippets for reading values out of AD.

Email: Chuck Simciak