How to check for group membership in windows?

Apologies if this is too off-topic, but I can’t think of where else to
start looking. I need to test for group membership on windows in a ruby
program. I’ve got some authentication code working just fine:

require 'dl/win32'

LOGON32_LOGON_NETWORK = 3
LOGON32_PROVIDER_DEFAULT = 0
BOOL_SUCCESS = 1
AdvApi32 = DL.dlopen('advapi32')
Kernel32 = DL.dlopen('kernel32')

def authenticate_user_from_windows(username, password, domain)
  # Load the DLL functions
  # LogonUser(LPTSTR, LPTSTR, LPTSTR, DWORD, DWORD, PHANDLE) -> BOOL
  logon_user = AdvApi32['LogonUser', 'ISSSIIp']
  # CloseHandle(HANDLE) -> BOOL
  close_handle = Kernel32['CloseHandle', 'IL']

  # Normalize username and domain
  username = username.strip.downcase
  domain = domain.strip.downcase

  # Authenticate user; ptoken is a 4-byte buffer that receives the HANDLE
  ptoken = "\0" * 4
  r, rs = logon_user.call(username, domain, password,
                          LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ptoken)
  success = (r == BOOL_SUCCESS)

  # Close impersonation token
  token = ptoken.unpack('L')[0]
  close_handle.call(token)
  return success
end

and now I need some authorization help. I’ve been browsing msdn for
hours to no avail; can anyone point me in the right direction? Merci.

Also, in the code above, should close_handle.call(token) be invoked in
an ensure block if logon_user.call failed for some reason, or would that
imply the ptoken object doesn’t need to be cleaned up?

  • donald

…where else to start looking. I need to test for group membership on
windows in a ruby program. I’ve got some authentication code working just
fine:

If you need to be querying group memberships out of AD, then
look at the Net::LDAP library on rubyforge.

Is Net::LDAP preferred over Ruby/LDAP? There are some AD-specific
authentication projects on RubyForge, but they all seem to be using
Ruby/LDAP. Far be it from me to be able to discern the better library.
:slight_smile:

  • donald

On 3/5/07, Ball, Donald A Jr (Library) [email protected]
wrote:

Apologies if this is too off-topic, but I can’t think of where else to
start looking. I need to test for group membership on windows in a ruby
program. I’ve got some authentication code working just fine:

If you need to be querying group memberships out of AD, then look at the
Net::LDAP library on rubyforge.

Ball, Donald A Jr (Library) wrote:

Apologies if this is too off-topic, but I can’t think of where else to
start looking. I need to test for group membership on windows in a ruby
program. I’ve got some authentication code working just fine:

In my experience, the logon call and the underlying LDAP request
to return the tokenGroups attribute is hugely expensive. It causes
the DC to do calls to other DCs including the GC server. We do
this where absolutely necessary, but it definitely isn’t wise
to do it whenever you have an authorization request to evaluate.

You should instead attempt to enumerate the group member SIDs of
the current process token, or use one of the APIs that does this.

I’m a bit limited unfortunately in how much more help I can give,
as I’ve been out of this space for a year or two now.

Clifford H…

On 3/12/07, Ball, Donald A Jr (Library) [email protected]
wrote:

Is Net::LDAP preferred over Ruby/LDAP? There are some AD-specific
authentication projects on RubyForge, but they all seem to be using
Ruby/LDAP. Far be it from me to be able to discern the better library.
:slight_smile:

Not my call to make, since I’m the author of Net::LDAP :-).
Try it and see if it helps you. At least you can easily query memberOf
attributes for specific users.
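An added example (not code from anyone in this thread, and not part of Net::LDAP) showing the authorization step that follows once memberOf values have been fetched: memberOf only lists the groups an object is a direct member of, so a check against a nested group has to walk the group chain itself. The SAMPLE_DIRECTORY hash below is constructed to stand in for the per-object LDAP lookups; every DN in it is hypothetical, and it deliberately contains a group cycle so the walk has to guard against revisiting groups.

```ruby
# Transitive group-membership check built from memberOf data.
# Added example for illustration only; the directory contents are constructed
# and the DNs are hypothetical.
require 'set'

# Constructed sample: object DN => list of DNs from its memberOf attribute.
# A real implementation would fill this from an LDAP search per object.
SAMPLE_DIRECTORY = {
  'CN=dball,OU=Staff,DC=example,DC=org' => [
    'CN=Library Staff,OU=Groups,DC=example,DC=org'
  ],
  'CN=Library Staff,OU=Groups,DC=example,DC=org' => [
    'CN=All Staff,OU=Groups,DC=example,DC=org'
  ],
  'CN=All Staff,OU=Groups,DC=example,DC=org' => [
    'CN=Library Staff,OU=Groups,DC=example,DC=org' # constructed cycle
  ],
  'CN=Admins,OU=Groups,DC=example,DC=org' => []
}

# AD distinguished names compare case-insensitively and may carry stray
# whitespace around the RDN separators, so normalise before comparing.
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# Direct memberships only: exactly what memberOf reports. Note that AD's
# memberOf omits the object's primary group and any nested memberships.
def direct_groups(dn, directory = SAMPLE_DIRECTORY)
  wanted = normalize_dn(dn)
  key = directory.keys.find { |k| normalize_dn(k) == wanted }
  key ? directory[key].map { |g| normalize_dn(g) } : []
end

# Transitive closure of memberOf (breadth-first), tracking visited groups so
# a circular nesting cannot loop forever.
def effective_groups(dn, directory = SAMPLE_DIRECTORY)
  seen = Set.new
  queue = direct_groups(dn, directory)
  until queue.empty?
    group = queue.shift
    next if seen.include?(group)
    seen << group
    queue.concat(direct_groups(group, directory))
  end
  seen
end

# The authorization predicate: is +dn+ a direct or nested member of +group_dn+?
def member_of?(dn, group_dn, directory = SAMPLE_DIRECTORY)
  effective_groups(dn, directory).include?(normalize_dn(group_dn))
end

if __FILE__ == $0
  user = 'CN=dball,OU=Staff,DC=example,DC=org'
  puts "direct:    #{direct_groups(user).inspect}"
  puts "effective: #{effective_groups(user).to_a.inspect}"
  puts "All Staff? #{member_of?(user, 'CN=All Staff,OU=Groups,DC=example,DC=org')}"
  puts "Admins?    #{member_of?(user, 'CN=Admins,OU=Groups,DC=example,DC=org')}"
end
```

The walk is what makes the difference between "direct member" and "effective member": checking only the first-level memberOf list would deny dball access to anything granted to All Staff. This is also why a cached copy of the group graph, refreshed on a schedule, is usually preferable to re-walking the directory on every authorization decision.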