how to check for group membership in windows?

Discussion in 'Ruby' started by Ball, Donald A Jr (Library), Mar 5, 2007.

  1. Apologies if this is too off-topic, but I can't think of where else to
    start looking. I need to test for group membership on windows in a ruby
    program. I've got some authentication code working just fine:

    require 'dl/win32'

    LOGON32_LOGON_NETWORK = 3
    LOGON32_PROVIDER_DEFAULT = 0
    BOOL_SUCCESS = 1
    AdvApi32 = DL.dlopen('advapi32')
    Kernel32 = DL.dlopen('kernel32')

    def authenticate_user_from_windows(username, password, domain)
      # Load the DLL functions
      logon_user = AdvApi32['LogonUser', 'ISSSIIp']
      close_handle = Kernel32['CloseHandle', 'IL']
      # Normalize username and domain
      username = username.strip.downcase
      domain = domain.strip.downcase
      # Authenticate user
      ptoken = "\0" * 4
      r, rs = logon_user.call(username, domain, password,
                              LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ptoken)
      success = (r == BOOL_SUCCESS)
      # Close impersonation token
      token = ptoken.unpack('L')[0]
      close_handle.call(token)
      return success
    end

    and now I need some authorization help. I've been browsing msdn for
    hours to no avail; can anyone point me in the right direction? Merci.

    Also, in the code above, should close_handle.call(token) be invoked in
    an ensure block if logon_user.call failed for some reason, or would that
    imply the ptoken object doesn't need to be cleaned up?

    - donald
    Ball, Donald A Jr (Library), Mar 5, 2007
    #1

  2. Ball, Donald A Jr (Library) wrote:
    > Apologies if this is too off-topic, but I can't think of where else to
    > start looking. I need to test for group membership on windows in a ruby
    > program. I've got some authentication code working just fine:


    In my experience, the logon call and the underlying LDAP request
    to return the tokenGroups attribute is hugely expensive. It causes
    the DC to do calls to other DCs including the GC server. We do
    this where absolutely necessary, but it definitely isn't wise
    to do it whenever you have an authorization request to evaluate.

    You should instead attempt to enumerate the group member SIDs of
    the current process token, or use one of the APIs that does this.

    I'm a bit limited unfortunately in how much more help I can give,
    as I've been out of this space for a year or two now.

    Clifford Heath.
    Clifford Heath, Mar 13, 2007
    #2
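
Added example, not part of the thread and not either poster's code: once the group SIDs of a token have been enumerated, as the reply above suggests, each entry still has to be decoded and its attribute flags checked, because a SID marked deny-only (as Administrators is in a filtered token) must not count as membership. The helper names and the sample group list are constructed for illustration; obtaining the list from Windows itself (for example via GetTokenInformation with TokenGroups) is outside this block.

```ruby
# Attribute flags carried with each group SID in a Windows access token.
SE_GROUP_ENABLED           = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

# Convert a binary SID to its "S-1-..." string form.
# Layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian).
def sid_to_s(bin)
  bin = bin.b
  raise ArgumentError, 'SID too short' if bin.bytesize < 8
  revision, count = bin.unpack('CC')
  raise ArgumentError, 'bad SID length' unless bin.bytesize == 8 + 4 * count
  authority = bin[2, 6].unpack('C6').inject(0) { |acc, b| (acc << 8) | b }
  subs = bin[8, 4 * count].unpack('V*')
  (['S', revision, authority] + subs).join('-')
end

# Build a binary SID from its string form (used here to construct sample data).
def sid_from_s(str)
  parts = str.split('-')
  raise ArgumentError, 'not a SID' unless parts.shift == 'S' && parts.size >= 2
  revision, authority, *subs = parts.map { |p| Integer(p) }
  auth_bytes = [authority >> 32, authority & 0xFFFFFFFF].pack('nN')
  [revision, subs.size].pack('CC') + auth_bytes + subs.pack('V*')
end

# groups: array of [binary_sid, attributes] pairs, as enumerated from a token.
# A SID grants membership only if it is enabled and not marked deny-only.
def member_of?(groups, wanted_sid)
  groups.any? do |bin, attrs|
    sid_to_s(bin) == wanted_sid &&
      (attrs & SE_GROUP_ENABLED) != 0 &&
      (attrs & SE_GROUP_USE_FOR_DENY_ONLY).zero?
  end
end

# Constructed sample: a filtered token where BUILTIN\Administrators is
# present but deny-only, and BUILTIN\Users is mandatory and enabled.
SAMPLE_GROUPS = [
  [sid_from_s('S-1-5-32-544'), SE_GROUP_USE_FOR_DENY_ONLY],
  [sid_from_s('S-1-5-32-545'), 0x7]
].freeze

puts member_of?(SAMPLE_GROUPS, 'S-1-5-32-545')
puts member_of?(SAMPLE_GROUPS, 'S-1-5-32-544')
```

A plain string comparison of SIDs would report the deny-only Administrators entry as a match; the attribute test is what keeps the check from over-authorizing.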
