how to check for group membership in windows?

  • Thread starter Ball, Donald A Jr (Library)
  • Start date
B

Ball, Donald A Jr (Library)

Apologies if this is too off-topic, but I can't think of where else to
start looking. I need to test for group membership on windows in a ruby
program. I've got some authentication code working just fine:

require 'dl/win32'

LOGON32_LOGON_NETWORK =3D 3
LOGON32_PROVIDER_DEFAULT =3D 0
BOOL_SUCCESS =3D 1
AdvApi32 =3D DL.dlopen('advapi32')
Kernel32 =3D DL.dlopen('kernel32')

def authenticate_user_from_windows(username, password, domain)
# Load the DLL functions
logon_user =3D AdvApi32['LogonUser', 'ISSSIIp']
close_handle =3D Kernel32['CloseHandle', 'IL']
# Normalize username and domain
username =3D username.strip.downcase
domain =3D domain.strip.downcase
# Authenticate user
ptoken =3D "\0" * 4
r,rs =3D logon_user.call(username, domain, password,
LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ptoken)
success =3D (r =3D=3D BOOL_SUCCESS)
# Close impersonation token
token =3D ptoken.unpack('L')[0]
close_handle.call(token)
return success
end

and now I need some authorization help. I've been browsing msdn for
hours to no avail; can anyone point me in the right direction? Merci.

Also, in the code above, should close_handle.call(token) be invoked in
an ensure block if logon_user.call failed for some reason, or would that
imply the ptoken object doesn't need to be cleaned up?

- donald
 
C

Clifford Heath

Ball said:
Apologies if this is too off-topic, but I can't think of where else to
start looking. I need to test for group membership on windows in a ruby
program. I've got some authentication code working just fine:
Click to expand...

In my experience, the logon call and the underlying LDAP request
to return the tokenGroups attribute is hugely expensive. If causes
the DC to do calls to other DCs including the GC server. We do
this where absolutely necessary, but it definitely isn't wise
to do it whenever you have an authorization request to evaluate.

You should instead attempt to enumerate the group member SIDs of
the current process token, or use one of the APIs that does this.

I'm a bit limited unfortunately in how much more help I can give,
as I've been out of this space for a year or two now.

Clifford Heath.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

DLL Function Type Specifications 0
Newbie Rails Authentication Woes 1
Asp.net Impersonation:Accessing file Server from https 0
Windows Server 2008 impersonation. 3
S4U Kerberos for calling WCF services 4
Facing problem while accessing virtual server count in Sharpeoint using SPGlobalAdmin 0
Access denied. delegation scenario accessing to a shared resource in cluster 1
Save File to Server on Different Domain 0

Members online

Total: 99 (members: 4, guests: 95)
Robots: 80

Forum statistics

Threads
473,968
Messages
2,570,152
Members
46,698
Latest member
LydiaHalle

Latest Threads

Top