Web-Based NT Administration Via Perl
George Kuetemeyer, Thomas Jefferson University Hospital
TJU/H IT Infrastructure
  ATM network
  5,000 PCs, Macs
  IBM mainframe
  Tandem mainframe
  Unix/Linux servers
  NT servers
  NetWare servers
Application Infrastructure
  Mail*Hub mail switch / X.500 directory
    Authentication
    Role data
  HP OpenMail (4,500 faculty/staff)
  CS&T OpenTime (2,100 clients)
  PeopleSoft
  IDX/Last Word
The Problem
  Migration from NetWare to NT
  NT admin tool issues
  NT security model issues
  Support staff training issues
  Competing business models
  Generalized fear and loathing
NT Admin Tool Issues
  GUI interface not ideal for batch updates
  Command line control limited
  Batch file scripting limited
  Scripting host proprietary
  Platform-limited remote control capabilities
NT Security Model Issues
  Not very granular (as exposed by the GUI tools)
  Not hierarchical (like NetWare 4.XX)
  No obvious link to our X.500 directory
  Didn't fit our IT support roles
Support Staff Training Issues
  GUI tools unfocused
  Command line approach not user friendly
Competing Business Models
  Microsoft's take on security different than ours
  Monolithic technology vs. diverse technologies
  Proprietary vs. open solutions
  Commercial vs. non-profit environments
Fear and Loathing
  Microsoft replaces our favorite technologies
  Microsoft replaces us
  'The Dark Side' Syndrome
The Solution - Perl
  Powerful
  Cross platform
  Easy entrée to NT internals
  Roll our own admin tools
  Make them networkable
  Tie in our legacy systems
Phase 1 - Local Administration
  Standardize on Perl
  Start by 'back-ticking' various command line functions
  Replace with Perl/NT admin API packages as they become available
Useful NT Admin Packages
  Win32::NetAdmin.pm
  Win32API::Net.pm
  Win32::AdminMisc.pm
  Win32::DomainAdmin.pm
  Win32::FileSecurity.pm
Phase 2 - Remote Administration
  IO::Socket-based client
  inetd from Pragma Systems
    Useful companion for pre-fork NT Perl
    Also provides telnet daemon
  Perl-based request server called by inetd
  Server interfaces with modular "methods" package
  System can work with command line or web delivery mechanisms
Web Admin Overview (diagram)
  Client Process: User Interface, CGI Processing
  Server Process: Authentication, Perl NT Methods
  Back ends: X.500 Directory, NT Environment

Platform Overview (diagram)
  The same components, shown on the platforms they run on: NT, HP/UX, Linux/Apache
NT Admin Walkthru
Create Client Object

  use K_Client;

  # %param holds the CGI form values (sender, pwd, ...)
  my $client = K_Client->new(
      host     => 'pdc.jeff.com',
      port     => 2000,
      sender   => $param{'sender'},
      pwd      => $param{'pwd'},
      key_file => '/usr/local/keys/nt.txt',
  );
Send Request

  $client->build_request(
      method => 'get_user_list',
      server => '',
  );
  my $ok    = $client->send_receive();
  my $err   = $client->get_errorcode(0);
  my @users = $client->get_result(0);
  my $msg   = $client->get_msg(0);
  return ($ok, $err, $msg, \@users);
Server Object

  use K_Server;
  use K_Methods::NT_Admin;
  use X500_Auth;

  # hosts allowed to talk to the server
  my $hosts   = { 'www.jeff.edu' => 1, 'pdc.jeff.edu' => 1 };
  my $methods = K_Methods::NT_Admin->new();
  my $server  = K_Server->new(
      methods_obj => $methods,
      auth_sub    => \&X500_Auth::auth_client,   # authenticate callers against X.500
      work_dir    => 'd:/ntadmsrv',
      server_name => 'K_Server',
      log_file    => 'd:/logs/k_admin.log',
      key_file    => 'd:/keys/nt.txt',
      event_log   => 1,
      ok_hosts    => $hosts,
  );
  $server->handle_request();
Methods data structure

  $self->{'methods'} = {
      get_user_list => {
          method    => sub { $self->get_user_list(@_) },
          params    => [ 'server' ],
          role      => $ops,        # role level required to call this method
          event_id  => 15,
          false_msg => sub { my %p = @_; return "Failed to get user list." },
          true_msg  => sub { my %p = @_; return "Got user list." },
      },
      # ...
  };
Methods role attribute

  $self->{'roles'} = {
      super_acct => 3,
      acct       => 2,
      ops        => 1,
      all        => 0,
  };
Core subroutine

  use Win32::AdminMisc;

  # generate list of users on the given server ('' = local machine)
  sub get_user_list {
      my $self   = shift;
      my %params = @_;
      my @users;
      Win32::AdminMisc::GetUsers($params{'server'}, '', \@users);
      return \@users;
  }
Create Account

  # two requests batched into one round trip
  $client->build_request(
      method => 'create_user',
      server => '',
      user   => $param{'user'},
      type   => 'user',
      abort  => 1,
  );
  $client->build_request(
      method => 'set_user_pwd',
      server => '',
      user   => $param{'user'},
      pwd    => 'tmp_pass',
  );
  $ok   = $client->send_receive();
  @msgs = $client->get_msgs();
  return ($ok, \@msgs);
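An added example, not the K_Server code from the talk, of the server-side dispatch loop that the methods table, the roles table and the abort flag of the Create Account batch imply: each request is looked up in the methods table, the caller's role level is compared with the method's required level, the named params are checked, and a failed request carrying abort => 1 stops the rest of the batch. The name handle_requests, the handler bodies (constructed data in place of Win32::AdminMisc calls) and the reading of abort as "stop the batch on failure" are assumptions.

```perl
# Added example (not the talk's K_Server): a hypothetical dispatcher shaped
# like the walkthrough: role check, param check, run, honour abort => 1.
use strict; use warnings;
my %roles = ( super_acct => 3, acct => 2, ops => 1, all => 0 );
my %methods = (   # handlers stand in for the Win32::AdminMisc calls
    get_user_list => {
        method    => sub { [ 'alice', 'bob' ] },          # constructed data
        params    => ['server'],
        role      => $roles{ops},
        true_msg  => sub { "Got user list." },
        false_msg => sub { "Failed to get user list." },
    },
    create_user => {
        method    => sub { my %p = @_; $p{user} eq 'alice' ? undef : 1 },
        params    => [ 'server', 'user' ],
        role      => $roles{acct},
        true_msg  => sub { my %p = @_; "Created $p{user}." },
        false_msg => sub { my %p = @_; "Failed to create $p{user}." },
    },
);
# Run a batch of requests for a caller holding the given role level.
sub handle_requests {
    my ($caller_role, @requests) = @_;
    my $ok = 1;
    my (@msgs, @results);
    for my $req (@requests) {
        my $m = $methods{ $req->{method} };
        my $result;
        if (!$m) {
            push @msgs, "Unknown method '$req->{method}'.";
        } elsif ($caller_role < $m->{role}) {
            push @msgs, "Role level $caller_role may not call $req->{method}.";
        } elsif (my @missing = grep { !defined $req->{$_} } @{ $m->{params} }) {
            push @msgs, "Missing parameter(s): @missing.";
        } else {
            my %p = map { $_ => $req->{$_} } @{ $m->{params} };
            $result = $m->{method}->(%p);
            push @msgs, $result ? $m->{true_msg}->(%p) : $m->{false_msg}->(%p);
        }
        push @results, $result;
        next if defined $result;
        $ok = 0;
        last if $req->{abort};    # abort => 1 stops the rest of the batch
    }
    return ($ok, \@msgs, \@results);
}
my ($ok, $msgs) = handle_requests($roles{ops},
    { method => 'create_user', server => '', user => 'carol', abort => 1 },
    { method => 'get_user_list', server => '' });
print "$ok\n", join("\n", @$msgs), "\n";   # denied; second request never runs
```

An 'ops' caller is refused create_user because its level (1) is below acct (2), and because that request carries abort => 1 the following get_user_list is not attempted.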
Get Account Info

  # three requests batched into one round trip; results come back by index
  $client->build_request(
      method => 'get_user_attrs',
      server => $param{'server'},
      user   => $param{'user'},
  );
  $client->build_request(
      method => 'get_user_global_groups',
      server => $param{'server'},
      user   => $param{'user'},
  );
  $client->build_request(
      method => 'get_global_groups',
      server => $param{'server'},
  );
  $ok         = $client->send_receive();
  @msgs       = $client->get_msgs();
  %attrs      = $client->get_result(0);
  @user_grps  = $client->get_result(1);
  @grps       = $client->get_result(2);
  return ($ok, \@msgs, \%attrs, \@user_grps, \@grps);
Project Results
  Our security policies enforced
  NT becomes part of larger IT infrastructure
  IT staff supports NT with minimal training
  Change effectively managed (Win2K)
  Innovation modulated by our business realities
NT Admin Futures
  Replace inetd with Perl fork
  Recode admin methods to support LDAP/Active Directory
  Spend more time on web client interface