Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Here is a real nail-biter of a problem.

The code that follows works perfectly from the command line. The variable $foo returns "1", which it should. If I change the $pword to something other than password, it returns "0", again as it should.

However, if I run this as a CGI script, $foo ALWAYS returns as "0" regardless of whether the password is correct or not.

Any thoughts on the subject would be great. The only thing I have changed in the below code is the "my" and "domain". Nothing else has been modified from what I ran locally.
#!/usr/bin/perl -w
use strict;
use CGI;
use Win32::OLE;

my $uname = "testuser";
my $pword = "password";
my $foo   = authuser($uname, $pword);
my $query = CGI->new();
print $query->header;
print "$foo \n";

# Returns 1 if the bind with the supplied credentials succeeds, 0 otherwise.
sub authuser {
    my ($uname, $pword) = @_;
    my $adpath            = 'LDAP://DC=my,DC=domain,DC=edu';
    my $strAttributeName  = "userPrincipalName";
    my $strAttributeValue = $uname;
    my $ad_server = Win32::OLE->GetObject('LDAP:') or die $!;
    # The trailing 1 is the ADSI flag ADS_SECURE_AUTHENTICATION.
    my $check_user = $ad_server->OpenDSObject($adpath, $uname, $pword, 1);
    if (!Win32::OLE->LastError()) {
        return 1;
    }
    return 0;
}

Replies are listed 'Best First'.
Re: Windows Authentication through IIS
by davidrw (Prior) on Jun 16, 2005 at 13:43 UTC
    Perhaps try Net::LDAP instead of going through Win32::OLE as a workaround?

    My only thought for the above is that when run as a CGI, it's running as the IIS user Windows account (but when you try from cmdline you're using your Windows account), which for some reason doesn't have permission to create or use the LDAP OLE object. What is the value of Win32::OLE->LastError()?
      That's interesting. The error is:
      Win32::OLE(0.1502) error 0x8007054b: "The specified domain either does not exist or could not be contacted" in METHOD/PROPERTYGET "OpenDSObject"

      Which looks like it can't find the domain. However, when I run it from the command line on the same box it's fine.

      I wonder if IIS has a setting that needs to be toggled to make this work. I'll start digging. This is the first time I've done anything for IIS in several years; normally I code for Linux/Apache.

        Looks like the user account IUSR_srvname doesn't know anything about the domain and can't find your domain controller automatically...

        Try one of the following:

        my $ad_server = Win32::OLE->GetObject ("LDAP://servername") or die $!;
        or
        my $adpath = "LDAP://$server/DC=my,DC=domain,DC=edu";
        or perhaps use GC: instead of LDAP: (GC is Global Catalog)

        Best regards,
        perl -e "s>>*F>e=>y)\*martinF)stronat)=>print,print v8.8.8.32.11.32"
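
The explicit-server ADsPath suggested in the reply above, combined with reporting Win32::OLE->LastError() as davidrw asked, as an added example that is not part of the original thread. The host name dc01.my.domain.edu and the sub name authuser_explicit are placeholders; the base DN and the flag value 1 come from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Win32::OLE;

# Assumption: a domain controller name that the web server can resolve.
my $DC_HOST = 'dc01.my.domain.edu';        # placeholder host name
my $BASE_DN = 'DC=my,DC=domain,DC=edu';    # base DN from the question

use constant ADS_SECURE_AUTHENTICATION => 0x1;    # the "1" in the question

# Returns (1, '') when the bind succeeds, (0, $reason) otherwise.
sub authuser_explicit {
    my ($uname, $pword) = @_;

    # ADSI treats absent credentials as "bind as the calling account",
    # so blank form input must never reach OpenDSObject.
    return (0, 'empty credentials')
        unless defined $uname && length $uname
            && defined $pword && length $pword;

    # Naming the server in the ADsPath avoids the automatic domain
    # controller lookup that failed under the IIS account.
    my $adpath = "LDAP://$DC_HOST/$BASE_DN";

    my $ldap = Win32::OLE->GetObject('LDAP:')
        or return (0, 'GetObject failed: ' . Win32::OLE->LastError());

    Win32::OLE->LastError(0);    # clear any stale error before the bind
    my $obj = $ldap->OpenDSObject($adpath, $uname, $pword,
                                  ADS_SECURE_AUTHENTICATION);
    my $err = Win32::OLE->LastError();

    return (1, '') if $obj && !$err;
    return (0, $err ? "$err" : 'bind returned no object');
}

my ($ok, $why) = authuser_explicit('testuser', 'password');

# Keep the failure reason in the server log; the browser only sees 1 or 0.
warn "bind failed: $why\n" unless $ok;
print "Content-Type: text/plain\r\n\r\n", ($ok ? 1 : 0), "\n";
```

Returning the reason alongside the result makes a "domain could not be contacted" failure distinguishable from a wrong password in the server log, which the original 1/0 return value hid.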