Post on 27-Mar-2015
Web-Based NT Administration Via Perl
George Kuetemeyer, Thomas Jefferson University Hospital
George.Kuetemeyer@mail.tju.edu
TJU/H Mission
Patient care
Education
Research
TJU/H Demographics
9,000 faculty/staff
3,500 students
TJU/H IT Infrastructure
ATM network
5,000 PCs, Macs
IBM mainframe
Tandem mainframe
Unix/Linux servers
NT servers
NetWare servers
Application Infrastructure
Mail*Hub mail switch / X.500 directory
  Authentication
  Role data
HP OpenMail (4,500 faculty/staff)
CS&T OpenTime (2,100 clients)
PeopleSoft
IDX/Last Word
The Problem
Migration from NetWare to NT
NT admin tool issues
NT security model issues
Support staff training issues
Competing business models
Generalized fear and loathing
NT Admin Tool Issues
GUI interface not ideal for batch updates
Command line control limited
Batch file scripting limited
Scripting host proprietary
Platform-limited remote control capabilities
NT Security Model Issues
Not very granular (as exposed by the GUI tools)
Not hierarchical (like NetWare 4.XX)
No obvious link to our X.500 directory
Didn't fit our IT support roles
Support Staff Training Issues
GUI tools unfocused
Command line approach not user friendly
Competing Business Models
Microsoft's take on security different than ours
Monolithic technology vs. diverse technologies
Proprietary vs. open solutions
Commercial vs. non-profit environments
Fear and Loathing
Microsoft replaces our favorite technologies
Microsoft replaces us
'The Dark Side' syndrome
General Problem
(Diagram: Vendor's Reality set against Our Reality)
General Solution
(Diagram: Vendor's Reality passed through a Filter to become Our Reality)
The Solution - Perl
Powerful
Cross platform
Easy entrée to NT internals
Roll our own admin tools
Make them networkable
Tie in our legacy systems
Phase 1 - Local Administration
Standardize on Perl
Start by 'back-ticking' various command line functions
Replace with Perl/NT admin API packages as they become available
Useful NT Admin Packages
Win32::NetAdmin.pm
Win32API::Net.pm
Win32::AdminMisc.pm
Win32::DomainAdmin.pm
Win32::FileSecurity.pm
Phase 2 - Remote Administration
IO::Socket-based client
inetd from Pragma Systems
  Useful companion for pre-fork NT Perl
  Also provides telnet daemon
Perl-based request server called by inetd
Server interfaces with modular "methods" package
System can work with command line or web delivery mechanisms
Web Admin Overview
(Diagram, components: User Interface and CGI Processing on the web side; Client Process; Server Process with Authentication and Perl NT Methods; X.500 Directory used for authentication; NT Environment)
Platform Overview
(Diagram: the same components as the Web Admin Overview, with the platforms involved labelled NT, HP/UX and Linux/Apache)
NT Admin Walkthru
(Screenshots: authentication page taking an X.500 name/password, then the main menu)
NT Admin Walkthru
Create Client Object
use K_Client;

# client object for the CGI side; credentials come from the form parameters
my $client = K_Client->new(
    host     => 'pdc.jeff.com',
    port     => 2000,
    sender   => $param{'sender'},
    pwd      => $param{'pwd'},
    key_file => '/usr/local/keys/nt.txt',
);
NT Admin Walkthru
Send Request
$client->build_request(
    method => 'get_user_list',
    server => '',
);
my $ok    = $client->send_receive();
my $err   = $client->get_errorcode(0);
my @users = $client->get_result(0);
my $msg   = $client->get_msg(0);
return ($ok, $err, $msg, \@users);
NT Admin Walkthru
Server Object
use K_Server;
use K_Methods::NT_Admin;
use X500_Auth;

# hosts permitted to connect to the request server
my $hosts   = { 'www.jeff.edu' => 1, 'pdc.jeff.edu' => 1 };
my $methods = K_Methods::NT_Admin->new();
my $server  = K_Server->new(
    methods_obj => $methods,
    auth_sub    => \&X500_Auth::auth_client,
    work_dir    => 'd:/ntadmsrv',
    server_name => 'K_Server',
    log_file    => 'd:/logs/k_admin.log',
    key_file    => 'd:/keys/nt.txt',
    event_log   => 1,
    ok_hosts    => $hosts,
);
$server->handle_request();
NT Admin Walkthru
Methods data structure
$self->{'methods'} = {
    get_user_list => {
        method    => sub { $self->get_user_list(@_) },
        params    => [ 'server' ],
        role      => $ops,       # minimum role level allowed to call this method
        event_id  => 15,
        false_msg => sub { my %p = @_; return "Failed to get user list." },
        true_msg  => sub { my %p = @_; return "Got user list." },
    },
    . . .
NT Admin Walkthru
Methods role attribute
$self->{'roles'} = {
    super_acct => 3,
    acct       => 2,
    ops        => 1,
    all        => 0,
};
NT Admin Walkthru
Core subroutine
use Win32::AdminMisc;

# generate list of users
sub get_user_list {
    my $self   = shift;
    my %params = @_;
    my @users;
    # empty server name means the local machine; the filter is left empty as on the slide
    Win32::AdminMisc::GetUsers($params{'server'}, '', \@users);
    return \@users;
}
NT Admin Walkthru
Create Account
(Screenshots: the create-account form, followed by the client code that submits it)
$client->build_request(
    method => 'create_user',
    server => '',
    user   => $param{'user'},
    type   => 'user',
    abort  => 1,             # abort the remaining requests if this one fails
);
$client->build_request(
    method => 'set_user_pwd',
    server => '',
    user   => $param{'user'},
    pwd    => 'tmp_pass',
);
$ok   = $client->send_receive();
@msgs = $client->get_msgs();
return ($ok, \@msgs);
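The server-side flow that the last several slides describe (the ok_hosts list, auth_sub, the methods table with its role and event_id attributes, and the abort flag on a batched request) as an added example in Perl. This is not the TJU code: Admin::Dispatch, handle_batch(), the event ids, the in-memory account table and the name/password directory are all assumed stand-ins, and Win32::AdminMisc is replaced by a hash so the script runs on any platform.

```perl
# Added example, not the original TJU code: a minimal request dispatcher in the
# style of the K_Server / K_Methods objects on the slides. All names are assumptions.
use strict;
use warnings;
package Admin::Dispatch;

# Numeric roles, as in $self->{'roles'}: "at least this role" is one comparison.
my %ROLES = ( super_acct => 3, acct => 2, ops => 1, all => 0 );

sub new {
    my ($class, %args) = @_;
    my $self = bless {
        ok_hosts => $args{ok_hosts} || {},   # peer allowlist (ok_hosts on the slide)
        auth_sub => $args{auth_sub},         # returns the caller's role name or undef
        log      => [],                      # stand-in for log_file / the event log
        users    => { administrator => {} }, # constructed stand-in for the NT accounts
    }, $class;
    # Method table: handler, declared params, minimum role, event id.
    $self->{methods} = {
        get_user_list => {
            method => sub { [ sort keys %{ $self->{users} } ] },
            params => ['server'], role => $ROLES{ops}, event_id => 15,
        },
        create_user => {
            method => sub {
                my %p = @_;
                return undef if exists $self->{users}{ $p{user} };   # never clobber
                $self->{users}{ $p{user} } = { type => $p{type} }; return 1;
            },
            params => [ 'server', 'user', 'type' ], role => $ROLES{acct}, event_id => 20,
        },
    };
    return $self;
}

# Run a batch of requests for one caller. Returns ($ok, \@results), one
# { err, msg, result } per request; a failing request with abort => 1 ends the batch.
sub handle_batch {
    my ($self, %req) = @_;
    my @out;
    # Gate 1: only listed hosts may talk to the server at all.
    unless ($self->{ok_hosts}{ $req{peer} }) {
        $self->_log(0, "rejected peer $req{peer}");
        return (0, [ { err => 'bad_host', msg => 'Peer not permitted.' } ]);
    }
    # Gate 2: authenticate the sender and map it to a role (X.500 on the slides).
    my $role_name = $self->{auth_sub}->($req{sender}, $req{pwd});
    unless (defined $role_name && exists $ROLES{$role_name}) {
        $self->_log(0, "auth failed for $req{sender}");
        return (0, [ { err => 'auth', msg => 'Authentication failed.' } ]);
    }
    my $role = $ROLES{$role_name};
    # Gate 3, per request: known method, sufficient role, declared params only.
    for my $r (@{ $req{requests} }) {
        my $spec = $self->{methods}{ $r->{method} };
        my %res;
        if (!$spec) {
            %res = (err => 'no_method', msg => "Unknown method $r->{method}.");
        } elsif ($role < $spec->{role}) {
            %res = (err => 'role', msg => "Role $role_name may not call $r->{method}.");
        } elsif (my @missing = grep { !exists $r->{$_} } @{ $spec->{params} }) {
            %res = (err => 'params', msg => "Missing params: @missing.");
        } else {
            my %p = map { $_ => $r->{$_} } @{ $spec->{params} };   # drop undeclared keys
            my $result = $spec->{method}->(%p);
            %res = defined $result ? (err => 0, msg => "$r->{method} ok.", result => $result)
                                   : (err => 'failed', msg => "$r->{method} failed.");
        }
        $self->_log($spec ? $spec->{event_id} : 0, "$req{sender}: $res{msg}");
        push @out, \%res;
        return (0, \@out) if $res{err} && $r->{abort};
    }
    return ((grep { $_->{err} } @out) ? 0 : 1, \@out);
}

sub _log { my ($self, $id, $text) = @_; push @{ $self->{log} }, "[event $id] $text"; }

package main;
# Constructed stand-in for X500_Auth::auth_client: name/password -> role name.
my %directory = ( gk => [ 'secret', 'acct' ], helpdesk => [ 'pw', 'ops' ] );
my $auth = sub { my ($w, $p) = @_; ($directory{$w} && $directory{$w}[0] eq $p) ? $directory{$w}[1] : undef };
my $server = Admin::Dispatch->new(ok_hosts => { 'www.jeff.edu' => 1 }, auth_sub => $auth);

# An acct-role caller: jdoe is created, administrator already exists, and the
# abort flag on that failing request stops the batch before get_user_list runs.
my ($ok, $res) = $server->handle_batch(
    peer => 'www.jeff.edu', sender => 'gk', pwd => 'secret',
    requests => [
        { method => 'create_user', server => '', user => 'jdoe', type => 'user' },
        { method => 'create_user', server => '', user => 'administrator', type => 'user', abort => 1 },
        { method => 'get_user_list', server => '' },   # never reached
    ],
);
print "[ok=$ok] $_->{msg}\n" for @$res;
# An ops-role caller may list users but is refused create_user.
($ok, $res) = $server->handle_batch(
    peer => 'www.jeff.edu', sender => 'helpdesk', pwd => 'pw',
    requests => [ { method => 'get_user_list', server => '' },
                  { method => 'create_user', server => '', user => 'x', type => 'user' } ],
);
print "[ok=$ok] $_->{msg}\n" for @$res;
print "$_\n" for @{ $server->{log} };
```

The gates run in the order host, credentials, method: a request from an unlisted host is logged and dropped before the directory is consulted, and an unknown method is refused before its role or parameters are looked at. Only the parameters a method declares are passed through to its handler, so extra keys a client adds to a request never reach the code that touches accounts.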
NT Admin Walkthru
(Screenshots: create-account result, main menu, change-account form)
NT Admin Walkthru
Get Account Info
$client->build_request(
    method => 'get_user_attrs',
    server => $param{'server'},
    user   => $param{'user'},
);
$client->build_request(
    method => 'get_user_global_groups',
    server => $param{'server'},
    user   => $param{'user'},
);
$client->build_request(
    method => 'get_global_groups',
    server => $param{'server'},
);
$ok   = $client->send_receive();
@msgs = $client->get_msgs();
# results come back in the order the requests were built
%attrs     = $client->get_result(0);
@user_grps = $client->get_result(1);
@grps      = $client->get_result(2);
return ($ok, \@msgs, \%attrs, \@user_grps, \@grps);
NT Admin Walkthru
(Screenshots: account info page, back-end logging)
Project Results
Our security policies enforced
NT becomes part of larger IT infrastructure
IT staff supports NT with minimal training
Change effectively managed (Win2K)
Innovation modulated by our business realities
NT Admin Futures
Replace inetd with Perl fork
Recode admin methods to support LDAP/Active Directory
Spend more time on web client interface