Home

Building and Integrating a Small Office Intranet

Issue 151

From Issue #151
November 2006

Sep 30, 2006  By Dave Jones
 in
This “how we did it” story includes valuable tips for building an intranet that integrates enterprise services in a user-friendly way.

Listing 1. getempinfo.pl


#!/usr/bin/perl -w
use Net::LDAP;
use strict;

my $cn=$ARGV[0] || "none";
my $attr=$ARGV[1] || "none";

##: If nothing was given on command line then return
if($cn eq "none") {
  print STDERR "ERROR: No LDAP cn given\n";
  exit(1);
}

##: Bind anonymously to the ldap database
my $ldap=Net::LDAP->new('directory.domain.com',timeout=>5)
  or die "Couldn't connect to directory server.\n";
my $mesg=$ldap->bind('proxyuser@domain.com',password=>'proxyuser')
  or die "Couldn't connect to directory server.\n";

##: Query LDAP to get a list of employees
if($attr ne "none") {
  $mesg=$ldap->search( base=> "ou=Domain Users,dc=domain,dc=com",
                       filter=> "(sAMAccountName=$cn)",
                       attrs=> ['givenName','sn',"$attr"] );
} else {
  $mesg=$ldap->search( base=> "ou=Domain Users,dc=domain,dc=com",
                       filter=> "(sAMAccountName=$cn)",
                       attrs=> ['givenName','sn'] );
}

my $count=$mesg->count();
($count==1) or die "Error: LDAP enumeration error.";

my $entry=$mesg->entry();
my $value;
my @values;
if($attr ne "none") {
  $value="";
  @values=$entry->get_value("$attr");
  my $i=1;
  for(@values) {
    if($i>1) {
      $value.="/$_";
    } else {
      $value.=$_;
    }
    $i++;
  }
} else {
  $value=($entry->get_value('givenName')." ";
  $value.=$entry->get_value('sn'));
}

##: See if that attribute was defined for the given cn
if(!(defined($value))) {
  print STDERR "ERROR: That attribute was not defined.\n";
  exit(1);
}

$mesg=$ldap->unbind;
print("$value\n");
Active Directory Integration

Another valuable addition to our intranet was integrating it with our Active Directory user database via LDAP. We use this to provide a company directory that lists all of our employees. The directory is built in real time whenever it is accessed, and that is a major time-saver for administrators. Whenever new users are added using the normal Active Directory tools, they instantly show up in the intranet directory. We also allow our users to edit their own personal information, and those edits are put into the Active Directory by the CGI script. The process is relatively straightforward, although there are some things to take into consideration. Let me walk you through the process of how we set this up.

The first thing we do is create a proxy user called proxyuser in Active Directory. This is the user name our scripts use to authenticate with LDAP. The proxy user is granted rights to read and write information on user objects within the ou=Domain Users container. That's all that needs to be done within Active Directory. We use Perl for our CGI, so that means using Net::LDAP. Here is how we connect to Active Directory from within a CGI script: 

##: Active Directory connection
use Net::LDAP;

my $ldap=Net::LDAP->new('adserver.domain.com');
my $mesg=$ldap->bind('proxyuser@domain.com',
                      password=>'proxyuser'  );

Notice the syntax that Active Directory requires for the user name field. It's one of the unique requirements of Active Directory's LDAP interface. Now that we are connected to the directory, we do a query to find all the user objects in the ou=Domain Users container: 

##: Query LDAP to get a list of employees
my $basedn="ou=Domain Users,dc=domain,dc=com";
my $filter="(objectClass=user)";
$mesg=$ldap->search(
  base=> $basedn,
  filter=> $filter,
  attrs=> ['givenName','sn','mail',
           'telephoneNumber','streetAddress',
           'l','st','department','postalCode',
           'employeeNumber','homePhone',
           'title','sAMAccountName' ]
  );

This returns all of the user objects in that container, along with all of the pertinent attributes you would expect to find in a company directory. We now can refine our search filter to limit our search to only those users whose last name starts with a letter passed to the CGI script in its URL. This allows us to follow an address-book format, so we don't have to display all 70 users at once. We fall back to the letter a if no letter was asked for in the URL: 


##: Get letter requested in the URL
my $letter;
$letter=param('letter') || "a";
...
my $filter="(&(objectClass=user) (sn=$letter*))";

If you aren't familiar with the syntax used by LDAP search filters, I suggest you look over RFC-2254. At this point, we can iterate over our query results and prettify them as needed. Because we also looked up this user's SSC information, we can check each employee's sAMAccountName as we go through the loop. When we find the employee that corresponds to the person SSC says is viewing the page, we add a link by the employee's name that allows him or her to go to an area to edit the directory information. It looks like this: 


##: Display the directory
foreach my $entry ($mesg->sorted('sn')) {

  my $san=$entry->get_value('sAMAccountName');
  $empdir.="<div class='empcard'>";
  if(lc($cn) eq lc($san)) {
    ##: This is our man.  Add a button.
    $empdir.="<a href='empedit.cgi'>Edit</a>";
  }
  $empdir.="<span id='name'>";
  $empdir.=$entry->get_value('givenName')." ";
  $empdir.=$entry->get_value('sn');
  $empdir.="</span><br>";
  $empdir.="<span id='title'>";
  $empdir.=$entry->get_value('title').";
  $empdir.="</span><br>";
  ...
  $empdir.="</div>";

}
print STDOUT $empdir;
$mesg=$ldap->unbind();

______________________

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions