#1
Participant (Devshed Newbie, 0 - 499 posts) | Join Date: Sep 2005 | Location: Hawaii | Posts: 376 | Rep Power: 21

How to get Servlet / JSP to runas for a Windows command line executable


    Problem: I have a jsp that users authenticate to using their windows domain account. They are authenticated against a DC. That part works. I need for them to be able to click a button that runs an "admod" command (on the web server) as them.

    So if I authenticate to the webserver on the "main.jsp " as "jon.smith", when I click the "create user" button, I want it to create a user as "jon.smith". Basically, a web enabled version of "run as".


    Currently: When the users click the button I have it hard-coded to do a "dir", which works. But when I set it to run the admod command to create a test user "First Middle Last", I get the following on my Process object (Input / Error Stream Reader) in the stdout logs in Tomcat:


    Code:
    COMMAND: admod -b "cn=Last\, First Middle,OU=Test Users OU,DC=my,DC=company,DC=com" -add "objectclass::user" "userAccountControl::514" "samAccountName::first.Middle.Last" "userPrincipalName::First.Middle.Last@my.company.com" givenName::First" "initials::Middle" "sn::Last"
    ERROR>
    ERROR>AdMod V01.10.00cpp February 2007
    ERROR>
    OUTPUT>DN Count: 1
    OUTPUT>Using server: myServerIP.my.company.com:389
    OUTPUT>
    ERROR>: [myServerIP.my.company.com] Error 0x32 (50) - Insufficient Rights
    OUTPUT>Adding specified objects...
    OUTPUT>   DN: cn=Last\, First Middle,OU=Test Users OU,DC=my,DC=company,DC=com...
    OUTPUT>
    OUTPUT>ERROR: Too many errors encountered, terminating...
    OUTPUT>
    OUTPUT>The command did not complete successfully
    OUTPUT>

    But if I copy the admod command that is run from the logs into the command line, it executes with no error, and the user is created.

    This would indicate that the permission error is not accurate, and something else is wrong.

    Any ideas?

    SK
#2
Feelin' Groovy (Devshed Supreme Being, 6500+ posts) | Join Date: Aug 2001 | Location: Chicago, IL | Posts: 10,131 | Rep Power: 5058

    Quote: Any ideas?
    You may have permissions to run the command, but it appears that your web server does not.

    ~
    Yawmark
    class Sig{public static void main(String...args){\u0066or(int
    \u0020$:"v\"ʲ\"vΤ\"".to\u0043h\u0061rArray()
    )System./*goto/*$/%\u0126//^\u002A\u002Fout.print((char)(($>>
    +(~'"'&'#'))+('<'>>('\\'/'.')/\u002Array.const(~1)\*\u002F)));}}
#3
Participant (Devshed Newbie, 0 - 499 posts) | Join Date: Sep 2005 | Location: Hawaii | Posts: 376 | Rep Power: 21

    I think I follow


    When you say "webserver" are you referring to the owner of the Tomcat process, or something else?

    For my test, I took the admod command from the log (on the webserver) and opened a command prompt (on the webserver) and pasted it in there and it worked.

    So when the servlet executes, it must be executing as "Tomcat" or "java" or "System" or who knows what...

    In either case, how do I tell Java to "runas"? Here is my code, where "cmd" is a String containing the "admod..." command.

    Code:
    ...
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec(cmd);
    exitVal = proc.waitFor();
    ...
#4
Feelin' Groovy (Devshed Supreme Being, 6500+ posts) | Join Date: Aug 2001 | Location: Chicago, IL | Posts: 10,131 | Rep Power: 5058

    Quote: When you say "webserver" are you referring to the owner of the Tomcat process, or something else?
    Yes.

    Quote: In either case, how do I tell java to "runas".
    Check the "setup" section of the Tomcat documentation, for example: http://tomcat.apache.org/tomcat-6.0-doc/setup.html

    More to the point, however, why aren't you using JNDI for this? Active Directory exposes an LDAP interface.

    ~

    Comments on this post

    • Nemi agrees : LDAP may be the way to do this
    Yawmark
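Post #3 asks which account the servlet's child process runs under, and post #4 answers that it is the owner of the Tomcat process. The class below is an added example written for this edit, not code from the thread: it reports the JVM's own OS account (which every `Runtime.exec` child inherits, regardless of who is logged in to the JSP), runs `whoami` through `ProcessBuilder` while draining its output before `waitFor()` so the child cannot block on a full pipe, and shows how `Runtime.exec(String)` tokenizes a command string on whitespace alone, so the quoted DN from the first post's admod command is split into pieces. The admod arguments are copied from post #1; `whoami` is assumed to exist on the host (it does on Windows and most Unix systems).

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

/**
 * Shows which OS account a servlet's child process inherits, and why a single
 * command string is a poor way to hand an LDAP DN to an external tool.
 */
public class RunAsCheck {

    /** The identity Runtime.exec() children run under: the JVM's own account, not the web user's. */
    static String jvmAccount() {
        return System.getProperty("user.name");
    }

    /**
     * Reproduces how Runtime.exec(String) splits a command line: a plain
     * StringTokenizer on whitespace. Quotes are not honoured, so a DN that
     * contains spaces is broken into several arguments.
     */
    static List<String> legacySplit(String cmd) {
        List<String> tokens = new ArrayList<String>();
        for (StringTokenizer st = new StringTokenizer(cmd); st.hasMoreTokens();) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    /**
     * Runs a program from an explicit argument vector and returns its exit code
     * plus merged stdout/stderr. Output is read to EOF before waitFor(), which
     * avoids the deadlock that occurs when the child fills the pipe buffer.
     */
    static String run(List<String> argv) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(argv).redirectErrorStream(true);
        Process p = pb.start();
        StringBuilder out = new StringBuilder();
        BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
        try {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        } finally {
            r.close();
        }
        int exit = p.waitFor();
        return "exit=" + exit + "\n" + out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM runs as: " + jvmAccount());
        System.out.println("whoami says: " + run(Arrays.asList("whoami")));

        // The command from post #1, shortened to its first two options.
        String cmd = "admod -b \"cn=Last\\, First Middle,OU=Test Users OU,DC=my,DC=company,DC=com\""
                + " -add \"objectclass::user\"";
        List<String> legacy = legacySplit(cmd);
        System.out.println("Runtime.exec(String) would pass " + legacy.size() + " arguments: " + legacy);

        // With ProcessBuilder each argument is one list element, so the DN stays intact
        // and nothing a user typed can add extra arguments.
        List<String> argv = Arrays.asList("admod", "-b",
                "cn=Last\\, First Middle,OU=Test Users OU,DC=my,DC=company,DC=com",
                "-add", "objectclass::user");
        System.out.println("ProcessBuilder would pass " + argv.size() + " arguments: " + argv);
    }
}
```

Whatever `whoami` prints on the Tomcat box (for a default Windows service install it is the LocalSystem or a dedicated service account), that is the account the DC sees for every admod call; the JSP login does not change it. That is why Yawmark's answer holds and why the thread ends up at binding to AD as the logged-in user instead.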
#5
Participant (Devshed Newbie, 0 - 499 posts) | Join Date: Sep 2005 | Location: Hawaii | Posts: 376 | Rep Power: 21

    So True...


    You have a point, and I agree. I argued the same point. The reason I was disallowed from using JNDI was because I was informed that JNDI will not generate a transaction log entry on the "Net Pro" program running on the AD Server.

    ADMOD commands do, and they want to be able to see who did what when. Net Pro is a software utility that gives reports / graphs, etc. for all kinds of AD interactions.

    It's like a glorified GUI with reporting capabilities of all the security / application / system logs, but from an AD point of view.

    Anyway, I am going to have to convince them to use JNDI since there seems to be no method of doing a "runas".
#6
<- My daily commute :^) (Devshed Intermediate, 1500 - 1999 posts) | Join Date: Mar 2005 | Location: Earth. Welcome. | Posts: 1,500 | Rep Power: 1702

    Disclaimer: I don't really know if this will work - I'm just tossing something out here. Would it be possible to edit your service in Windows so that it uses an account which is authorized to make your changes - similar to a "run as"?

    What I'm saying to try on the Tomcat server is this:
    1) Right-click "My Computer" and select "Manage"
    2) Expand "Services and Applications"
    3) Click Services
    4) Right-click the Tomcat service and select "Properties"
    5) Select the "Logon" tab
    6) Browse to an account that has the needed permissions
    7) Type the password for that account

    Would that work? (Sorry for the walk-through, I just wanted to be sure I was clear where to make the changes...)

    [EDIT] I should also add that it probably will be necessary to modify that user account such that it has the "log on as a service" right.
    Last edited by mrider; June 13th, 2007 at 03:40 PM.
    A -> B: Ride.
#7
Participant (Devshed Newbie, 0 - 499 posts) | Join Date: Sep 2005 | Location: Hawaii | Posts: 376 | Rep Power: 21

    Thanks for the input mrider, but the requirement is that clients need to be able to log in to do this.

    So let's say there are 5 admins out there. I want them to be able to log into the webserver (doing a bind), then execute a command that runs as them.

    If I hardcode an account to run the service, it would not run as the admin who is logged in.

    Update: I convinced them to let me use JNDI, and I have working code to modify user attributes... what I don't have is sample code to create user accounts.

    Can you send me a good link / sample code? Thanks

    Comments on this post

    • mrider agrees : "the requirement is that clients need to be able to log in to do this." - Oh well, I tried... :)
#8
Participant (Devshed Newbie, 0 - 499 posts) | Join Date: Sep 2005 | Location: Hawaii | Posts: 376 | Rep Power: 21

    Net Pro logging


    Okay, finished testing the modify attributes, they work.

    And for those that may find themselves in my shoes: JNDI DOES in fact generate logs for the Net Pro software...

    If I had only known this a week ago, lol

    Lastly, I still need a good example of creating a user with JNDI; I saw a few examples on Google, but they were a bit complicated. Anyone have a simple class AddUser()?

    Thanks.
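Posts #7 and #8 ask for a simple AddUser with JNDI. What follows is an added example written for this edit, not code from the thread or from any vendor: it creates the same disabled "First Middle Last" account that the admod command in post #1 creates (objectClass user, sAMAccountName, userPrincipalName, givenName, initials, sn, userAccountControl 514), but binds to the directory with the requesting admin's own UPN and password rather than a shared service account. That bind is what makes the DC, and therefore the Net Pro reporting the OP cares about, record the change under the admin who clicked the button, which is the "run as" the thread was looking for. The LDAPS host `dc.my.company.com:636` is a hypothetical placeholder; the OU and domain are taken from post #1; the servlet is assumed to still hold the admin's credentials from the login step.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Creates a disabled AD user over LDAP via JNDI, bound as the web user who
 * requested the action, so the domain controller attributes the change to
 * that user and not to the Tomcat service account.
 */
public class AddUser {

    // Hypothetical directory endpoint; LDAPS so the simple bind password is not sent in clear.
    static final String LDAP_URL = "ldaps://dc.my.company.com:636";
    // OU and UPN suffix as used by the admod command in post #1.
    static final String USERS_OU = "OU=Test Users OU,DC=my,DC=company,DC=com";
    static final String UPN_SUFFIX = "@my.company.com";

    /** Binds with the requesting admin's own credentials (no shared privileged account). */
    static DirContext bindAs(String adminUpn, char[] password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, adminUpn);            // e.g. jon.smith@my.company.com
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialDirContext(env);
    }

    /** Builds "cn=Last\, First Middle,OU=..." with the comma escaped by Rdn. */
    static LdapName userDn(String first, String middle, String last) throws NamingException {
        LdapName dn = new LdapName(USERS_OU);
        dn.add(new Rdn("cn", last + ", " + first + " " + middle)); // appended as the leftmost RDN
        return dn;
    }

    /** Mirrors the attribute list of the admod command in post #1. */
    static BasicAttributes userAttributes(String first, String middle, String last) {
        String sam = first + "." + middle + "." + last;             // AD limits sAMAccountName to 20 chars
        BasicAttributes attrs = new BasicAttributes(true);           // attribute names compared case-insensitively
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("user");
        attrs.put(objectClass);
        attrs.put("sAMAccountName", sam);
        attrs.put("userPrincipalName", sam + UPN_SUFFIX);
        attrs.put("givenName", first);
        attrs.put("initials", middle);
        attrs.put("sn", last);
        // 514 = NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2): the account starts disabled with no password,
        // exactly as the admod command did; setting unicodePwd later requires an LDAPS connection.
        attrs.put("userAccountControl", "514");
        return attrs;
    }

    /** Creates the user entry; the DC checks the *bound admin's* rights, which is the desired behaviour. */
    static LdapName addUser(DirContext ctx, String first, String middle, String last) throws NamingException {
        LdapName dn = userDn(first, middle, last);
        ctx.createSubcontext(dn, userAttributes(first, middle, last));
        return dn;
    }

    public static void main(String[] args) throws NamingException {
        // In the servlet these come from the authenticated session, never straight from request parameters.
        String adminUpn = args[0];
        char[] adminPassword = args[1].toCharArray();
        DirContext ctx = bindAs(adminUpn, adminPassword);
        try {
            LdapName created = addUser(ctx, "First", "Middle", "Last");
            System.out.println("Created " + created);
        } finally {
            ctx.close();
            Arrays.fill(adminPassword, '\0');                        // drop the password once the bind is closed
        }
    }
}
```

An "Insufficient Rights" response from `createSubcontext` now means the bound admin lacks create-child rights on the OU, which is the correct place for that decision to be made; it also means the web tier never needs a standing privileged account of its own.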
