Rainer Meier <r.me...@wpkg.org> writes: > I personally don't feel this to be much less complex. On the other side I am > not > fully against the "system" attribute - but I think it might be even more > helpful
[...]
> However I am thinking about some basic OS version matching within the profile
> (and maybe within the host database as well).
My version specific stuffs are mainly windows configurations (services,
network settings, firewalls, …) some of them which works on winXP does
not on win7.
> And here the bad side-effects usually start. There is only a very limited
> number
> of people out there able to read and test this code. Debugging will get harder
> and changes to break something increase. More over we know that WSH is not
> supported by Microsoft any more. It might happen that WSH scripts will not get
> access to specific objects in the future if Microsoft changes the security
> settings.
>
> As I said accessing LDAP/AD from WPKG introduces a change in the basic
> architecture.
> Remember that wpkg.js is executed on the client. Currently in most
> installation the only communication done by wpkg.js to the servers is
> SMB/CIFS file system access (fetching XML, fetching data). Adding
> LDAP/AD support requries WPKG to communicate from the client directly
> with LDAP servers. This is pretty likely to introduce issues with
> firewalls and other network issues.
I'm not sure to understand everything but GetObject("WinNT://") does not
use LDAP (that what tcpdump told me), so no need to configure base-dn,
bind credential, I think that what ever backend you have
(samba/openLDAP, AD, NT4) it should work.
> What is also not clear to me is the way AD is accessed. As far as I
> know AD does not allow anonymous binding. So either WPKG has to read
> credentials from config.xml or get it via parameters. Parameters is a
> bad idea since updating the credentials would require deploying new
> settings to all clients. But config.xml would also be critical since
> the credentials would have to be protected because they might be
> abused to get access (at least read-only) to AD.
>
> In any case this second communication channel to servers for sure introduces
> quite a lot of potential problems.
> If we start to support it I am sure users in larger-scale installations will
> also ask for advanced features like load-balancing and
> fault-tolerance/fallback
> on LDAP servers.
I define tow functions getDomainName() and getHostGroups() in wpkg.js, I
call getHostGroups just after main:saveEnv().
The attached JS script define the tow functions and permit to test
without running the whole wpkg.js, I saw that:
- getHostGroups works only if:
* we have a SMB/CIFS connection to a server
* the computer is defined on the server: no need to join the
workstation to the domain ("smbldap-useradd -W <computername>$" is
sufficient)
- getDomainName returns:
* The domain name of a domain member with WMI
* The configured domain (TODO: use config.xml to define it) if the
workstation is not a domain member
Again, it needs some tests against AD.
Does it look more acceptable to you?
Regards.
--
Daniel Dehennin
RAIP de l'Orne
// FIXME handle in config.xml
var ConfiguredDomain = "mydomain";
// To avoid search&replace
function dinfo(msg) {
WScript.Echo(msg);
}
function getHostname() {
var WshNetwork = WScript.CreateObject("WScript.Network");
dinfo("Host name: " + WshNetwork.ComputerName.toLowerCase());
return WshNetwork.ComputerName.toLowerCase();
}
function getDomainName() {
var strComputer = "." ;
var DomainName = null;
var WMIServiceStr = "winmgmts:{impersonationLevel=impersonate}!\\\\"
+ strComputer + "\\root\\cimv2";
var objWMIService = GetObject(WMIServiceStr) ;
var QueryRes = objWMIService.ExecQuery("Select * from Win32_ComputerSystem
where PartOfDomain=True ");
var items=new Enumerator(QueryRes);
items.moveFirst();
if (items.atEnd() ) {
// Not a domain member
if ( ConfiguredDomain != null && ConfiguredDomain != "" ) {
dinfo("Not a domain member, use " + ConfiguredDomain + " as
configured in config.xml.");
DomainName = ConfiguredDomain;
}
else {
throw new Error("Not a domain member and no domain configured in
config.xml.");
}
}
else {
var First = items.item();
DomainName = First.Domain.toLowerCase();
dinfo("Domain Name: " + DomainName);
}
return DomainName;
}
function getHostGroups() {
try {
var DomainName = getDomainName();
var HostName = getHostname();
var obj = GetObject("WinNT://"+DomainName+"/"+HostName+"$,user") ;
var Groups = obj.Groups();
for (var item =new Enumerator(Groups); !item.atEnd(); item.moveNext() )
{
var group = item.item();
dinfo("Computer group: " + group.Name);
}
}
catch (e) {
dinfo("Message: Error fetching computer groups.");
}
}
getHostGroups();
// Local Variables:
// mode: js
// coding: utf-8-unix
// End:
pgpyEmpJ6RCTh.pgp
Description: PGP signature
------------------------------------------------------------------------- wpkg-users mailing list archives >> http://lists.wpkg.org/pipermail/wpkg-users/ _______________________________________________ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
