[p4] active directory authentication
Tam Pham
Tam.Pham at zoran.com
Mon May 1 10:37:08 PDT 2006
Greg,
You can run another instance of the Perforce server on a different port and
use this instance for authentication only. So you can do:
auth-check (instance on port 1666)
- attempt authentication against AD (which I have working)
- if success; exit 0
- if failure;
- attempt <use another Perforce instance on port 1667> (p4 -p 1667 login)
- You can also use MySQL, hard code the user/password in the script, etc...
- if success; exit 0
Attempting to use the internal P4 DB may result in a circular loop. Removing
the trigger temporarily to use the P4 DB may result in failed authentication
for other users who may be logging in simultaneously.
Regards,
Tam
-----Original Message-----
From: Greg Barwis [mailto:gbarwis at ncsoft.com]
Sent: Friday, April 28, 2006 1:36 PM
To: G. Matthew Rice; Craig A
Cc: Tam Pham; manual at perforce.com; Paul Goffin;
perforce-user at perforce.com
Subject: RE: [p4] active directory authentication
Mr. Rice -
Were you, perchance, ever corrected in your assumptions on this?
Essentially, we need to accomplish the same sort of thing:
auth-check
- attempt authentication against AD (which I have working)
- if success; exit 0
- if failure;
- attempt <use internal Perforce DB>
- if success; exit 0
Problem is, short of MS-DOS batch file scripting, I am no sort of
programmer... so wouldn't even know where to begin with this. I have
the first part working using an auth-check trigger, so all Perforce
users who have similarly-named Active Directory accounts are able to
auth with their AD credentials. The trick is that we also have a
handful of critical accounts on our Perforce server that do not have
(and should not have) corresponding AD accounts. Some of these are used
for automated processes, others are used for "visiting dignitaries,"
still others are used by users in overseas offices that are outside of
our AD forest.
Has anybody been able to successfully implement this sort of
pseudo-code, so that the internal Perforce db can be used as a fallback
in the event of AD authentication failure?
Thanks,
Greg Barwis
NC Soft Corporation
512.498.4040 w
512.751.1296 c
512.498.4099 f
-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of G. Matthew Rice
Sent: Wednesday, February 22, 2006 7:51 AM
To: Craig A
Cc: 'Tam Pham'; manual at perforce.com; 'Paul Goffin';
perforce-user at perforce.com
Subject: Re: [p4] active directory authentication
"Craig A" <bfquiz at yahoo.com> writes:
> Matthew, I'm not quite sure I understand what you mean by this:
>
> >> You still won't be storing the passwords in the Perforce database, though.
> Are you referring to just the auth-set side of the equation?
>
> Shouldn't your procedure for auth-check be:
>
> auth-check
> - attempt authentication against remote auth server
> - if success; exit 0
> - if failure;
> - attempt 'p4 login'
> - if success; exit 0
>
>
> If I am checking against LDAP/Active Directory and it fails for whatever
> reason, and I then have the trigger fall back on attempting a 'p4 login',
> that is checking against the password stored in the p4 database, right?
The only problem that I see is that it is the 'p4 login' that got you to
the trigger. So, if your trigger calls 'p4 login', Perforce is just
going to call your trigger again...and again...
Unless you're prepared to dynamically modify the triggers (ie. remove
the auth-check trigger so that Perforce will look in its own DB), I
don't see how you can 'revert' to checking against the Perforce db's
passwords. And this wouldn't be a good idea.
That said, it wouldn't be much extra code in your trigger to encrypt the
password (for the user that doesn't have ADS entries) and save it in a
local file.
> Basically I want to tell my users "You can either use your Active Directory
> password, or use the Perforce password".
From what I've seen/read on the auth-* triggers, you don't get to have it
both ways.
I wouldn't mind being corrected on my assumptions, BTW :)
HTH,
--
g. matthew rice <matt at starnix.com>  starnix, toronto, ontario, ca
phone: 647.722.5301 x242  gpg id: EF9AAD20
http://www.starnix.com  professional linux services & products
_______________________________________________
perforce-user mailing list - perforce-user at perforce.com
http://maillist.perforce.com/mailman/listinfo/perforce-user
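
One way to write the fallback discussed in this thread, as an added example that is not code from any of the posters or from Perforce: try AD first, then check a local file of salted PBKDF2 hashes (used here in place of the "encrypt the password" wording above) for the few accounts without AD entries, without ever calling 'p4 login' on the same server. The file format, argument order, iteration count and the ad_check placeholder are assumptions.

```python
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value, tune for your host)

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_entry(user, password):
    """Build one 'user:salt_hex:hash_hex' line for the fallback file."""
    salt = os.urandom(16)
    return f"{user}:{salt.hex()}:{_derive(password, salt).hex()}"

def load_fallback(lines):
    """Parse fallback lines into {user: (salt, hash)}; skips blanks and # comments."""
    store = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            user, salt_hex, hash_hex = line.split(":")
            store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return store

def auth_check(user, password, ad_check, store):
    """Return the trigger exit code: 0 accepts the login, 1 rejects it."""
    if not password:
        return 1  # an empty password can succeed as an unauthenticated LDAP bind
    if ad_check(user, password):
        return 0
    if user not in store:
        return 1  # only accounts listed in the local file may fall back
    salt, expected = store[user]
    # Constant-time comparison; no 'p4 login' call, so the trigger cannot loop.
    return 0 if hmac.compare_digest(_derive(password, salt), expected) else 1

if __name__ == "__main__":
    # Hypothetical wiring: argv[1] is the user name, argv[2] the fallback file,
    # and the password is read from stdin, where Perforce supplies it.
    if len(sys.argv) != 3:
        sys.exit("usage: <script> <user> <fallback-file>  (password on stdin)")
    ad_check = lambda user, password: False  # placeholder for the working AD check
    password = sys.stdin.readline().rstrip("\r\n")
    with open(sys.argv[2]) as fh:
        sys.exit(auth_check(sys.argv[1], password, ad_check, load_fallback(fh)))
```

Keep the fallback file readable only by the account that runs the Perforce server, and list in it only the accounts that have no AD entry.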