[p4] Triggers and best practice authentication from scripts

Sweeney, Tony sweeney at ea.com
Thu Nov 30 06:37:45 PST 2006


I should imagine that "cat > db.trigger" on the server, possibly
followed by a restart would do the trick -- it should fall back to the
existing authentication records in db.user.  Also, if you install a
broken auth-check trigger, my reading of the admin guide is that while
you still have a valid ticket, you can continue to use and admin
Perforce.  So, use a spare super account to test auth-check triggers.

Tony.

quis custodiet ipsos custodes -- Juvenal VI, 347-8  

> -----Original Message-----
> From: perforce-user-bounces at perforce.com 
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of Finn 
> Normann Pedersen
> Sent: 30 November 2006 13:12
> To: Stephen Vance
> Cc: perforce-user at perforce.com
> Subject: Re: [p4] Triggers and best practice authentication 
> from scripts
> 
> Hi Stephen,
> 
> He he ... agree on paranoid defensive programming, but however in this
> case when you add the auth-check trigger, the entire authentication
> system is hooked to an external program, which means that if my
> external program doesnt work for some reason (LDAP down, moved,
> reconfigured DN,CN) I cannot access the P4 database and remove or
> alter the trigger.
> 
> That was why I asked if there was another way to remove the trigger,
> other than "p4 triggers".
> 
> Regards,
>   Finn
> 
> 
> 
> On 11/30/06, Stephen Vance <steve at vance.com> wrote:
> >
> >  Just implicitly by removing or replacing the trigger script.
> >
> >  I'd just advocate paranoid levels of defensive programming.
> >
> >  Steve
> >
> >
> >  Finn Normann Pedersen wrote:
> >  Thanks for all the nice replies !
> >
> > A related question on triggers - can you (somehow) remove triggers
> > without access from a super account, e.g. directly from the server.
> > While auth-check features are nice, script errors kinda 
> lock up access
> > to P4!?
> >
> > (and yes, I do use a test server while jinxing these scripts)
> >
> > Cheers,
> >  Finn
> >
> >
> > Matthew Janulewicz wrote:
> >
> >
> >  I believe this is true.
> >
> > When I take my laptop home and log in through our VPN, I 
> get asked to
> > log in again. When I come back to work, I log in a second (third,
> > really) time.
> >
> > I don't believe I have a static IP address at work, though. 
> Perhaps it
> > has something to do with hostname? Or maybe I'm just nuts?
> >
> >
> > -Matt
> >
> >
> > -----Original Message-----
> > From: Greg Whitfield [mailto:g.whitfield at computer.org]
> > Sent: Wednesday, November 29, 2006 1:06 PM
> > To: 'Tetlow, Gordon'; 'Elkins, Mark'; 'Finn Normann Pedersen'
> > Cc: perforce-user at perforce.com
> > Subject: Re: [p4] Triggers and best practice authentication 
> from scripts
> >
> > I may be wrong on this, but I have a vague recollection 
> that the ticket
> > gets
> > reset if you login from another IP address as the same user. If this
> > happened then the trigger would start to fail until you did 
> another p4
> > login
> > from the machine upon which the triggers were executing.
> >
> > Worth checking, and perhaps enforcing with the protections 
> table to only
> > allow your background user account access from a single IP address.
> >
> > Greg
> > ~~~~
> >
> >
> >
> >
> > -----Original Message-----
> > From: perforce-user-bounces at perforce.com
> > [mailto:perforce-user-bounces at perforce.com] On Behalf Of
> > Tetlow, Gordon
> > Sent: 29 November 2006 20:02
> > To: Elkins, Mark; Finn Normann Pedersen
> > Cc: perforce-user at perforce.com
> > Subject: Re: [p4] Triggers and best practice authentication 
> from scripts
> >
> > Security level is meaningless when you have an auth trigger.
> >
> > You *must* use 'p4 login' when you have an auth trigger. Using p4 -P
> > mypass
> > doesn't work anymore.
> >
> > I would recommend you run your triggers as a background user with a
> > really
> > long timeout. Just add the user to a group with a timeout 
> of 0 and you
> > should be set until 2038 or so.
> >
> > -gordon
> >
> >
> >  _______________________________________________
> > perforce-user mailing list - perforce-user at perforce.com
> > http://maillist.perforce.com/mailman/listinfo/perforce-user
> >
> >
> >
> _______________________________________________
> perforce-user mailing list  -  perforce-user at perforce.com
> http://maillist.perforce.com/mailman/listinfo/perforce-user
> 




More information about the perforce-user mailing list