[p4] Triggers and best practice authentication from scripts

Steven Bougon SBougon at ariba.com
Thu Nov 30 09:44:07 PST 2006


>you can shut down the server, delete db.trigger and restart the server
This approach is also the one Perforce Support recommended when I 
was facing the same problem (last week):
- shut down p4d
- mv db.trigger db.trigger.tmp
- restart server
- mv db.trigger.tmp db.trigger
(since the auth check gets activated after a restart only)

 
Here too, we are trying to use the auth-check to authenticate with 
LDAP. So far, so good, except that I wanted to have some users without
any password at all (since p4 protect allows these users to work only
on a certain IP which is totally secure), so I was hoping to write in 
my script: if ($user eq "mySpecialUser") {exit(0);}
but p4 login still prompts for a password unfortunately
(of course, you can provide any string and "mySpecialUser" gets
authenticated, but still a bummer).

So right now, we are going through the fun of:
- users that are not in Active Directory => create accounts in ldap
- p4 user with a different name in Active Directory => mapping
- find a solution for all the scripts running with some p4 users
that used to be passwordless

With the auth-check trigger, I'm not sure how relevant the server security
level (0, 1, 2 or 3) is. Any idea?

Steven
-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of Stephen Vance
Sent: Thursday, November 30, 2006 7:08 AM
To: Finn Normann Pedersen
Cc: perforce-user at perforce.com
Subject: Re: [p4] Triggers and best practice authentication from scripts

Ahhhh. If we're talking about extreme measures, you can shut down the
server, delete db.trigger and restart the server. You could do it more
surgically by checkpointing (directly from p4d), removing the offending
trigger line and restoring your checkpoint.

Steve

Finn Normann Pedersen wrote:
> Hi Stephen,
>
> He he ... agree on paranoid defensive programming, but however in this
> case when you add the auth-check trigger, the entire authentication 
> system is hooked to an external program, which means that if my 
> external program doesn't work for some reason (LDAP down, moved, 
> reconfigured DN,CN) I cannot access the P4 database and remove or 
> alter the trigger.
>
> That was why I asked if there was another way to remove the trigger, 
> other than "p4 triggers".
>
> Regards,
>  Finn
>
>
>
> On 11/30/06, Stephen Vance <steve at vance.com> wrote:
>>
>>  Just implicitly by removing or replacing the trigger script.
>>
>>  I'd just advocate paranoid levels of defensive programming.
>>
>>  Steve
>>
>>
>>  Finn Normann Pedersen wrote:
>>  Thanks for all the nice replies !
>>
>> A related question on triggers - can you (somehow) remove triggers 
>> without access from a super account, e.g. directly from the server.
>> While auth-check features are nice, script errors kinda lock up 
>> access to P4!?
>>
>> (and yes, I do use a test server while jinxing these scripts)
>>
>> Cheers,
>>  Finn
>>
>>
>> Matthew Janulewicz wrote:
>>
>>
>>  I believe this is true.
>>
>> When I take my laptop home and log in through our VPN, I get asked to
>> log in again. When I come back to work, I log in a second (third,
>> really) time.
>>
>> I don't believe I have a static IP address at work, though. Perhaps 
>> it has something to do with hostname? Or maybe I'm just nuts?
>>
>>
>> -Matt
>>
>>
>> -----Original Message-----
>> From: Greg Whitfield [mailto:g.whitfield at computer.org]
>> Sent: Wednesday, November 29, 2006 1:06 PM
>> To: 'Tetlow, Gordon'; 'Elkins, Mark'; 'Finn Normann Pedersen'
>> Cc: perforce-user at perforce.com
>> Subject: Re: [p4] Triggers and best practice authentication from 
>> scripts
>>
>> I may be wrong on this, but I have a vague recollection that the 
>> ticket gets reset if you login from another IP address as the same 
>> user. If this happened then the trigger would start to fail until you
>> did another p4 login from the machine upon which the triggers were 
>> executing.
>>
>> Worth checking, and perhaps enforcing with the protections table to 
>> only allow your background user account access from a single IP
>> address.
>>
>> Greg
>> ~~~~
>>
>>
>>
>>
>> -----Original Message-----
>> From: perforce-user-bounces at perforce.com
>> [mailto:perforce-user-bounces at perforce.com] On Behalf Of Tetlow, 
>> Gordon
>> Sent: 29 November 2006 20:02
>> To: Elkins, Mark; Finn Normann Pedersen
>> Cc: perforce-user at perforce.com
>> Subject: Re: [p4] Triggers and best practice authentication from 
>> scripts
>>
>> Security level is meaningless when you have an auth trigger.
>>
>> You *must* use 'p4 login' when you have an auth trigger. Using p4 -P 
>> mypass doesn't work anymore.
>>
>> I would recommend you run your triggers as a background user with a 
>> really long timeout. Just add the user to a group with a timeout of 0
>> and you should be set until 2038 or so.
>>
>> -gordon
>>
>>
>>  _______________________________________________
>> perforce-user mailing list - perforce-user at perforce.com 
>> http://maillist.perforce.com/mailman/listinfo/perforce-user
>>
>>
>>
>
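
The "paranoid levels of defensive programming" advice for an auth-check script, sketched as an added example (not code from this thread or from Perforce): every failure path denies, an empty password never reaches the directory, and a hung directory cannot hang p4 login. The script path, the timeout value and the fake_bind stand-in for a real LDAP bind are assumptions.

```python
#!/usr/bin/env python3
"""Defensive auth-check trigger sketch (added example, not from the thread).

Assumed trigger table entry (script path is hypothetical):
    ldapauth auth-check auth "/p4/triggers/ldap_auth.py %user%"
p4d passes the typed password on stdin; exit 0 accepts, non-zero rejects.
"""
import sys
import threading

ALLOW, DENY = 0, 1
BIND_TIMEOUT_S = 5  # assumed budget for one directory round trip


def decide(user, password, bind, timeout=BIND_TIMEOUT_S):
    """Return (exit_code, reason). bind(user, password) -> bool is injected."""
    # An empty password turns an LDAP simple bind into an unauthenticated
    # bind, which many servers answer with success. Reject before binding.
    if not user or not password:
        return DENY, "empty user or password"
    result = {}

    def worker():
        try:
            result["ok"] = bind(user, password)
        except Exception as exc:  # LDAP down, moved, DN reconfigured, ...
            result["err"] = type(exc).__name__

    # Daemon thread: a bind that never returns cannot keep the trigger alive.
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    if t.is_alive():
        return DENY, "directory timeout"
    if "err" in result:
        return DENY, "directory error: " + result["err"]
    # Only a literal True accepts; None or another truthy value does not.
    return (ALLOW, "bind ok") if result.get("ok") is True else (DENY, "bind refused")


def fake_bind(user, password):
    """Constructed stand-in for a real LDAP simple bind (hypothetical data)."""
    if user == "ldap-is-down":
        raise ConnectionError("no route to directory")
    return (user, password) == ("alice", "correct horse")


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    code, reason = decide(user, sys.stdin.readline().rstrip("\r\n"), fake_bind)
    print("auth-check %s: %s" % (user, reason), file=sys.stderr)
    sys.exit(code)
```

Because the script denies whenever the directory is unreachable, a directory outage still locks everyone out; the db.trigger procedure described in this thread remains the recovery path.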