[p4] LDAP authentication with encryption

Paul Goffin paul.goffin at dsl.pipex.com
Mon Feb 26 23:25:36 PST 2007


Your IT admin is right to be concerned.

But the Perforce server to AD server connection isn't the real problem -
that can be done with a VLAN for acceptable security if necessary.

The trouble is the connection to the Perforce server.  That's from multiple
desktops to the Perforce server and isn't encrypted.  That's where the
passwords will be sniffed.

If you are intending to use your Windows passwords within Perforce, you'll
need to put Perforce behind an SSH server and put SSH on the desktops.  Or
use an SSL-VPN or something similar.

Perforce, on its own, isn't up to the job.  (To be clear, Perforce have
never claimed otherwise.)

Paul.

-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of markm at emeter.com
Sent: 27 February 2007 00:23
To: MJanulewicz at greendotcorp.com; perforce-user at perforce.com
Subject: Re: [p4] LDAP authentication with encryption


Hi Matt,

Thanks for the prompt reply. And it is Active Directory that I am using for
user authentication, so I apologize for any confusion.

Is that Perl script that you are using in the Perforce public depot? Or is
it something that you would be willing to share? I received a script from
Perforce tech support (which I am attaching) that just uses simple
authentication for binding to Active Directory. And my IT admin is concerned
about sending clear text passwords around the network.

Thanks,
Mark

-----Original Message-----
From: Matthew Janulewicz [mailto:MJanulewicz at greendotcorp.com] 
Sent: Monday, February 26, 2007 4:17 PM
To: Mark MacDonald; perforce-user at perforce.com
Subject: RE: [p4] LDAP authentication with encryption

I'm not hugely knowledgeable about LDAP, but I got authentication to work
with Active Directory. We're using a Perl script that uses the Net::LDAP
library from CPAN to connect (attempt a bind.) We originally were not sure
if it encrypted the password, so we set a sniffer loose on it and were not
able to find any passwords being sent across in plain text. Your mileage may
vary.

At the very least you should be able to find a library to support SSL
(LDAPS) to send encrypted info across the wire to the server. However, you
of course will need an LDAP server at the other end that understands the
encrypted data once it gets there. The CPAN module seems to handle this
pretty easily.

Lastly, we did discover that if you have verbose logging turned on for the
Perforce server, the particular script and library we use will write
passwords in plaintext in the log. Look out for that.


-Matt

-----Original Message-----
From: markm at emeter.com [mailto:markm at emeter.com] 
Sent: Monday, February 26, 2007 10:14 AM
To: perforce-user at perforce.com
Subject: [p4] LDAP authentication with encryption

Has anyone set up Perforce to use LDAP as an external authentication method,
and to also encrypt the authentication communication to the LDAP server?
Perforce tech support provided an authentication script that works fine,
except for the fact that it only uses simple authentication with the LDAP
server. This method sends the passwords in clear text between the Perforce
server and the LDAP server. Has anyone written a similar trigger that uses
an encrypted binding to the LDAP server?

 

Thanks,

Mark
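
Added example, not part of the original thread and not the script Perforce support supplied: a sketch of an auth-check trigger that binds to Active Directory over LDAPS with Net::LDAP, covering only the Perforce-server-to-directory hop discussed above. The server URI, UPN suffix, CA file path, trigger name and script path are placeholders, and binding as user@domain is an assumption about the directory.

```perl
#!/usr/bin/perl
# Added example: Perforce auth-check trigger that binds to AD over LDAPS.
# Assumed trigger table entry (name and path are hypothetical):
#   adauth auth-check auth "/p4/triggers/ad_auth.pl %user%"
use strict;
use warnings;
use Net::LDAP;

# Placeholder values: replace with your own DC, UPN suffix and CA bundle.
my $LDAP_URI   = 'ldaps://dc1.example.com:636';
my $UPN_SUFFIX = 'example.com';
my $CA_FILE    = '/etc/ssl/certs/example-ca.pem';

# Decide whether a username/password pair is safe to send to the directory.
sub acceptable_input {
    my ($user, $password) = @_;
    return 0 unless defined $user && $user =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    # A simple bind with an empty password is an "unauthenticated bind",
    # which a directory server may accept; reject it before connecting.
    return 0 unless defined $password && length $password;
    return 1;
}

# Returns 1 if the directory accepts the credentials, 0 otherwise.
sub ad_bind_ok {
    my ($user, $password) = @_;
    # verify => 'require' makes the connection fail if the server
    # certificate does not validate against $CA_FILE.
    my $ldap = Net::LDAP->new($LDAP_URI,
        verify  => 'require',
        cafile  => $CA_FILE,
        timeout => 10,
    ) or return 0;
    my $mesg = $ldap->bind("$user\@$UPN_SUFFIX", password => $password);
    my $ok = $mesg->code == 0;   # 0 is LDAP_SUCCESS
    $ldap->unbind;
    return $ok ? 1 : 0;
}

my $user     = shift @ARGV;
my $password = <STDIN>;          # Perforce supplies the password on stdin
if (defined $password) { $password =~ s/\r?\n\z//; }

# Exit 0 accepts the login; any other status rejects it.
# The script prints nothing, including the password.
exit(acceptable_input($user, $password) && ad_bind_ok($user, $password) ? 0 : 1);
```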
