[p4] LDAP authentication with encryption

Shawn Hladky p4shawn at gmail.com
Tue Feb 27 07:36:19 PST 2007


That's what I originally thought too, but we ran a p4 client through a
sniffer and p4 login does NOT send passwords in plain text to the
server.

On 2/27/07, Paul Goffin <paul.goffin at dsl.pipex.com> wrote:
> Your IT admin is right to be concerned.
>
> But the Perforce server to AD server connection isn't the real problem -
> that can be done with a VLAN for acceptable security if necessary.
>
> The trouble is the connection to the Perforce server.  That's from multiple
> desktops to the Perforce server and isn't encrypted.  That's where the
> passwords will be sniffed.
>
> If you are intending to use your Windows passwords within Perforce, you'll
> need to put Perforce behind a SSH server and put SSH on the desktops.  Or
> use an SSL-VPN or something similar.
>
> Perforce, on its own, isn't up to the job.  (To be clear, Perforce have
> never claimed otherwise.)
>
> Paul.
>
> -----Original Message-----
> From: perforce-user-bounces at perforce.com
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of markm at emeter.com
> Sent: 27 February 2007 00:23
> To: MJanulewicz at greendotcorp.com; perforce-user at perforce.com
> Subject: Re: [p4] LDAP authentication with encryption
>
>
> Hi Matt,
>
> Thanks for the prompt reply. And it is Active Directory that I am using for
> user authentication, so I apologize for any confusion.
>
> Is that perl script that you are using in the Perforce public depot? Or is
> it something that you would be willing to share? I received a script from
> Perforce tech support (which I am attaching) that just uses simple
> authentication for binding to Active Directory. And my IT admin is concerned
> about sending clear text passwords around the network.
>
> Thanks,
> Mark
>
> -----Original Message-----
> From: Matthew Janulewicz [mailto:MJanulewicz at greendotcorp.com]
> Sent: Monday, February 26, 2007 4:17 PM
> To: Mark MacDonald; perforce-user at perforce.com
> Subject: RE: [p4] LDAP authentication with encryption
>
> I'm not hugely knowledgeable about LDAP, but I got authentication to work
> with Active Directory. We're using a perl script that uses the Net::LDAP
> library from cpan to connect (attempt a bind.) We originally were not sure
> if it encrypted the password, so we set a sniffer loose on it and were not
> able to find any passwords being sent across in plain text. Your mileage may
> vary.
>
> At the very least you should be able to find a library to support ssl
> (LDAPS) to send encrypted info across the wire to the server. However, you
> of course will need an LDAP server at the other end that understands the
> encrypted data once it gets there. The CPAN module seems to handle this
> pretty easily.
>
> Lastly, we did discover that if you have verbose logging turned on for the
> Perforce server, the particular script and library we use will write
> passwords in plaintext in the log. Look out for that.
>
>
> -Matt
>
> -----Original Message-----
> From: markm at emeter.com [mailto:markm at emeter.com]
> Sent: Monday, February 26, 2007 10:14 AM
> To: perforce-user at perforce.com
> Subject: [p4] LDAP authentication with encryption
>
> Has anyone set up Perforce to use LDAP as an external authentication method,
> and to also encrypt the authentication communication to the LDAP server?
> Perforce tech support provided an authentication script that works fine,
> except for the fact that it only uses simple authentication with the LDAP
> server. This method sends the passwords in clear text between the Perforce
> server and the LDAP server. Has anyone written a similar trigger that uses
> an encrypted binding to the LDAP server?
>
>
>
> Thanks,
>
> Mark
>
> _______________________________________________
> perforce-user mailing list  -  perforce-user at perforce.com
> http://maillist.perforce.com/mailman/listinfo/perforce-user
>
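
An added example, not part of the original thread and not the script Perforce support or any poster supplied: a Perforce auth-check trigger in Perl that uses Net::LDAP with StartTLS so the bind password never crosses the Perforce-to-AD link in clear text. The host name, CA bundle path and UPN suffix are placeholders, and the script assumes it is registered as an auth-check trigger with %user% as its only argument.

```perl
#!/usr/bin/perl
# Added example: Perforce auth-check trigger that binds to Active Directory
# only over a certificate-verified TLS channel (StartTLS).
# Assumed (hypothetical) values: host, CA bundle path, UPN suffix.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $HOST   = 'dc1.example.com';            # placeholder domain controller
my $CAFILE = '/etc/ssl/certs/corp-ca.pem'; # placeholder CA bundle
my $SUFFIX = '@example.com';               # placeholder UPN suffix

# Perforce passes the user name as an argument (%user% in the trigger
# table) and the password on stdin; exit 0 accepts, non-zero rejects.
my $user = shift @ARGV;
defined $user && $user =~ /^[A-Za-z0-9._-]+$/ or deny('bad user name');

my $password = <STDIN>;
defined $password or deny('no password supplied');
$password =~ s/\r?\n\z//;
# An empty password makes a simple bind "succeed" as an unauthenticated
# bind on many directories, so reject it before contacting the server.
length $password or deny('empty password');

my $ldap = Net::LDAP->new($HOST, port => 389, timeout => 10)
    or deny('cannot reach directory');

# Upgrade to TLS and require a valid server certificate. If this fails,
# stop: never fall back to sending the bind in clear text.
my $tls = $ldap->start_tls(verify => 'require', cafile => $CAFILE);
$tls->code == LDAP_SUCCESS or deny('StartTLS failed: ' . $tls->error);

my $bind = $ldap->bind($user . $SUFFIX, password => $password);
$ldap->unbind;
$bind->code == LDAP_SUCCESS or deny('invalid credentials');
exit 0;

# Report a reason without ever echoing the password, so nothing
# sensitive ends up in the Perforce server log.
sub deny {
    my ($why) = @_;
    print "Authentication failed: $why\n";
    exit 1;
}
```

This protects only the Perforce-server-to-directory leg; the desktop-to-Perforce connection discussed in the thread is a separate link.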

