[p4] LDAP authentication with encryption

Jeff A. Bowles jab at pobox.com
Tue Feb 27 15:46:32 PST 2007


From what I've seen and heard from the folks inside Perforce on this topic,
Shawn's right - the password transmission is indeed encrypted 'twixt the client
and the server. (This will also help allay security concerns.)

   -Jeff Bowles

On 2/27/07, Shawn Hladky <p4shawn at gmail.com> wrote:
> That's what I originally thought too, but we ran a p4 client through a
> sniffer and p4 login does NOT send passwords in plain text to the
> server.
>
> On 2/27/07, Paul Goffin <paul.goffin at dsl.pipex.com> wrote:
> > Your IT admin is right to be concerned.
> >
> > But the Perforce server to AD server connection isn't the real problem -
> > that can be done with a VLAN for acceptable security if necessary.
> >
> > The trouble is the connection to the Perforce server.  That's from multiple
> > desktops to the Perforce server and isn't encrypted.  That's where the
> > passwords will be sniffed.
> >
> > If you are intending to use your Windows passwords within Perforce, you'll
> > need to put Perforce behind a SSH server and put SSH on the desktops.  Or
> > use an SSL-VPN or something similar.
> >
> > Perforce, on its own, isn't up to the job.  (To be clear, Perforce have
> > never claimed otherwise.)
> >
> > Paul.
> >
> > -----Original Message-----
> > From: perforce-user-bounces at perforce.com
> > [mailto:perforce-user-bounces at perforce.com] On Behalf Of markm at emeter.com
> > Sent: 27 February 2007 00:23
> > To: MJanulewicz at greendotcorp.com; perforce-user at perforce.com
> > Subject: Re: [p4] LDAP authentication with encryption
> >
> >
> > Hi Matt,
> >
> > Thanks for the prompt reply. And it is Active Directory that I am using for
> > user authentication, so I apologize for any confusion.
> >
> > Is that perl script that you are using in the Perforce public depot? Or is
> > it something that you would be willing to share? I received a script from
> > Perforce tech support (which I am attaching) that just uses simple
> > authentication for binding to Active Directory. And my IT admin is concerned
> > about sending clear text passwords around the network.
> >
> > Thanks,
> > Mark
> >
> > -----Original Message-----
> > From: Matthew Janulewicz [mailto:MJanulewicz at greendotcorp.com]
> > Sent: Monday, February 26, 2007 4:17 PM
> > To: Mark MacDonald; perforce-user at perforce.com
> > Subject: RE: [p4] LDAP authentication with encryption
> >
> > I'm not hugely knowledgeable about LDAP, but I got authentication to work
> > with Active Directory. We're using a perl script that uses the Net::LDAP
> > library from cpan to connect (attempt a bind.) We originally were not sure
> > if it encrypted the password, so we set a sniffer loose on it and were not
> > able to find any passwords being sent across in plain text. Your mileage may
> > vary.
> >
> > At the very least you should be able to find a library to support ssl
> > (LDAPS) to send encrypted info across the wire to the server. However, you
> > of course will need an LDAP server at the other end that understands the
> > encrypted data once it gets there. The CPAN module seems to handle this
> > pretty easily.
> >
> > Lastly, we did discover that if you have verbose logging turned on for the
> > Perforce server, the particular script and library we use will write
> > passwords in plaintext in the log. Look out for that.
> >
> >
> > -Matt
> >
> > -----Original Message-----
> > From: markm at emeter.com [mailto:markm at emeter.com]
> > Sent: Monday, February 26, 2007 10:14 AM
> > To: perforce-user at perforce.com
> > Subject: [p4] LDAP authentication with encryption
> >
> > Has anyone set up Perforce to use LDAP as an external authentication method,
> > and to also encrypt the authentication communication to the LDAP server?
> > Perforce tech support provided an authentication script that works fine,
> > except for the fact that it only uses simple authentication with the LDAP
> > server. This method sends the passwords in clear text between the Perforce
> > server and the LDAP server. Has anyone written a similar trigger that uses
> > an encrypted binding to the LDAP server?
> >
> >
> >
> > Thanks,
> >
> > Mark
> >
> > _______________________________________________
> > perforce-user mailing list  -  perforce-user at perforce.com
> > http://maillist.perforce.com/mailman/listinfo/perforce-user


-- 
---
Jeff Bowles - jab at piccoloeng.com
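
The sniffer checks described in the thread, as an added example that is not part of the original messages: a classifier for the first payload a client sends on the Perforce-server-to-directory LDAP connection, telling a cleartext simple bind apart from LDAPS, StartTLS and SASL. The sample bytes, DN and password are constructed, and the function names are hypothetical; it reports only the password length, never the value.

```python
# Added example: classify the first client payload seen on an LDAP connection.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation

def read_tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]    # IndexError if the header is cut off
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify_first_bytes(payload):
    """Return a verdict string for the first client payload on an LDAP port."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"              # LDAPS: TLS handshake record
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:                     # LDAPMessage is a SEQUENCE
            return "unknown"
        _, _, pos = read_tlv(msg, 0)        # messageID
        op_tag, op, _ = read_tlv(msg, pos)
        if op_tag == 0x77:                  # ExtendedRequest [APPLICATION 23]
            _, oid, _ = read_tlv(op, 0)
            return "starttls-request" if oid == STARTTLS_OID else "extended-request"
        if op_tag != 0x60:                  # BindRequest is [APPLICATION 0]
            return "other-ldap-op"
        _, _, pos = read_tlv(op, 0)         # protocol version
        _, dn, pos = read_tlv(op, pos)      # bind DN
        auth_tag, cred, _ = read_tlv(op, pos)
    except (ValueError, IndexError):
        return "unknown"
    if auth_tag == 0x80:                    # simple [0]: password sent as-is
        return f"cleartext-simple-bind dn={dn.decode(errors='replace')} pwlen={len(cred)}"
    return "sasl-bind" if auth_tag == 0xA3 else "unknown"

def _tlv(tag, value):                       # builds the constructed samples (< 128 bytes)
    return bytes([tag, len(value)]) + value

# Constructed sample payloads, not captured traffic.
SAMPLE_SIMPLE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60, _tlv(0x02, b"\x03")
    + _tlv(0x04, b"cn=p4svc,dc=example,dc=com") + _tlv(0x80, b"not-a-real-pw")))
SAMPLE_STARTTLS = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))
SAMPLE_TLS = bytes.fromhex("160301002e01")  # first bytes of a TLS handshake record
```

A "starttls-request" verdict covers only the upgrade request itself; the payloads that follow it on the same connection should classify as "tls-handshake" before any bind appears.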

