[p4] LDAP authentication with encryption

Tetlow, Gordon gtetlow at soe.sony.com
Tue Feb 27 16:33:09 PST 2007


It's not in plaintext, but it is certainly not encrypted. I believe it
is just encoded (at best it uses a static symmetric key).

-gordon 

> -----Original Message-----
> From: perforce-user-bounces at perforce.com 
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of Shawn Hladky
> Sent: Tuesday, February 27, 2007 7:36 AM
> To: Paul Goffin
> Cc: markm at emeter.com; MJanulewicz at greendotcorp.com; 
> perforce-user at perforce.com
> Subject: Re: [p4] LDAP authentication with encryption
> 
> That's what I originally thought too, but we ran a p4 client through a
> sniffer and p4 login does NOT send passwords in plain text to the
> server.
> 
> On 2/27/07, Paul Goffin <paul.goffin at dsl.pipex.com> wrote:
> > Your IT admin is right to be concerned.
> >
> > But the Perforce server to AD server connection isn't the real
> > problem - that can be done with a VLAN for acceptable security if
> > necessary.
> >
> > The trouble is the connection to the Perforce server.  That's from
> > multiple desktops to the Perforce server and isn't encrypted.  That's
> > where the passwords will be sniffed.
> >
> > If you are intending to use your Windows passwords within Perforce,
> > you'll need to put Perforce behind a SSH server and put SSH on the
> > desktops.  Or use an SSL-VPN or something similar.
> >
> > Perforce, on its own, isn't up to the job.  (To be clear, Perforce
> > have never claimed otherwise.)
> >
> > Paul.
> >
> > -----Original Message-----
> > From: perforce-user-bounces at perforce.com
> > [mailto:perforce-user-bounces at perforce.com] On Behalf Of
> > markm at emeter.com
> > Sent: 27 February 2007 00:23
> > To: MJanulewicz at greendotcorp.com; perforce-user at perforce.com
> > Subject: Re: [p4] LDAP authentication with encryption
> >
> >
> > Hi Matt,
> >
> > Thanks for the prompt reply. And it is Active Directory that I am
> > using for user authentication, so I apologize for any confusion.
> >
> > Is that Perl script that you are using in the Perforce public depot?
> > Or is it something that you would be willing to share? I received a
> > script from Perforce tech support (which I am attaching) that just
> > uses simple authentication for binding to Active Directory. And my IT
> > admin is concerned about sending clear text passwords around the
> > network.
> >
> > Thanks,
> > Mark
> >
> > -----Original Message-----
> > From: Matthew Janulewicz [mailto:MJanulewicz at greendotcorp.com]
> > Sent: Monday, February 26, 2007 4:17 PM
> > To: Mark MacDonald; perforce-user at perforce.com
> > Subject: RE: [p4] LDAP authentication with encryption
> >
> > I'm not hugely knowledgeable about LDAP, but I got authentication to
> > work with Active Directory. We're using a Perl script that uses the
> > Net::LDAP library from CPAN to connect (attempt a bind.) We originally
> > were not sure if it encrypted the password, so we set a sniffer loose
> > on it and were not able to find any passwords being sent across in
> > plain text. Your mileage may vary.
> >
> > At the very least you should be able to find a library to support SSL
> > (LDAPS) to send encrypted info across the wire to the server. However,
> > you of course will need an LDAP server at the other end that
> > understands the encrypted data once it gets there. The CPAN module
> > seems to handle this pretty easily.
> >
> > Lastly, we did discover that if you have verbose logging turned on
> > for the Perforce server, the particular script and library we use will
> > write passwords in plaintext in the log. Look out for that.
> >
> >
> > -Matt
> >
> > -----Original Message-----
> > From: markm at emeter.com [mailto:markm at emeter.com]
> > Sent: Monday, February 26, 2007 10:14 AM
> > To: perforce-user at perforce.com
> > Subject: [p4] LDAP authentication with encryption
> >
> > Has anyone set up Perforce to use LDAP as an external authentication
> > method, and to also encrypt the authentication communication to the
> > LDAP server? Perforce tech support provided an authentication script
> > that works fine, except for the fact that it only uses simple
> > authentication with the LDAP server. This method sends the passwords
> > in clear text between the Perforce server and the LDAP server. Has
> > anyone written a similar trigger that uses an encrypted binding to the
> > LDAP server?
> >
> >
> >
> > Thanks,
> >
> > Mark
> >
> > _______________________________________________
> > perforce-user mailing list  -  perforce-user at perforce.com
> > http://maillist.perforce.com/mailman/listinfo/perforce-user
> >
> 
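
The encrypted bind asked about in this thread, as an added example that is not part of any message above and is not the Perforce tech support script or Matt's script: a Perforce auth-check trigger in Perl that binds to Active Directory with Net::LDAP over LDAPS, verifies the server certificate, and never writes the password anywhere. The directory host, CA file path and UPN suffix are placeholders, and the script assumes the trigger table passes the user name (%user%) as the first argument.

```perl
#!/usr/bin/perl
# Added example: Perforce auth-check trigger, simple bind inside TLS (LDAPS).
# Host, CA file and UPN suffix below are placeholders, not real values.
use strict;
use warnings;
use Net::LDAP;

my $LDAP_URI   = 'ldaps://dc1.example.com:636';       # placeholder
my $CA_FILE    = '/etc/ssl/certs/example-ad-ca.pem';  # placeholder
my $UPN_SUFFIX = 'example.com';                       # placeholder

# Report a reason (never the password) and fail the login.
sub deny {
    my ($why) = @_;
    print STDERR "auth-check: $why\n";
    exit 1;
}

my $user = shift @ARGV;
deny('no valid user name given')
    unless defined $user && $user =~ /\A[\w.\-]+\z/;

# Perforce hands the password to an auth-check trigger on stdin,
# so it never appears on the command line or in the process list.
my $password = <STDIN>;
deny('no password on stdin') unless defined $password;
$password =~ s/\r?\n\z//;

# A simple bind with an empty password is an "unauthenticated bind",
# which many directories accept as success. Reject it before binding.
deny('empty password') if $password eq '';

# verify => 'require' makes the TLS handshake fail unless the server
# certificate chains to $CA_FILE; without it the link is encrypted but
# the server is not authenticated.
# StartTLS alternative: connect with ldap:// and call
#   $ldap->start_tls(verify => 'require', cafile => $CA_FILE)
# and check its result before sending the bind.
my $ldap = Net::LDAP->new($LDAP_URI,
    verify => 'require', cafile => $CA_FILE, timeout => 10)
    or deny("cannot open TLS connection to directory: $@");

# Active Directory accepts user@domain (UPN) as the bind name.
my $mesg = $ldap->bind("$user\@$UPN_SUFFIX", password => $password);
my $code = $mesg->code;
my $name = $mesg->error_name;
$ldap->unbind;

deny("bind rejected ($name)") if $code;
exit 0;   # exit status 0 tells Perforce the password was accepted
```

This protects only the Perforce-server-to-directory hop; the password still has to reach the Perforce server from the desktop, which is the separate concern raised earlier in the thread.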


