# Active Directory & LDAP Authentication Without Triggers

DESCRIPTION

See how to build Active Directory and LDAP authentication into the Perforce Server, streamlining the process of linking your Perforce environment with your enterprise authentication system—no triggers required!

TRANSCRIPT
## AD and LDAP Authentication Without Triggers

Sven Erik Knop, Technical Marketing Manager
Nick Poole, Software Engineer
Technical Marketing Engineer, Perforce Software
Senior Developer, Perforce Software
## Agenda

• User authentication in Perforce – a brief overview
• What is LDAP?
• Integrating LDAP with Perforce
## User Authentication in Perforce
## Freshly Installed Perforce Server

• Users are created automatically when connecting
• security = 0
  – Passwords are not enforced (but can be set)
  – Any password is acceptable
  – Passwords can be stored in the clear on the client
• No protection table – everyone has super rights
## Hardening Access to Perforce

• Create a protection table
• Set dm.user.noautocreate
  – 1: need to run p4 user explicitly
  – 2: need to have superuser access
• Set security
  – 1: Need strong password (8 mixed chars minimum)
  – 2: Enforce strong password
  – 3: Need to run p4 login to create ticket
## Tickets

• Represents a session to Perforce
  – Typically time-limited (12 hours default)
• Created by p4 login
  – Stored locally in P4TICKETS file
  – p4 tickets lists all available tickets

Output of p4 tickets:

```
Port             User     Ticket
localhost:20101  p4admin  F84DB47C7C7206C1120EB9F5021F83E9
```
## External Password Authentication

• Goals
  – Single password storage and rules
  – Simplifies monitoring and revoking of access
• Authentication triggers
  – auth_check to verify a password
  – auth_set to set a password
## External Password Authentication

Login sequence between the client, the server and the Auth trigger:

1. Client runs p4 login, sending user-login to the server
2. Server answers with client-Prompt: "Enter Password:"
3. Client returns <password>; the server runs dm-login
4. Server invokes the auth-check trigger
5. Trigger replies <accepted>
6. Server sends client-SetPassword; the user sees "User logged in."
## LDAP
## What is LDAP?

• Lightweight Directory Access Protocol
  – Alternative to DAP for X.500 directory service
• Supported by different directory services, e.g.
  – Active Directory (AD, Microsoft™)
  – OpenLDAP

| Operation | Purpose |
| --- | --- |
| bind | authenticate user against password |
| search | find entries in the directory |
## What is a Directory Service?

• A directory is a map { key → value }
• A directory service is a database serving that map
  – Telephone directory
  – DNS (domain name service)
  – User account management (password, permissions)
## Pattern for User Authentication

• With username, either
  – Construct DN
  – Search to find the unique identifier
• Bind against provided password

| Field | Name | Description |
| --- | --- | --- |
| dn | Distinguished Name | Unique identifier |
| dc | Domain Component | For example, DC=www,DC=perforce,DC=com |
| ou | Organizational Unit | For example, a user group |
| cn | Common Name | Person's name, job title etc. |
## LDAP Integration

• auth_check trigger works well, but ...
  – Needs to be installed separately
  – No standard (Python, Perl, C++ implementations)
  – One more headache for administrators
• Most common request on P4Ideax:
  – Perforce should provide built-in LDAP integration
• Now available in P4D 2014.2
## Implementation
## No More Triggers

• The new LDAP integration is an alternative to the auth_check trigger
  – When enabled, any auth_* triggers are disabled
• Configuration uses:
  – p4 ldap
  – p4 ldaps
  – p4 configure
## Defining an LDAP Server Connection

• Configuration provided to the Perforce Server as a spec using the new command:
  – p4 ldap
• The fundamental parameters:
  – Hostname
  – Port number
  – Encryption method
## Mapping Users to Directory Objects

• How the user is identified in the directory before authentication needs to be configured.
• 3 bind methods supported:
  – Simple
  – Search
  – SASL
## Bind Method 1: Simple

• This method takes a DN with a %user% placeholder
  – cn=%user%,ou=Users,dc=p4,dc=com
  – cn=npoole,ou=Users,dc=p4,dc=com
• Only suitable for the simplest directory layouts.
## Bind Method 2: Search

• This method takes an LDAP query with a %user% placeholder and expands it.
  – (&(objectClass=user)(sAMAccountName=%user%))
• A known read-only user is used to perform the search to discover the user's DN.
  – Only one result must be returned by the query.
## Bind Method 3: SASL

• This method doesn't normally require any configuration.
  – All that is required is a username and a password.
  – LDAP server is responsible for finding the user from the username.
• Active Directory supports this out of the box.
  – Not all LDAP servers support this.
  – Uses the DIGEST-MD5 SASL mechanism.
## LDAP Group Based Authorization

• Optional feature for restricting Perforce access to only users in the LDAP who use Perforce.
• Ensures that the user belongs to one or more named groups in the LDAP.
• This is defined by an LDAP group search.
  – (&(objectClass=posixGroup)(cn=development)(memberUid=%user%))
## Testing the Configuration

• The new p4 ldap and p4 ldaps commands both have -t <username> options.
  – This allows an LDAP configuration to be tested before it is enabled.
• Authentication failures are reported with more detailed messages than a user would see running p4 login.
## Enabling LDAP Authentication

• Use p4 configure to set the ordered list of LDAP configurations:
  – p4 configure set auth.ldap.order.1=MasterAD
• This supports:
  – Fragmented user directories (one directory server per office).
  – Replicated user directories (for failover).
## Migrating Users to Use LDAP

• Users must be configured to use LDAP.
  – Many background (non-human) Perforce users are not stored in LDAP.
  – A new AuthMethod field on the user spec switches users between authenticating against the Perforce database and LDAP.
## Authentication Based User Creation

• The default user AuthMethod can be changed to ldap.
• This enables automatic user creation for any user who can authenticate using p4 login.
• This works best with the group based authorization.
## DEMO
## Slide-ware Demo Backup
## An example record in OpenLDAP
## Using Simple Bind with OpenLDAP
## Using Search Bind with OpenLDAP
## Using SASL Bind with OpenLDAP
## An example record in AD
## Using Search Bind with AD
## Using SASL Bind with AD
## Group Authorization with OpenLDAP
## Group Authorization with AD
## Fragmented Directories

Diagram panels: OpenLDAP, Active Directory
## Ordered Directory Querying

• Set the configurables
  – auth.ldap.order.1=openldap-search
  – auth.ldap.order.2=ad-search
• Run p4 ldaps -t sbaker

```
Testing authentication against LDAP configuration openldap-search.
User not found by LDAP search "(&(objectClass=inetOrgPerson)(cn=sbaker))" starting at ou=employees,dc=p4,dc=com
Testing authentication against LDAP configuration ad-search.
Authentication successful.
```
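The search bind (Bind Method 2), the group-based authorization filter and the ordered fall-through shown in the p4 ldaps -t output above all rest on the same mechanism: expand %user% into a filter, run the search under a base DN, and act on the number of results. The block below is an added example in Python, not Perforce code and not part of the presentation. It uses constructed in-memory directories, hypothetical stand-ins named openldap-search and ad-search for the two p4 ldap specs, and a deliberately small filter evaluator (and/or/not plus equality with wildcards) in place of a real LDAP library. It escapes the substituted value per RFC 4515, enforces the "exactly one result" rule from the Search slide, and walks auth.ldap.order.N so that a miss in the first directory falls through to the second, as in the output above.

```python
import re

# Constructed sample directories (not real data): dn -> attributes, with attribute
# names lower-cased so lookups are case-insensitive as they are in LDAP.
OPENLDAP = {
    "cn=npoole,ou=employees,dc=p4,dc=com": {"objectclass": ["inetOrgPerson"], "cn": ["npoole"]},
    "cn=development,ou=groups,dc=p4,dc=com": {"objectclass": ["posixGroup"], "cn": ["development"], "memberuid": ["npoole"]},
}
AD = {"cn=sbaker,ou=staff,dc=ad,dc=p4,dc=com": {"objectclass": ["user"], "samaccountname": ["sbaker"]}}

# Hypothetical stand-ins for the p4 ldap specs named by auth.ldap.order.1 / .2:
# name -> (directory, search base DN, search filter template).
CONFIGS = {
    "openldap-search": (OPENLDAP, "ou=employees,dc=p4,dc=com", "(&(objectClass=inetOrgPerson)(cn=%user%))"),
    "ad-search": (AD, "dc=ad,dc=p4,dc=com", "(&(objectClass=user)(sAMAccountName=%user%))"),
}
ORDER = ["openldap-search", "ad-search"]

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand_template(template, user):
    return template.replace("%user%", escape_filter_value(user))

def _parse(s, i=0):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.index(")", i)  # a literal ')' inside a value must be escaped as \29
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def _value_regex(value):
    """Unescaped '*' is a wildcard; a \\XX escape stands for one literal character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(".*" if value[i] == "*" else re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def _matches(node, entry):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    pattern = _value_regex(node[2])
    return any(pattern.match(v) for v in entry.get(node[1], []))

def search(directory, base_dn, filter_str):
    """Return the DNs under base_dn whose attributes satisfy the filter."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    base = base_dn.lower()
    return [dn for dn, attrs in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(node, attrs)]

def resolve_user_dn(directory, base_dn, template, user):
    """Search bind, step 1: the expanded query must return exactly one entry."""
    filt = expand_template(template, user)
    hits = search(directory, base_dn, filt)
    if len(hits) != 1:
        raise LookupError('User not found by LDAP search "%s" starting at %s (%d matches)'
                          % (filt, base_dn, len(hits)))
    return hits[0]

def user_in_group(directory, base_dn, group_template, user):
    """Group-based authorization: the expanded group filter must match at least one group."""
    return bool(search(directory, base_dn, expand_template(group_template, user)))

def ordered_lookup(user, order=ORDER, configs=CONFIGS):
    """Walk auth.ldap.order.N in order; a lookup failure falls through to the next
    configuration. Returns (config name or None, dn or None, messages)."""
    messages = []
    for name in order:
        directory, base_dn, template = configs[name]
        messages.append("Testing authentication against LDAP configuration %s." % name)
        try:
            dn = resolve_user_dn(directory, base_dn, template, user)
        except LookupError as err:
            messages.append(str(err))
            continue
        return name, dn, messages
    return None, None, messages

if __name__ == "__main__":
    print("\n".join(ordered_lookup("sbaker")[2]))
```

The real server follows the resolved DN with a bind using the user's password, which the sample leaves out; what the model shows is why the escaping step and the single-result rule belong together: a username containing an unescaped `*` would turn a unique-user search into a multi-match, and the rule rejects that outcome rather than binding against an arbitrary entry.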