See how to build Active Directory and LDAP authentication into the Perforce Server, streamlining the process of linking your Perforce environment with your enterprise authentication system—no triggers required!
#
AD and LDAP Authentication Without Triggers
Sven Erik Knop, Technical Marketing Manager
Nick Poole, Software Engineer
#
Sven Erik Knop, Technical Marketing Engineer, Perforce Software
Nick Poole, Senior Developer, Perforce Software
#
Agenda
• User authentication in Perforce: a brief overview
• What is LDAP?
• Integrating LDAP with Perforce
#
User Authentication in Perforce
#
Freshly Installed Perforce Server
• Users are created automatically when they first connect
• security = 0
– Passwords are not enforced (but can be set)
– Any password is accepted
– Passwords can be stored in clear text on the client
• No protection table: every user has super rights
#
Hardening Access to Perforce
• Create a protection table
• Set dm.user.noautocreate
– 1: users must be created explicitly with p4 user
– 2: only a superuser can create users
• Set security
– 1: strong passwords required (at least 8 mixed characters)
– 2: strong passwords enforced (users with weak passwords must change them)
– 3: users must run p4 login to obtain a ticket
#
Tickets
• A ticket represents a session with the Perforce server
– Typically time-limited (12 hours by default)
• Created by p4 login
– Stored locally in the P4TICKETS file
– p4 tickets lists all available tickets

Port             User     Ticket
localhost:20101  p4admin  F84DB47C7C7206C1120EB9F5021F83E9
#
External Password Authentication
• Goals
– A single place for password storage and password rules
– Simpler monitoring and revocation of access
• Authentication triggers
– auth-check verifies a password
– auth-set sets a password
#
External Password Authentication: login sequence
1. User runs p4 login (client sends user-login)
2. Client prompts: Enter Password:
3. User enters <password>; client sends it to the server (dm-login)
4. Server runs the auth-check trigger with the password
5. Trigger returns <accepted>
6. Server issues a ticket (client-SetPassword); client reports: User logged in.
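For contrast with the built-in integration presented later, this is what the trigger side of the sequence above looks like. It is an added example written for this page, not Perforce code and not part of the deck: a minimal Python auth-check trigger. It relies on the auth-check contract (the user name arrives as an argument, the password on standard input, and exit status 0 accepts the login); the triggers-table line in the docstring, the script path and the constructed user dictionary that stands in for the directory bind are assumptions.

```python
#!/usr/bin/env python3
"""Minimal auth-check trigger (added example, not Perforce code).

Assumed triggers-table line:
    ldapcheck auth-check auth "/p4/bin/auth_check.py %user%"
P4D passes the user name as an argument and the password on standard input.
Exit status 0 accepts the login; any other status rejects it and whatever the
trigger printed is shown to the user.
"""
import hmac
import sys

# Constructed stand-in for the real backend (a directory bind in practice).
CONSTRUCTED_USERS = {"npoole": "np-secret"}


def verify(user, password):
    """Stand-in for 'bind to the directory as user'; True on success."""
    expected = CONSTRUCTED_USERS.get(user)
    # compare_digest keeps the comparison time independent of where it differs
    return expected is not None and hmac.compare_digest(expected, password)


def check(argv, stdin_text):
    """Trigger entry point; returns the exit status P4D would see."""
    if len(argv) != 2:
        return 2  # unexpected invocation: fail closed
    password = stdin_text.rstrip("\r\n")  # strip the newline P4D sends after the password
    if not password:
        return 1  # an empty password must never authenticate
    return 0 if verify(argv[1], password) else 1


if __name__ == "__main__":
    status = check(sys.argv, sys.stdin.read())
    if status != 0:
        print("Authentication failed.")
    sys.exit(status)
```

The password deliberately never appears on the command line, where `ps` would expose it; every unexpected condition maps to a non-zero status so the server denies the login rather than falling open.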
#
LDAP
#
What is LDAP?
• Lightweight Directory Access Protocol
– A lighter-weight alternative to DAP for accessing an X.500 directory service
• Supported by different directory services, e.g.
– Active Directory (AD, Microsoft)
– OpenLDAP
• The two operations that matter here:
– bind: authenticate as a directory entry with a password
– search: find entries in the directory
#
What is a Directory Service?
• A directory is a map { key → value }
• A directory service is a database serving that map, e.g.
– Telephone directory
– DNS (Domain Name System)
– User account management (passwords, permissions)
#
Pattern for User Authentication
• Given a username, either
– Construct the DN directly, or
– Search the directory to find the user's unique identifier (DN)
• Bind as that DN with the supplied password

Field  Name                 Description
dn     Distinguished Name   Unique identifier of an entry
dc     Domain Component     For example, DC=www,DC=perforce,DC=com
ou     Organizational Unit  For example, a user group
cn     Common Name          Person's name, job title etc.
#
LDAP Integration
• The auth-check trigger works well, but ...
– It has to be installed separately
– There is no standard implementation (Python, Perl and C++ versions exist)
– It is one more headache for administrators
• The most common request on P4Ideax:
– Perforce should provide built-in LDAP integration
• Now available in P4D 2014.2
#
Implementation
#
No More Triggers
• The new LDAP integration is an alternative to the auth-check trigger
– When it is enabled, any auth-* triggers are disabled
• Configuration uses:
– p4 ldap
– p4 ldaps
– p4 configure
#
Defining an LDAP Server Connection
• The configuration is provided to the Perforce server as a spec using the new command:
– p4 ldap
• The fundamental parameters:
– Hostname
– Port number
– Encryption method
#
Mapping Users to Directory Objects
• How a user is located in the directory before authentication has to be configured.
• Three bind methods are supported:
– Simple
– Search
– SASL
#
Bind Method 1: Simple
• This method takes a DN with a %user% placeholder
– cn=%user%,ou=Users,dc=p4,dc=com
– becomes, for user npoole: cn=npoole,ou=Users,dc=p4,dc=com
• Only suitable for the simplest directory layouts: every user must sit under the same container, with the login name as the leaf attribute.
#
Bind Method 2: Search
• This method takes an LDAP query with a %user% placeholder and expands it.
– (&(objectClass=user)(sAMAccountName=%user%))
• A known read-only account is used to bind and run the search that discovers the user's DN.
– The query must return exactly one result.
#
Bind Method 3: SASL
• This method doesn't normally require any configuration.
– All that is required is a username and a password.
– The LDAP server is responsible for finding the user from the username.
• Active Directory supports this out of the box.
– Not all LDAP servers support this.
– Uses the DIGEST-MD5 SASL mechanism (since moved to Historic by RFC 6331, so pair it with the connection's encryption setting).
#
LDAP Group Based Authorization
• Optional feature for restricting Perforce access to only those LDAP users who actually use Perforce.
• Ensures that the user belongs to one or more named groups in the LDAP directory.
• Defined by an LDAP group search, e.g.
– (&(objectClass=posixGroup)(cn=development)(memberUid=%user%))
#
Testing the Configuration
• The new p4 ldap and p4 ldaps commands both take a -t <username> option.
– This allows an LDAP configuration to be tested before it is enabled.
• Authentication failures are reported with more detailed messages than a user would see from p4 login.
#
Enabling LDAP Authentication
• Use p4 configure to set the ordered list of LDAP configurations:
– p4 configure set auth.ldap.order.1=MasterAD
• This supports:
– Fragmented user directories (one directory server per office)
– Replicated user directories (for failover)
#
Migrating Users to Use LDAP
• Users must be configured to use LDAP.
– Many background (non-human) Perforce users are not stored in LDAP.
– A new AuthMethod field on the user spec switches a user between authenticating against the Perforce database and against LDAP.
#
Authentication Based User Creation
• The default user AuthMethod can be changed to ldap.
• With automatic user creation enabled, any user who can authenticate via p4 login then gets a Perforce user created on first login.
• This works best together with group based authorization, which keeps out LDAP users who have no business in Perforce.
#
DEMO
#
Slide-ware Demo Backup
#
An example record in OpenLDAP
#
Using Simple Bind with OpenLDAP
#
Using Search Bind with OpenLDAP
#
Using SASL Bind with OpenLDAP
#
An example record in AD
#
Using Search Bind with AD
#
Using SASL Bind with AD
#
Group Authorization with OpenLDAP
#
Group Authorization with AD
#
Fragmented Directories: OpenLDAP and Active Directory
#
Ordered Directory Querying
• Set the configurables
– auth.ldap.order.1=openldap-search
– auth.ldap.order.2=ad-search
• Run p4 ldaps -t sbaker

Testing authentication against LDAP configuration openldap-search.
User not found by LDAP search "(&(objectClass=inetOrgPerson)(cn=sbaker))" starting at ou=employees,dc=p4,dc=com
Testing authentication against LDAP configuration ad-search.
Authentication successful.
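To tie together the user-authentication pattern, the three bind methods, group based authorization and the ordered configurations from the slides, the following Python model runs the whole decision flow offline. It is an added example written for this page, not Perforce code: an in-memory stand-in for the OpenLDAP and AD directories, configurations in the shape of p4 ldap specs (the field names BindMethod, SimplePattern, SearchBaseDN, SearchFilter, GroupBaseDN and GroupSearchFilter are assumed from the spec; the slides show only their values, and "Directory" stands in for the Host/Port/Encryption fields), and a login() that walks an auth.ldap.order list and produces the kind of output shown above for sbaker. It goes beyond the slides in one respect: the login name is escaped before it is substituted into a filter or a DN, so a crafted name cannot change the structure of the query.

```python
"""Offline model of P4D-style built-in LDAP authentication.

Added example, not Perforce code: simple, search and sasl bind methods, group
based authorization and the auth.ldap.order.N fall-through, run against an
in-memory stand-in for an OpenLDAP and an Active Directory server.
"""
import re

# Constructed directory contents; "_pw" stands in for the credential a real
# bind would check and is not an LDAP attribute.
DIRECTORIES = {
    "openldap": {
        "cn=npoole,ou=employees,dc=p4,dc=com": {
            "objectClass": ["inetOrgPerson"], "cn": ["npoole"], "_pw": "np-secret"},
        "cn=guest,ou=employees,dc=p4,dc=com": {
            "objectClass": ["inetOrgPerson"], "cn": ["guest"], "_pw": "guest-secret"},
        "cn=development,ou=groups,dc=p4,dc=com": {
            "objectClass": ["posixGroup"], "cn": ["development"], "memberUid": ["npoole"]},
    },
    "ad": {
        "CN=Sam Baker,CN=Users,DC=ad,DC=p4,DC=com": {
            "objectClass": ["user"], "sAMAccountName": ["sbaker"], "_pw": "sb-secret"},
    },
}

# Configurations in the shape of p4 ldap specs (field names assumed from the
# spec; "Directory" replaces Host/Port/Encryption in this offline model).
LDAP_CONFIGS = {
    "openldap-simple": {"Directory": "openldap", "BindMethod": "simple",
                        "SimplePattern": "cn=%user%,ou=employees,dc=p4,dc=com"},
    "openldap-search": {"Directory": "openldap", "BindMethod": "search",
                        "SearchBaseDN": "ou=employees,dc=p4,dc=com",
                        "SearchFilter": "(&(objectClass=inetOrgPerson)(cn=%user%))",
                        "GroupBaseDN": "ou=groups,dc=p4,dc=com",
                        "GroupSearchFilter":
                            "(&(objectClass=posixGroup)(cn=development)(memberUid=%user%))"},
    "ad-search": {"Directory": "ad", "BindMethod": "search",
                  "SearchBaseDN": "DC=ad,DC=p4,DC=com",
                  "SearchFilter": "(&(objectClass=user)(sAMAccountName=%user%))"},
    "ad-sasl": {"Directory": "ad", "BindMethod": "sasl"},
}


def escape_filter_value(value):
    """RFC 4515 escaping: a login name cannot add or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping of the characters that would start a new DN component."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)


def ldap_search(directory, base_dn, filt):
    """Subtree search for a conjunction of equality assertions, e.g. (&(a=x)(b=y))."""
    assertions = re.findall(r"\(([^=()]+)=([^()]*)\)", filt)
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and all(unescape(v) in entry.get(a, []) for a, v in assertions)]


def authenticate(name, user, password):
    """Run one configuration for a user; returns (ok, message) as p4 ldaps -t would."""
    cfg = LDAP_CONFIGS[name]
    directory = DIRECTORIES[cfg["Directory"]]
    if cfg["BindMethod"] == "simple":
        dn = cfg["SimplePattern"].replace("%user%", escape_dn_value(user))
    elif cfg["BindMethod"] == "search":
        filt = cfg["SearchFilter"].replace("%user%", escape_filter_value(user))
        hits = ldap_search(directory, cfg["SearchBaseDN"], filt)
        if not hits:
            return False, 'User not found by LDAP search "%s" starting at %s' % (filt, cfg["SearchBaseDN"])
        if len(hits) > 1:  # exactly one entry is required, or we could bind as the wrong one
            return False, 'LDAP search "%s" matched %d entries.' % (filt, len(hits))
        dn = hits[0]
    else:  # sasl: the directory resolves the login name itself; modelled as an account lookup
        hits = [d for d, e in directory.items() if user in e.get("uid", []) + e.get("sAMAccountName", [])]
        if len(hits) != 1:
            return False, "SASL user %s is not known to the directory." % user
        dn = hits[0]
    entry = directory.get(dn)
    if entry is None or entry.get("_pw") != password:
        return False, "Bind as %s failed: invalid password." % dn
    if cfg.get("GroupSearchFilter"):  # optional group based authorization after the bind
        gfilt = cfg["GroupSearchFilter"].replace("%user%", escape_filter_value(user))
        if not ldap_search(directory, cfg["GroupBaseDN"], gfilt):
            return False, "User %s is not a member of a permitted group." % user
    return True, "Authentication successful."


def login(order, user, password):
    """Walk the auth.ldap.order.N list; the first configuration to accept wins."""
    log = []
    for name in order:
        ok, msg = authenticate(name, user, password)
        log.append("Testing authentication against LDAP configuration %s. %s" % (name, msg))
        if ok:
            return True, log
    return False, log


if __name__ == "__main__":
    for line in login(["openldap-search", "ad-search"], "sbaker", "sb-secret")[1]:
        print(line)
```

Two checks in this model are the ones to carry over to a real deployment: a search bind must refuse anything other than exactly one hit, and the group search runs only after the bind has succeeded, so the group filter never becomes a way to enumerate users who cannot authenticate.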