Authentication Triggers: Example Script Details

Info & Tags

Article #: 470
Created: 02/22/06
Modified: 05/27/08
Tags: authentication, ldap, security

Related Articles

Links

  1. Authentication Triggers: Compiling the LDAP Examples
    KB
  2. Setting Up External Authentication Triggers
    KB article
  3. p4auth_ad
    Pre-compiled auth trigger (Linux)
  4. p4auth_ad-no_null
    Pre-compiled auth trigger (Linux)
  5. p4auth_ad-unix-no_null.cpp
    C++ Linux/Unix trigger source
  6. p4auth_ad-unix.cpp
    C++ Linux/Unix trigger source
  7. p4auth_ad.cpp-windows
    C++ trigger source (Windows)
  8. p4auth_ad.exe
    Pre-compiled auth trigger (Windows)
  9. p4authenticate.c
    C/C++ trigger example
  10. p4authenticate.pl
    Perl trigger example

SUMMARY

There are several trigger examples available in KB Article 728, "Setting Up External Authentication Triggers." This article provides additional technical information concerning the example triggers referenced in article 728.

DETAILS

The trigger examples below contain source and pre-compiled binaries for LDAP and Active Directory authentication for both Windows and Unix platforms. TLS encryption is only enabled for the Unix triggers.

Example Set 1:
p4authenticate.pl and p4authenticate.c

Perl and C source code for use with Unix/LDAP. Includes TLS encryption. To run on Unix/Active Directory, remove this line:
rc = ldap_start_tls_s( ld, NULL, NULL );
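
The role of that StartTLS call, shown as an added Perl example using Net::LDAP (this is not the code of p4authenticate.pl): the connection is upgraded to TLS before the simple bind, and the trigger fails closed if the upgrade fails, so the password never crosses the wire in plain text. Assumptions: the trigger is invoked with the user name as its argument and receives the password on standard input, exit status 0 means authenticated, and the host name, CA file path and DN format are placeholders.

```perl
#!/usr/bin/perl
# Added example, not the Perforce-supplied p4authenticate.pl.
# Assumed invocation: <script> <user>, with the password on stdin.
# Exit 0 = authenticated, non-zero = rejected.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

# Placeholders (assumptions): replace with your directory's values.
my $HOST   = 'ldap.example.com';
my $CAFILE = '/etc/ssl/certs/example-ca.pem';
my $DN_FMT = 'uid=%s,ou=people,dc=example,dc=com';

my $user = shift @ARGV;
exit 1 unless defined $user && length $user;

my $password = <STDIN>;
exit 1 unless defined $password;
chomp $password;

# A simple bind with an empty password is an LDAP "unauthenticated bind"
# (RFC 4513) that a server may accept, so reject it before connecting.
exit 1 unless length $password;

my $ldap = Net::LDAP->new($HOST, port => 389, timeout => 10);
unless ($ldap) {
    warn "connect to $HOST failed: $@\n";
    exit 1;
}

# Upgrade to TLS *before* the bind and verify the server certificate.
my $tls = $ldap->start_tls(verify => 'require', cafile => $CAFILE);
if ($tls->code) {
    # Fail closed: never fall back to a plain-text bind.
    warn "StartTLS failed, password not sent: ", $tls->error, "\n";
    $ldap->disconnect;
    exit 1;
}

# Escape DN metacharacters in the user name before building the bind DN.
my $dn   = sprintf $DN_FMT, escape_dn_value($user);
my $bind = $ldap->bind($dn, password => $password);
$ldap->unbind;

exit($bind->code ? 1 : 0);
```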

Example Set 2:
p4auth_ad.cpp-windows and p4auth_ad.exe

Source and pre-compiled trigger for Windows, for use with LDAP or Active Directory.

It has Windows-specific header information and no TLS encryption, because Active Directory does not support TLS out of the box. It is otherwise identical to p4authenticate.pl and p4authenticate.c. Active Directory can be made to work with TLS, but that requires you to set up a Certificate Authority (CA).

Since there is no TLS encryption, the password can be sent in plain text. Currently the options to avoid this are to use a secure tunneling program from the Perforce server to the authentication server (stunnel, for example), or to change the authentication method the trigger uses to bind with the authentication server.

To change the authentication method, change the line:
#define AUTH_METHOD LDAP_AUTH_SIMPLE
To:
#define AUTH_METHOD LDAP_AUTH_NEGOTIATE

Example Set 3:
p4auth_ad-unix.cpp and p4auth_ad

Source for Unix systems, pre-compiled binary for Linux.

There is currently no additional information on these triggers.

Example Set 4:
p4auth_ad-unix-no_null.cpp and p4auth_ad-no_null

Source for Unix systems, pre-compiled binary for Linux. For use with Active Directory.

As with the Windows Active Directory triggers, p4auth_ad.cpp-windows and p4auth_ad.exe, TLS encryption is not enabled. To change the trigger's authentication method, apply the source change described for p4auth_ad.exe before compiling p4auth_ad-unix-no_null.cpp.

Unicode support

All of the above triggers support Unicode user names. Passwords should still be provided in ASCII text, since some of our client programs (such as P4Win) enforce this limitation.

Notes

If you want to create an exception for a class of users (for example, automation users or contractors), the preferred solution is to add those users to the authentication server with appropriately restricted rights.