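#!/usr/bin/perl -w
#==============================================================================
# Copyright and license info is available in the LICENSE file included with
# the Server Deployment Package (SDP), and also available online:
# https://swarm.workshop.perforce.com/projects/perforce-software-sdp/view/main/LICENSE
#------------------------------------------------------------------------------
#
# Overview: This trigger script authenticates a Perforce userid against
# an LDAP/Active Directory account.  It will handle multiple domains.
#
# Optionally, if $local_passwd_file is defined (details below), this script
# will authenticate users from a local password file versioned in Perforce.
# This can be used to allow a class of users that exist in Perforce but
# not in the LDAP/Active Directory domain.
#
# sample trigger usage:
#  ad auth-check auth "/p4/common/bin/triggers/AD_ssl_auth.pl %user%"
#
# Contract: the Perforce user name is the single argument, the password is
# read from STDIN.  Exit status 0 means authenticated, anything else means
# access denied.  Everything printed to STDOUT/STDERR is relayed to the
# user by p4d, so diagnostics are kept deliberately terse.
#
use strict;
use warnings;
use Net::LDAPS;

$| = 1;

#------------------------------------------------------------------------------
# Define Variables

# AD connect timeout (seconds).
my $timeout = 10;

# Set AD server info.
my $ad_port = "636";    # AD LDAPS port, should probably leave.
my $ad_host = "AD.IP";  # Put hostname or IP address of your AD server here.

# TLS server-certificate verification.  'require' (the default) refuses to
# talk to a server whose certificate does not chain to a trusted CA and
# match $ad_host, which is what stops an impostor on the network from
# harvesting the read-account credential and every user password this
# trigger sends.  If $ad_host is an IP address the certificate needs an IP
# SAN.  Set $ad_cafile to the PEM bundle of your internal CA if the AD
# certificate is not trusted by the system store.  Set $ad_verify to
# 'none' only while debugging connectivity.
my $ad_verify = 'require';
my $ad_cafile = '';     # e.g. "/p4/common/config/ad_ca.pem"; '' = system CA store.

# AD read Account.
# Full DN including user.  NOTE(review): this credential is stored in
# cleartext in the script; keep the file readable only by the p4d account.
my $ad_read_dn = 'CN=user,CN=Users,DC=test,DC=domain,DC=com';
my $ad_read_p  = 'Password';

my $local_passwd_file;
my $password;
my $p4_user;

#------------------------------------------------------------------------------
# Helpers

# Compare two strings without stopping at the first mismatching byte, so a
# failed local-file login takes the same time however much of the password
# was right.  (A length mismatch is still detectable; accepted here.)
sub _constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

# Escape a value for use inside an LDAP search filter (RFC 4515): '*', '(',
# ')', '\' and NUL become \XX hex escapes.  The user name arrives on the
# command line and must not be able to change the structure of the filter
# it is embedded in.  (Equivalent to Net::LDAP::Util::escape_filter_value.)
sub _escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

#------------------------------------------------------------------------------
# Get Password from User

# Route STDERR to STDOUT so p4d relays every message to the user.
open(STDERR, ">&STDOUT") or die "Can't dup stdout";

if (scalar(@ARGV) != 1) {
    die "\nUsage:\nAD_ssl_auth.pl \%username\%\n";
}
$p4_user = shift;
chomp $p4_user;

# p4d writes the password to STDIN; strip CRLF/LF line endings.
$password = <STDIN>;
$password = '' unless defined $password;
$password =~ s/\r\n//g;
chomp $password;
if ($password =~ /^$/) {
    # An empty password must never reach the LDAP bind: many directories
    # treat an empty password as an anonymous bind, which "succeeds".
    die "Null passwords not allowed";
}

#------------------------------------------------------------------------------
# Authenticate from a local password file.
# To enable local password file verification for selected accounts,
# create a password file in Perforce, and set $local_passwd_file to
# the Perforce depot path of that file.  The file should be tightly
# locked down in the protections table, and ideally placed in a secure
# depot.  Changelists that affect that file should be set as 'restricted'
# (for 2010.2+ servers).
#
# The password file is expected to contain one-line entries containing
# simply a user and then the password, delimited by whitespace, e.g:
#
#   Autobuild MyP@ssw0rd
#
# The user name is the first whitespace-delimited token; the remainder of
# the line is the password, so passwords may contain spaces.
# Lines starting with '#' or containing only whitespace are ignored.
#
# If enabled, users listed in this file will authenticate from this file
# only; a wrong password is not retried against AD/LDAP.  Users not
# listed authenticate from AD/LDAP.
#
### Comment next line to disable local password file authentication!
$local_passwd_file = "/p4/common/bin/triggers/localpasswd.txt";

# If $local_passwd_file is defined, first search for the user in that file.
# If the user is found, authenticate using that password.  Otherwise, simply
# fall through to AD/LDAP authentication.
if ($local_passwd_file) {
    # If the file cannot be opened, local-file users simply fall through to
    # AD/LDAP (where they are denied unless they also exist there), rather
    # than locking every user out over a missing sample file.
    if (open(my $pwfh, '<', $local_passwd_file)) {
        LINE: while (my $line = <$pwfh>) {
            chomp $line;
            $line =~ s/\r$//;
            next LINE if $line =~ /^\s*(#|$)/;
            # Exact user-name match; no regex so a name like "build" cannot
            # match the "Autobuild" entry, and metacharacters are inert.
            my ($name, $file_pw) = split ' ', $line, 2;
            next LINE unless defined $name && $name eq $p4_user;
            $file_pw = '' unless defined $file_pw;
            exit 0 if _constant_time_eq($password, $file_pw);
            print "Local Password File Authentication Failed. Access Denied.\n";
            exit 1;
        }
        close $pwfh;
    }
}

#------------------------------------------------------------------------------
# Authenticate against Active Directory/LDAP.

# TLS options shared by both connections.
my %conn_opts = (
    port    => $ad_port,
    timeout => $timeout,
    verify  => $ad_verify,
);
$conn_opts{cafile} = $ad_cafile if $ad_cafile;

# Connection 1: bound as the read account, used to look up the user's DN.
my $ad = Net::LDAPS->new($ad_host, %conn_opts)
    or die "Unable to connect with read account: $@\n";

# bind() always returns a message object, so its truth says nothing about
# success; only the result code does.
my $mesg = $ad->bind($ad_read_dn, password => $ad_read_p, version => 3);
die "Unable to bind with read account: " . $mesg->error . "\n" if $mesg->code;

# Connection 2: kept unbound until the user's own credentials are tried, so
# the read-account session is never re-bound as the user.
my $tc = Net::LDAPS->new($ad_host, %conn_opts)
    or die "Unable to connect for user bind: $@\n";

# Read the rootDSE to discover the forest root naming context to search.
$mesg = $ad->search(base => '', filter => "(objectclass=*)", scope => 'base');
die "Unable to read rootDSE: " . $mesg->error . "\n" if $mesg->code;

my $filter = "(samaccountname=" . _escape_filter_value($p4_user) . ")";

my $ret = 1;    # pessimistic: denied until a bind as the user succeeds
ENTRY: foreach my $entry ($mesg->entries) {
    my $root_dn = $entry->get_value('rootDomainNamingContext');
    next ENTRY unless defined $root_dn;

    my $found = $ad->search(
        base   => $root_dn,
        filter => $filter,
        scope  => 'sub',
        attrs  => ['mail'],
    );
    next ENTRY if $found->code;
    my @users = $found->entries;
    next ENTRY unless @users;

    # Prove the password by binding as the user's own DN (first match only).
    my $user_bind = $tc->bind(dn => $users[0]->dn(), password => $password);
    if (!$user_bind->code) {
        $ret = 0;
        last ENTRY;
    }
}

$tc->unbind;
$ad->unbind;

if ($ret) {
    print "Authentication Failed. Access Denied.\n";
}
exit $ret;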