ASSUMPTIONS:
- using Python 2.7.x
- ldap usernames (sAMAccountName) match the Perforce usernames
- Perforce user used by the script has an unlimited ticket
- Perforce server does not use ssl — script will have to be modified to set P4TRUST variable if SSL is required
- examples in this document assume "standard" SDP paths (e.g. triggers installed in /p4/common/bin/triggers, instance directory
is /p4/1, etc.) These are not hard-coded in the script, all paths can be configured using the configuraiton file.
USAGE:
In addition to being an auth-check trigger, this script can be used to:
- create/edit entries in the local password file (-e)
- test authentication (-t)
Rudimentary help is available using the -h option:
$ ./authCheckTrigger.py -h
usage: authCheckTrigger.py [-h] [-u USERNAME] -c CONFIGFILE [-e] [-t] [-v]
auth-check trigger implementation.
optional arguments:
-h, --help show this help message and exit
-u USERNAME, --user USERNAME
the username to authenticate
-c CONFIGFILE, --config CONFIGFILE
the configuration file
-e, --edit edit the local password file
-t, --test run in test mode
-v, --verbose override configuration and set logging level to DEBUG
INSTALLATION:
1. Install bcrypt (from https://code.google.com/p/py-bcrypt)
$ wget https://py-bcrypt.googlecode.com/files/py-bcrypt-0.4.tar.gz
$ tar xzf py-bcrypt-0.4.tar.gz
$ cd py-bcrypt-0.4
$ python setup.py build
$ sudo python setup.py install
Verify that bcrypt is installed correctly by running Python from the command line and trying to import ldap:
$ python
>>> import bcrypt
>>> quit()
You should not see any error when running the import. If you do, then bcrypt is not installed correctly.
2. Install python-ldap
sudo pip install python-ldap
Verify that python-ldap is installed correctly by running Python from the command line and trying to import ldap:
$ python
>>> import ldap
>>> quit()
You should not see any error when running the import. If you do, then python-ldap is not installed correctly.
3. Extract the trigger script distribution. There are two files in there: authCheckTrigger.py and a sample config file auth.cfg
4. Modify the configuration file
the values supplied are examples, you will need to update them for your environment
- the [globals] section defines global variables used by the program the variables are:
[globals]
# absolute path to the Perforce client
p4.path = /usr/local/bin/p4
# P4PORT of the Perforce server
p4.port = localhost:1666
# username used to query the Perforce server (does not need admin access)
p4.user = auth.user
# location of the tickets file (should be an absolute path
p4.tickets = /p4/1/auth.tickets
# absolute path to the local password (AD bypass) file
passwd.file = /p4/1/etc/passwd.txt
# logging level. Should be ERROR, WARN or DEBUG
log.level = DEBUG
# absolute path to the auth log file
log.file = /p4/1/logs/authCheck.log
# default Perforce group if the user has no groups
default.perforce.group = grp1
# timeout for LDAP connections
timeout = 10
# custom failure message
auth.failed.message = Authentication Failed. Access Denied.
- you should add a [server_n] section for each AD server. These sections must be uniquely named.
[server_1]
# Perforce group corresponding to this server
perforce.group = ldap.server1
# LDAP URL for the server.
# this should be in the format ldap://host:port or ldaps://host:port (second used for SSL)
server.url = ldap://ldap1_host:389
# account domain used for authentication
account.domain = @company.com
5. Ensure that the Perforce user is in a group with an unlimited timeout
6. Set the P4TICKETS environment variable to match that used in the config file
7. Login with the Perforce user specified in the config file
- ensure that the ticket does not expire
8. Use the script to create entries in the local password file (if desired):
$ /p4/common/bin/triggers/authCheckTrigger.py -c /path/to/auth.cfg -e
---- EDIT MODE ----
enter username: tad
Enter password (will not appear) >
Type it again (will not appear) >
9. Check the entry in the local password file (test with valid and invalid passwords)
$ /p4/common/bin/triggers/authCheckTrigger.py -c /path/to/auth.cfg -t
---- TEST MODE ----
enter username: tad
Enter password (will not appear) >
Credentials were valid. Access to Perforce would be allowed
$ /p4/common/bin/triggers/authCheckTrigger.py -c /path/to/auth.cfg -t
---- TEST MODE ----
enter username: tad
Enter password (will not appear) >
Invalid credentials. Access to Perforce would be denied.
10. Create the Perforce group(s) that correspond to the perforce.group entries in the configuration file. Add the appropriate user(s) to those groups.
11. Now repeat step 9 but this time use a user who does not have an entry in the local password file (an AD user)
12. Assuming that the testing all works, then you can install the trigger and restart the Perforce server. Make sure you backup the db.trigger table (in case you need to restore the triggers). The auth-check trigger entry should look something like the following. Note, if you do not have service users, you can omit the service-check line.
AUTH auth-check auth “/p4/common/bin/triggers/authCheckTrigger.py -c /p4/1/config/authCheck.cfg -u %user%"
S_AUTH service-check auth “/p4/common/bin/triggers/authCheckTrigger.py -c /p4/1/config/authCheck.cfg -u %user%"
13. After restarting the trigger, verify that you can ‘p4 login’ to the server. Ensure that you test both positive and negative conditions (correct and incorrect passwords) for the combinations:
- local (bypass) users
- users for each configured ldap server
| # | Change | User | Description | Committed | |
|---|---|---|---|---|---|
| #2 | 26681 | robert_cowham |
Removing Deprecated folder - if people want it they can look at past history! All functions have been replaced with standard functionality such as built in LDAP, or default change type. Documentation added for the contents of Unsupported folder. Changes to scripts/triggers are usually to insert tags for inclusion in ASCII Doctor docs. |
||
| #1 | 26652 | robert_cowham |
This is Tom's change: Introduced new 'Unsupported' directory to clarify that some files in the SDP are not officially supported. These files are samples for illustration, to provide examples, or are deprecated but not yet ready for removal from the package. The Maintenance and many SDP triggers have been moved under here, along with other SDP scripts and triggers. Added comments to p4_vars indicating that it should not be edited directly. Added reference to an optional site_global_vars file that, if it exists, will be sourced to provide global user settings without needing to edit p4_vars. As an exception to the refactoring, the totalusers.py Maintenance script will be moved to indicate that it is supported. Removed settings to support long-sunset P4Web from supported structure. Structure under new .../Unsupported folder is: Samples/bin Sample scripts. Samples/triggers Sample trigger scripts. Samples/triggers/tests Sample trigger script tests. Samples/broker Sample broker filter scripts. Deprecated/triggers Deprecated triggers. To Do in a subsequent change: Make corresponding doc changes. |
||
| //guest/perforce_software/sdp/dev/Server/Unix/p4/common/bin/triggers/deprecated/authCheck_SETUP.txt | |||||
| #1 | 16784 | tom_tyler |
Routine Merge Down to dev from main using: p4 -s merge -n -b perforce_software-sdp-dev |
||
| //guest/perforce_software/sdp/dev/Server/Unix/p4/common/bin/triggers/authCheck_SETUP.txt | |||||
| #1 | 12245 | tom_tyler | Routine merge down from main. | ||
| //guest/perforce_software/sdp/main/Server/Unix/p4/common/bin/triggers/authCheck_SETUP.txt | |||||
| #1 | 12173 | russell_jackson |
Python ldap/ad authentication script. This uses simple bind, so it is easier to use than the Perl version. |
||