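<#
.SYNOPSIS
    Authenticates an AD user for a Perforce depot: the user must be a member of
    the depot's authorisation group tree AND must be able to bind to AD with the
    supplied password.

.DESCRIPTION
    Part 1 loads (or rebuilds) a per-depot cache of the AD groups nested under
    "p4<depotname>" from ".\p4authcache\<depotname>.ldapAuthCache.xml".
    Part 2 looks the user up by sAMAccountName and checks whether their DN is a
    member of any cached group.  Part 3 performs an LDAP bind as that user.

    Security notes:
      * The group cache is reused for up to 30 minutes, so a user removed from
        the depot groups can still pass the membership check for that long.
        Use -flushcache after group changes if that window is unacceptable.
      * The cache lives under the CURRENT directory and is trusted verbatim when
        read back.  Anyone who can write there can inject group membership, so
        only run this from a location with a trusted ACL.
      * -password is accepted as plain text for backward compatibility.  Prefer
        omitting it so the password is prompted for as a SecureString and never
        materialises as a plain .NET string inside this function.
      * Membership alone never grants access: a successful bind is required, and
        the bind failure message is deliberately generic.

.PARAMETER depotname
    Depot name; also the suffix of the AD group "p4<depotname>" and part of the
    cache file name.  Restricted to [A-Za-z0-9_.-] so it cannot steer the cache
    path outside the cache directory.
.PARAMETER username
    sAMAccountName of the user to authenticate.  Required unless -flushcache.
.PARAMETER password
    Optional plain-text password.  Prompted for (masked) when omitted.
.PARAMETER flushcache
    Rebuild the group cache and return without authenticating anyone.

.OUTPUTS
    On success a PSCustomObject with userObject, userInAuthGroup, bindResults,
    depot and authGroupMatch.  On any failure a non-terminating error is written
    and nothing is returned.  (The original used 'break' here, which outside a
    loop terminates the CALLER's script; 'return' keeps the failure local.)
#>
function p4adauth {
    param(
        [string]$depotname,
        [string]$username,
        [string]$password,
        [switch]$flushcache
    )

    [boolean]$userInAuthGroup = $false
    $date = Get-Date
    $ldapCacheObject = $null
    $cacheAgeMinutes = $null

    if (!$depotname) {
        Write-Error "A depot name is required to generate authentication data."
        return
    }
    # $depotname becomes part of a file path and an AD group name: reject path
    # separators, wildcards and the like rather than letting them through.
    if ($depotname -notmatch '^[A-Za-z0-9_.-]+$') {
        Write-Error "Depot name '$depotname' contains characters that are not allowed."
        return
    }

    #-- Part 1. Load, refresh or create the LDAP group cache. ------------------
    try {
        $ldapCacheFileRoot = Join-Path (Get-Location).Path "p4authcache"
        if (-not (Test-Path $ldapCacheFileRoot)) {
            try {
                New-Item -ItemType Directory -Path $ldapCacheFileRoot | Out-Null
            } catch {
                Write-Error ("Could not create directory to ldap cache data. Error was:`r`n" + $_)
                return
            }
        }
        $ldapCacheFile = Join-Path $ldapCacheFileRoot ($depotname + ".ldapAuthCache.xml")

        $needsRefresh = $false
        if (Test-Path $ldapCacheFile) {
            $cacheAgeMinutes = ($date.Subtract((Get-Item $ldapCacheFile).LastWriteTime)).TotalMinutes
            if ($cacheAgeMinutes -gt 30) {
                # Staleness bound for the membership check (see .DESCRIPTION).
                Write-Warning "Renewing LDAP Cache object since it is older than 30 minutes. This is a slow operation."
                $needsRefresh = $true
            } elseif ($flushcache) {
                Write-Warning "Renewing LDAP Cache."
                $needsRefresh = $true
            }
        } else {
            Write-Warning "Creating initial LDAP cache file."
            $needsRefresh = $true
        }

        if ($needsRefresh) {
            # Slow: walks the nested group tree via the Quest cmdlets.
            $ldapCacheObject = p4get-adauthgroups $depotname
            $ldapCacheObject | Export-Clixml -Force $ldapCacheFile
            if ($flushcache) { Write-Warning "LDAP Cache updated." }
        } else {
            $ldapCacheObject = Import-Clixml $ldapCacheFile
        }
    } catch {
        # Corrupt, unreadable or otherwise unusable cache: log at verbose level
        # and fall through to a rebuild below rather than failing closed here.
        $message = "Could not load ldap cache " + $ldapCacheFile + " due to the following error.`r`n" + $_
        Write-Verbose $message
        #Send-EventMessage -eventMessage $message -eventType "Error" -eventid 38020 -eventlogSource $eventLogSource
    }

    if (!$ldapCacheObject) {
        # Nothing usable came back from the file; build the object directly.
        $ldapCacheObject = p4get-adauthgroups $depotname
        $ldapCacheObject | Export-Clixml -Force $ldapCacheFile
    }

    # -flushcache only refreshes the cache; no authentication is performed.
    if ($flushcache) { return }

    #-- Part 2. Locate the user and check depot group membership. --------------
    if (!$username) {
        # Without this guard an empty/unspecified name would be handed to
        # Get-QADUser, which must not be allowed to match "anyone".
        Write-Error "A user name is required to authenticate."
        return
    }

    try {
        $userObject = Get-QADUser -SamAccountName $username
    } catch {
        Write-Error ("Could not retrieve user from ldap directory. Error was:`r`n" + $_)
        return
    }

    if (!$userObject) {
        Write-Error ("Could not locate user " + $username + " in ldap directory.")
        return
    }
    # Quest cmdlets accept wildcards; an ambiguous lookup must fail, not pick one.
    if (@($userObject).Count -ne 1) {
        Write-Error ("User name " + $username + " matched more than one ldap object.")
        return
    }

    # A cached group entry's 'members' holds DNs; -eq against an array acts as
    # a (case-insensitive) containment test.
    $authGroupMemberships = @($ldapCacheObject | Where-Object { $_.members -eq $userObject.dn })
    if ($authGroupMemberships.Count -eq 0) {
        Write-Error ("User in ldap, but not in depot auth groups.")
        return
    }
    $userInAuthGroup = $true

    #-- Part 3. Prove possession of the password with an LDAP bind. ------------
    if ($password) {
        # Legacy plain-text path, kept for callers that pass -password.
        $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
    } else {
        # Prompt straight into a SecureString; no plain-text round trip.
        $securePassword = Read-Host -AsSecureString "Password"
    }

    # Original code had 'if ($userInAuthGroup = $true)' - an assignment that
    # made the else branch unreachable.  Compare, don't assign.
    if (-not $userInAuthGroup) {
        Write-Error "Something went very wrong with the authentication function. Trapping and exiting with error."
        return
    }

    try {
        # NOTE(review): Connect-QADService also becomes the default connection
        # for later QAD cmdlets in this session; add Disconnect-QADService if
        # that side effect is unwanted - confirm against callers.
        $bindResults = Connect-QADService -ConnectionAccount $userObject -ConnectionPassword $securePassword
    } catch {
        # Deliberately generic: bad password, locked account and connectivity
        # failures all look the same to the caller.
        Write-Error "Incorrect password. LDAP bind failed."
        return
    }

    if ($bindResults) {
        $results = New-Object pscustomobject
        Add-Member -InputObject $results -MemberType NoteProperty -Name userObject      -Value $userObject
        Add-Member -InputObject $results -MemberType NoteProperty -Name userInAuthGroup -Value $userInAuthGroup
        Add-Member -InputObject $results -MemberType NoteProperty -Name bindResults     -Value $bindResults
        Add-Member -InputObject $results -MemberType NoteProperty -Name depot           -Value $depotname
        Add-Member -InputObject $results -MemberType NoteProperty -Name authGroupMatch  -Value ($authGroupMemberships | ForEach-Object { $_.name })
        $results
    }
}

<#
.SYNOPSIS
    Returns the AD group "p4<server>" plus every group nested (directly or
    indirectly) beneath it, de-duplicated.
.PARAMETER server
    Depot/server name; only used to form the group name "p4<server>".
.OUTPUTS
    Group objects from the Quest AD cmdlets.  Membership of each group is read
    later via its 'members' property.
#>
function p4get-adauthgroups {
    param([Parameter(Mandatory=$true)][string]$server)

    $authgroup = "p4" + $server
    $adgroup = @()
    # Nested groups only: user members are resolved through each group's
    # 'members' property by the caller, not enumerated here.
    $adgroup += Get-QADGroupMember -Indirect $authgroup | Where-Object { $_.type -eq "group" }
    $adgroup += Get-QADGroup $authgroup
    $adgroup | Sort-Object -Unique
}

<#
.SYNOPSIS
    Prompts for a masked value and returns it as a PLAIN-TEXT string.
.DESCRIPTION
    Kept for backward compatibility.  The secret is decrypted from the
    SecureString into a managed string, which cannot be scrubbed from memory
    afterwards.  New code should use Read-Host -AsSecureString directly and pass
    the SecureString to whatever consumes it (p4adauth no longer calls this).
.PARAMETER prompt
    Prompt text shown to the user; defaults to "Password".
#>
function Read-HostMasked([string]$prompt = "Password") {
    $secure = Read-Host -AsSecureString $prompt
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    } finally {
        # Always release the unmanaged copy, even if the conversion throws.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    return $plain
}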