Active Directory & LDAP Authentication Without Triggers



See how to build Active Directory and LDAP authentication into the Perforce Server, streamlining the process of linking your Perforce environment with your enterprise authentication system—no triggers required!

Transcript of Active Directory & LDAP Authentication Without Triggers

Page 1: AD and LDAP Authentication Without Triggers

Sven Erik Knop, Technical Marketing Manager
Nick Poole, Software Engineer

Page 2: Speakers

Sven Erik Knop, Technical Marketing Engineer, Perforce Software
Nick Poole, Senior Developer, Perforce Software

Page 3: Agenda

• User authentication in Perforce – a brief overview
• What is LDAP?
• Integrating LDAP with Perforce

Page 4: User Authentication in Perforce

Page 5: Freshly Installed Perforce Server

• Users are created automatically when connecting
• security = 0
  – Passwords are not enforced (but can be set)
  – Any password is acceptable
  – Passwords can be stored in the clear on the client
• No protection table – everyone has super rights

Page 6: Hardening Access to Perforce

• Create a protection table
• Set dm.user.noautocreate
  – 1 : a user must be created explicitly with p4 user
  – 2 : creating a user requires superuser access
• Set security
  – 1 : Need a strong password (8 mixed characters minimum)
  – 2 : Enforce the strong password
  – 3 : Need to run p4 login to create a ticket

Page 7: Tickets

• Represents a session to Perforce
  – Typically time-limited (12 hours default)
• Created by p4 login
  – Stored locally in the P4TICKETS file
  – p4 tickets lists all available tickets

Example p4 tickets output:

Port             User     Ticket
localhost:20101  p4admin  F84DB47C7C7206C1120EB9F5021F83E9

Page 8: External Password Authentication

• Goals
  – Single password storage and rules
  – Simplifies monitoring and revoking of access
• Authentication triggers
  – auth_check to verify a password
  – auth_set to set a password

Page 9: External Password Authentication (login flow, from the sequence diagram)

Client → Server: p4 login (user-login)
Server → Client: client-Prompt "Enter Password:"
Client → Server: <password> (dm-login)
Server → Auth trigger: auth-check
Auth trigger → Server: <accepted>
Server → Client: client-SetPassword "User logged in."

Page 10: LDAP

Page 11: What is LDAP?

• Lightweight Directory Access Protocol
  – Alternative to DAP for the X.500 directory service
• Supported by different directory services, e.g.
  – Active Directory (AD, Microsoft™)
  – OpenLDAP

Core operations:
  bind    authenticate a user against a password
  search  find entries in the directory

Page 12: What is a Directory Service?

• A directory is a map { key → value }
• A directory service is a database serving that map
  – Telephone directory
  – DNS (domain name service)
  – User account management (password, permissions)


Page 14: Pattern for User Authentication

• With the username, either
  – Construct the DN, or
  – Search to find the unique identifier
• Bind with the provided password

Field  Name                 Description
dn     Distinguished Name   Unique identifier
dc     Domain Component     For example, DC=www,DC=perforce,DC=com
ou     Organizational Unit  For example, a user group
cn     Common Name          Person's name, job title etc.

Page 15: LDAP Integration

• The auth_check trigger works well, but ...
  – Needs to be installed separately
  – No standard (Python, Perl, C++ implementations)
  – One more headache for administrators
• Most common request on P4Ideax:
  – Perforce should provide built-in LDAP integration
• Now available in P4D 2014.2

Page 16: Implementation

Page 17: No More Triggers

• The new LDAP integration is an alternative to the auth_check trigger
  – When enabled, any auth_* triggers are disabled
• Configuration uses:
  – p4 ldap
  – p4 ldaps
  – p4 configure

Page 18: Defining an LDAP Server Connection

• Configuration is provided to the Perforce Server as a spec using the new command:
  – p4 ldap
• The fundamental parameters:
  – Hostname
  – Port number
  – Encryption method

Page 19: Mapping Users to Directory Objects

• How the user is identified in the directory, before authentication can take place, needs to be configured.
• 3 bind methods supported:
  – Simple
  – Search
  – SASL

Page 20: Bind Method 1: Simple

Page 21: Bind Method 1: Simple

• This method takes a DN with a %user% placeholder
  – cn=%user%,ou=Users,dc=p4,dc=com
  – which expands, for user npoole, to cn=npoole,ou=Users,dc=p4,dc=com
• Only suitable for the simplest directory layouts.

Page 22: Bind Method 2: Search

Page 23: Bind Method 2: Search

• This method takes an LDAP query with a %user% placeholder and expands it.
  – (&(objectClass=user)(sAMAccountName=%user%))
• A known read-only user is used to perform the search to discover the user's DN.
  – Only one result must be returned by the query.

Page 24: Bind Method 3: SASL

Page 25: Bind Method 3: SASL

• This method doesn't normally require any configuration.
  – All that is required is a username and a password.
  – The LDAP server is responsible for finding the user from the username.
• Active Directory supports this out of the box.
  – Not all LDAP servers support this.
  – Uses the DIGEST-MD5 SASL mechanism.

Page 26: LDAP Group Based Authorization

• Optional feature for restricting Perforce access to only those users in the LDAP directory who use Perforce.
• Ensures that the user belongs to one or more named groups in the LDAP directory.
• This is defined by an LDAP group search.
  – (&(objectClass=posixGroup)(cn=development)(memberUid=%user%))

Page 27: Testing the Configuration

• The new p4 ldap and p4 ldaps commands both have -t <username> options.
  – This allows an LDAP configuration to be tested before it is enabled.
• Authentication failures are reported with more detailed messages than a user would see running p4 login.

Page 28: Enabling LDAP Authentication

• Use p4 configure to set the ordered list of LDAP configurations:
  – p4 configure set auth.ldap.order.1=MasterAD
• This supports:
  – Fragmented user directories (directory server per office).
  – Replicated user directories (for failover).

Page 29: Migrating Users to Use LDAP

• Users must be configured to use LDAP.
  – Many background (non-human) Perforce users are not stored in LDAP.
  – A new AuthMethod field on the user spec switches users between authenticating against the Perforce database and LDAP.

Page 30: Authentication Based User Creation

• The default user AuthMethod can be changed to ldap.
• This enables automatic user creation for any user who can authenticate using p4 login.
• This works best with the group based authorization.

Page 31: DEMO

Page 32: Thank you!

Sven Erik Knop – [email protected]
Nick Poole – [email protected] – @P4Nick

Page 33: Slide-ware Demo Backup

Page 34: An example record in OpenLDAP

Page 36: Using Simple Bind with OpenLDAP

Page 38: Using Search Bind with OpenLDAP

Page 40: Using SASL Bind with OpenLDAP

Page 42: An example record in AD

Page 44: Using Search Bind with AD

Page 46: Using SASL Bind with AD

Page 48: Group Authorization with OpenLDAP

Page 50: Group Authorization with AD

Page 52: Fragmented Directories

(diagram: one user population split across two directories, OpenLDAP and Active Directory)

Page 54: Ordered Directory Querying

• Set the configurables
  – auth.ldap.order.1=openldap-search
  – auth.ldap.order.2=ad-search
• Run p4 ldaps -t sbaker

Output:

Testing authentication against LDAP configuration openldap-search.
User not found by LDAP search "(&(objectClass=inetOrgPerson)(cn=sbaker))" starting at ou=employees,dc=p4,dc=com
Testing authentication against LDAP configuration ad-search.
Authentication successful.
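The bind patterns from pages 21 to 26 (simple DN construction, search with a %user% filter that must return exactly one entry, optional group based authorization) and the ordered fall-through shown on this page, modelled in Python as an added example. This is not Perforce's code: the in-memory directory, its passwords and the configuration names are constructed, and the configuration field names (BindMethod, SimplePattern, SearchBaseDN, SearchFilter, GroupBaseDN, GroupSearchFilter) follow the p4 ldap spec as assumed here, so confirm them with p4 help ldap. The points it makes that the slides only state: the %user% value is escaped one way when it lands in a DN (RFC 4514) and another way when it lands in a filter (RFC 4515), a search that finds zero or several entries is refused rather than guessed, and the ordered list moves to the next configuration only after the previous one fails.

```python
import re

# Constructed in-memory directory (not real data): DN -> attributes. It models the
# deck's examples: cn=<user> under ou=Users,dc=p4,dc=com, sAMAccountName lookups in
# an AD-style tree, and a posixGroup named development. Passwords are made up.
DIRECTORY = {
    "cn=npoole,ou=Users,dc=p4,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["npoole"], "userPassword": ["pw-npoole"]},
    "cn=guest,ou=Users,dc=p4,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["guest"], "userPassword": ["pw-guest"]},
    "cn=sbaker,ou=Staff,dc=ad,dc=example": {"objectClass": ["user"], "sAMAccountName": ["sbaker"], "userPassword": ["pw-sbaker"]},
    "cn=development,ou=Groups,dc=p4,dc=com": {"objectClass": ["posixGroup"], "cn": ["development"], "memberUid": ["npoole"]},
}

# Hypothetical configurations keyed by name. The field names mirror the p4 ldap spec
# as assumed in this example; check 'p4 help ldap' for the real ones.
CONFIGS = {
    "openldap-simple": {"BindMethod": "simple", "SimplePattern": "cn=%user%,ou=Users,dc=p4,dc=com",
                        "GroupBaseDN": "ou=Groups,dc=p4,dc=com",
                        "GroupSearchFilter": "(&(objectClass=posixGroup)(cn=development)(memberUid=%user%))"},
    "openldap-search": {"BindMethod": "search", "SearchBaseDN": "ou=employees,dc=p4,dc=com",
                        "SearchFilter": "(&(objectClass=inetOrgPerson)(cn=%user%))"},
    "ad-search": {"BindMethod": "search", "SearchBaseDN": "dc=ad,dc=example",
                  "SearchFilter": "(&(objectClass=user)(sAMAccountName=%user%))"},
}

def escape_dn(value):
    """RFC 4514 escaping for a value substituted into a DN (simple bind pattern)."""
    out = re.sub(r'([\\,+"<>;=])', r'\\\1', value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def expand(pattern, user, escape):
    """Expand the %user% placeholder; which escaper applies depends on where it lands."""
    return pattern.replace("%user%", escape(user))

def parse_filter(text):
    """Parse the AND/equality subset of RFC 4515 filters into a predicate on an entry."""
    def parse(i):  # returns (predicate, index just past the closing parenthesis)
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if text[i + 1] == "&":
            preds, i = [], i + 2
            while text[i] != ")":
                pred, i = parse(i)
                preds.append(pred)
            return (lambda e: all(p(e) for p in preds)), i + 1
        end = text.index(")", i)
        attr, _, want = text[i + 1:end].partition("=")
        want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), want)
        return (lambda e: want in e.get(attr, [])), end + 1
    pred, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return pred

def search(base_dn, filter_text):
    """Subtree search: DNs under base_dn whose attributes satisfy the filter."""
    pred = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and pred(attrs)]

def bind(dn, password):
    """Stand-in for an LDAP bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def authenticate(config_name, user, password):
    """Run one configuration; returns (ok, message) in the style of p4 ldaps -t."""
    cfg = CONFIGS[config_name]
    if cfg["BindMethod"] == "simple":
        dn = expand(cfg["SimplePattern"], user, escape_dn)
    else:  # search bind; the read-only search account's own bind is not modelled
        filt = expand(cfg["SearchFilter"], user, escape_filter)
        found = search(cfg["SearchBaseDN"], filt)
        if not found:
            return False, 'User not found by LDAP search "%s" starting at %s' % (filt, cfg["SearchBaseDN"])
        if len(found) > 1:  # ambiguous result: refuse rather than pick one
            return False, "LDAP search returned %d entries, expected exactly one" % len(found)
        dn = found[0]
    if not bind(dn, password):
        return False, "Invalid credentials for %s" % dn
    if "GroupSearchFilter" in cfg:  # optional group based authorization
        groups = search(cfg["GroupBaseDN"], expand(cfg["GroupSearchFilter"], user, escape_filter))
        if not groups:
            return False, "User %s is not a member of a required group" % user
    return True, "Authentication successful."

def login(order, user, password):
    """Try configurations in auth.ldap.order.N sequence; stop at the first success."""
    log = []
    for name in order:
        ok, msg = authenticate(name, user, password)
        log.append("Testing authentication against LDAP configuration %s. %s" % (name, msg))
        if ok:
            return True, log
    return False, log
```

Calling login(["openldap-search", "ad-search"], "sbaker", "pw-sbaker") produces the same two-step trace as the p4 ldaps -t sbaker output above: the OpenLDAP search finds nothing under ou=employees, so the AD configuration is tried next and succeeds. Passing a username containing a parenthesis or asterisk to a search configuration shows why the filter escaping matters: the character is substituted as \29 or \2a and compared literally instead of altering the query's structure.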