Active Directory & LDAP Authentication Without Triggers

Transcript
Page 1: Active Directory & LDAP Authentication Without Triggers

AD and LDAP Authentication Without Triggers

Sven Erik Knop, Technical Marketing Manager
Nick Poole, Software Engineer

Page 2: Speakers

Sven Erik Knop, Technical Marketing Engineer, Perforce Software
Nick Poole, Senior Developer, Perforce Software

Page 3: Agenda

• User authentication in Perforce – a brief overview
• What is LDAP?
• Integrating LDAP with Perforce

Page 4: User Authentication in Perforce

Page 5: Freshly Installed Perforce Server

• Users are created automatically when connecting
• security = 0
  – Passwords are not enforced (but can be set)
  – Any password is acceptable
  – Passwords can be stored in clear in the client
• No protection table – everyone has super rights

Page 6: Hardening Access to Perforce

• Create a protection table
• Set dm.user.noautocreate
  – 1: need to run p4 user explicitly
  – 2: need to have superuser access
• Set security
  – 1: Need strong password (8 mixed chars minimum)
  – 2: Enforce strong password
  – 3: Need to run p4 login to create ticket

Page 7: Tickets

• Represents a session to Perforce
  – Typically time-limited (12 hours default)
• Created by p4 login
  – Stored locally in P4TICKETS file
  – p4 tickets lists all available tickets

Port             User     Ticket
localhost:20101  p4admin  F84DB47C7C7206C1120EB9F5021F83E9

Page 8: External Password Authentication

• Goals
  – Single password storage and rules
  – Simplifies monitoring and revoking of access
• Authentication triggers
  – auth_check to verify a password
  – auth_set to set a password

Page 9: External Password Authentication

Login message sequence between client, server and auth trigger:
1. Client sends p4 login (user-login)
2. Server replies with client-Prompt: "Enter Password:"
3. Client sends <password> (dm-login)
4. Server calls the auth-check trigger
5. Trigger returns <accepted>
6. Server sends client-SetPassword: "User logged in."

Page 10: LDAP

Page 11: What is LDAP?

• Lightweight Directory Access Protocol
  – Alternative to DAP for X.500 directory service
• Supported by different directory services, e.g.
  – Active Directory (AD, Microsoft™)
  – OpenLDAP

bind    authenticate user against password
search  find entries in the directory

Page 12: What is a Directory Service?

• A directory is a map { key → value }
• A directory service is a database serving that map
  – Telephone directory
  – DNS (domain name service)
  – User account management (password, permissions)

Page 13: (diagram, not captured in transcript)

Page 14: Pattern for User Authentication

• With username, either
  – Construct DN
  – Search to find the unique identifier
• Bind against provided password

Field  Name                 Description
dn     Distinguished Name   Unique identifier
dc     Domain Component     For example, DC=www,DC=perforce,DC=com
ou     Organizational Unit  For example, a user group
cn     Common Name          Person's name, job title etc.

Page 15: LDAP Integration

• auth_check trigger works well, but ...
  – Needs to be installed separately
  – No standard (Python, Perl, C++ implementations)
  – One more headache for administrators
• Most common request on P4Ideax:
  – Perforce should provide built-in LDAP integration
• Now available in P4D 2014.2

Page 16: Implementation

Page 17: No More Triggers

• The new LDAP integration is an alternative to the auth_check trigger
  – When enabled, any auth_* triggers are disabled
• Configuration uses:
  – p4 ldap
  – p4 ldaps
  – p4 configure

Page 18: Defining an LDAP Server Connection

• Configuration provided to the Perforce Server as a spec using the new command:
  – p4 ldap
• The fundamental parameters:
  – Hostname
  – Port number
  – Encryption method

Page 19: Mapping Users to Directory Objects

• How the user is located in the directory must be configured before the user can be authenticated.
• 3 bind methods supported:
  – Simple
  – Search
  – SASL

Page 20: Bind Method 1: Simple

Page 21: Bind Method 1: Simple

• This method takes a DN with a %user% placeholder
  – cn=%user%,ou=Users,dc=p4,dc=com
  – cn=npoole,ou=Users,dc=p4,dc=com
• Only suitable for the simplest directory layouts.

Page 22: Bind Method 2: Search

Page 23: Bind Method 2: Search

• This method takes an LDAP query with a %user% placeholder and expands it.
  – (&(objectClass=user)(sAMAccountName=%user%))
• A known read-only user is used to perform the search to discover the user's DN.
  – The query must return exactly one result.

Page 24: Bind Method 3: SASL

Page 25: Bind Method 3: SASL

• This method doesn't normally require any configuration.
  – All that is required is a username and a password.
  – The LDAP server is responsible for finding the user from the username.
• Active Directory supports this out of the box.
  – Not all LDAP servers support this.
  – Uses the DIGEST-MD5 SASL mechanism.

Page 26: LDAP Group Based Authorization

• Optional feature for restricting Perforce access to only those LDAP users who use Perforce.
• Ensures that the user belongs to one or more named groups in the LDAP.
• This is defined by an LDAP group search.
  – (&(objectClass=posixGroup)(cn=development)(memberUid=%user%))
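The pattern on the preceding slides, map the username to a DN (by template or by search), bind with the password, then run the optional group search, as an added example. This is not Perforce's code and not from the talk: it runs against a small constructed in-memory directory instead of a real LDAP server, so the entries, passwords, the minimal filter evaluator and the escaping helpers are all assumptions of this example. It goes one step beyond the slides by escaping the expanded %user% value (RFC 4514 for DN templates, RFC 4515 for filters), so a username cannot change the shape of the DN or the query. SASL is left out because there the directory server does the user mapping itself.

```python
import hashlib
import re

# Constructed sample directory: (dn, attributes). Passwords are kept as
# SHA-256 digests only so the demo has something to compare against.
DIRECTORY = [
    ("cn=npoole,ou=Users,dc=p4,dc=com",
     {"objectClass": "inetOrgPerson", "cn": "npoole",
      "userPassword": hashlib.sha256(b"hunter22").hexdigest()}),
    ("cn=sbaker,ou=Users,dc=p4,dc=com",
     {"objectClass": "inetOrgPerson", "cn": "sbaker",
      "userPassword": hashlib.sha256(b"s3cret").hexdigest()}),
    ("cn=development,ou=Groups,dc=p4,dc=com",
     {"objectClass": "posixGroup", "cn": "development",
      "memberUid": ["npoole"]}),
]

DN_SPECIALS = ',+"\\<>;='
FILTER_SPECIALS = {"*": r"\2a", "(": r"\28", ")": r"\29",
                   "\\": r"\5c", "\0": r"\00"}


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN template."""
    out = "".join("\\" + c if c in DN_SPECIALS else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(FILTER_SPECIALS.get(c, c) for c in value)


def simple_bind_dn(pattern, user):
    """Bind method 1: expand %user% inside a DN pattern."""
    return pattern.replace("%user%", escape_dn_value(user))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _matches(attrs, filter_text):
    """Evaluate (a=b) or (&(a=b)(c=d)...) against one entry. Only equality
    conjunctions are supported, which covers the slides' examples."""
    if not re.fullmatch(r"\(&(?:\([^()]*\))+\)|\([^()]*\)", filter_text):
        raise ValueError("unsupported filter: " + filter_text)
    for attr, wanted in re.findall(r"\(([^()=]+)=([^()]*)\)", filter_text):
        have = attrs.get(attr, [])
        have = have if isinstance(have, list) else [have]
        if _unescape(wanted) not in have:
            return False
    return True


def search(directory, base_dn, filter_text):
    """DNs at or below base_dn whose attributes satisfy the filter."""
    return [dn for dn, attrs in directory
            if dn.lower().endswith(base_dn.lower())
            and _matches(attrs, filter_text)]


def search_bind_dn(directory, base_dn, filter_template, user):
    """Bind method 2: run the expanded query (as the read-only search user
    would) and insist on exactly one hit, as the slides require."""
    query = filter_template.replace("%user%", escape_filter_value(user))
    hits = search(directory, base_dn, query)
    if len(hits) != 1:
        raise LookupError("expected one entry for %r, got %d" % (user, len(hits)))
    return hits[0]


def bind(directory, dn, password):
    """The bind itself: the entry must exist and the password must match."""
    attrs = dict(directory).get(dn)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return attrs is not None and attrs.get("userPassword") == digest


def in_group(directory, group_base_dn, group_filter_template, user):
    """Group based authorization: the group search must find at least one group."""
    query = group_filter_template.replace("%user%", escape_filter_value(user))
    return bool(search(directory, group_base_dn, query))


def authenticate(directory, user, password, method="search"):
    """Whole flow for the simple and search methods: user -> DN, bind, group check."""
    try:
        if method == "simple":
            dn = simple_bind_dn("cn=%user%,ou=Users,dc=p4,dc=com", user)
        else:
            dn = search_bind_dn(directory, "ou=Users,dc=p4,dc=com",
                                "(&(objectClass=inetOrgPerson)(cn=%user%))", user)
    except LookupError:
        return "user not found"
    if not bind(directory, dn, password):
        return "bad password"   # also covers a simple-bind DN that does not exist
    if not in_group(directory, "ou=Groups,dc=p4,dc=com",
                    "(&(objectClass=posixGroup)(cn=development)(memberUid=%user%))",
                    user):
        return "not in group"
    return "ok"
```

Calling authenticate(DIRECTORY, "sbaker", "s3cret") returns "not in group": the bind succeeds but the group search finds no posixGroup named development with memberUid=sbaker, which is exactly the case the group based authorization slide is for. A username such as "*" is escaped to \2a before it reaches the filter, so the search treats it as a literal and reports the user as not found rather than widening the query.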

Page 27: Testing the Configuration

• The new p4 ldap and p4 ldaps commands both have -t <username> options.
  – This allows an LDAP configuration to be tested before it is enabled.
• Authentication failures are reported with more detailed messages than a user would see running p4 login.

Page 28: Enabling LDAP Authentication

• Use p4 configure to set the ordered list of LDAP configurations:
  – p4 configure set auth.ldap.order.1=MasterAD
• This supports:
  – Fragmented user directories (directory server per office).
  – Replicated user directories (for failover).

Page 29: Migrating Users to Use LDAP

• Users must be configured to use LDAP.
  – Many background (non-human) Perforce users are not stored in LDAP.
  – A new AuthMethod field on the user spec switches users between authenticating against the Perforce database and LDAP.

Page 30: Authentication Based User Creation

• The default user AuthMethod can be changed to ldap.
• This enables automatic user creation for any user who can authenticate using p4 login.
• This works best with the group based authorization.

Page 31: DEMO

Page 32: Thank you!

Sven Erik Knop, [email protected]
Nick Poole, [email protected], @P4Nick

Page 33: Slide-ware Demo Backup

Page 34: An example record in OpenLDAP

Page 35: (record shown on slide, not captured in transcript)

Page 36: Using Simple Bind with OpenLDAP

Page 37: (configuration shown on slide, not captured in transcript)

Page 38: Using Search Bind with OpenLDAP

Page 39: (configuration shown on slide, not captured in transcript)

Page 40: Using SASL Bind with OpenLDAP

Page 41: (configuration shown on slide, not captured in transcript)

Page 42: An example record in AD

Page 43: (record shown on slide, not captured in transcript)

Page 44: Using Search Bind with AD

Page 45: (configuration shown on slide, not captured in transcript)

Page 46: Using SASL Bind with AD

Page 47: (configuration shown on slide, not captured in transcript)

Page 48: Group Authorization with OpenLDAP

Page 49: (configuration shown on slide, not captured in transcript)

Page 50: Group Authorization with AD

Page 51: (configuration shown on slide, not captured in transcript)

Page 52: Fragmented Directories (OpenLDAP, Active Directory)

Page 53: (OpenLDAP and Active Directory diagram, not captured in transcript)

Page 54: Ordered Directory Querying

• Set the configurables
  – auth.ldap.order.1=openldap-search
  – auth.ldap.order.2=ad-search
• Run p4 ldaps -t sbaker

Output:
Testing authentication against LDAP configuration openldap-search.
User not found by LDAP search "(&(objectClass=inetOrgPerson)(cn=sbaker))" starting at ou=employees,dc=p4,dc=com
Testing authentication against LDAP configuration ad-search.
Authentication successful.
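The ordered walk over auth.ldap.order.1, auth.ldap.order.2, ... that the demo output above shows, as an added example that is not Perforce's code. Each configuration is modelled as a name plus a lookup over a constructed username/password map standing in for that directory; a real implementation would bind to the server named in the spec instead. The demo only shows the "user not found" case falling through to the next configuration; the rule that a user who is found but gives a wrong password stops the walk is this example's own assumption, chosen so one password is never retried against every directory.

```python
def make_config(name, users):
    """Constructed stand-in for one p4 ldap configuration.
    users: {username: password} map standing in for that directory."""
    def try_auth(user, password):
        if user not in users:
            return "not found"
        return "ok" if users[user] == password else "bad password"
    return (name, try_auth)


# Constructed directories matching the demo output: sbaker exists only in AD.
ORDER = [
    make_config("openldap-search", {"npoole": "hunter22"}),
    make_config("ad-search", {"sbaker": "s3cret", "npoole": "other"}),
]


def authenticate_ordered(order, user, password):
    """Walk the configurations in order. "not found" falls through to the
    next configuration (the case in the demo output). Assumption of this
    example: a found user with a wrong password ends the walk.
    Returns (configuration name or None, outcome, transcript lines)."""
    log = []
    for name, try_auth in order:
        log.append("Testing authentication against LDAP configuration %s." % name)
        outcome = try_auth(user, password)
        if outcome == "not found":
            log.append("User not found in %s." % name)
            continue
        log.append("Authentication successful." if outcome == "ok"
                   else "Authentication failed.")
        return name, outcome, log
    return None, "not found", log


if __name__ == "__main__":
    name, outcome, log = authenticate_ordered(ORDER, "sbaker", "s3cret")
    print("\n".join(log))
    print("->", name, outcome)
```

For sbaker the walk reports not found in openldap-search and succeeds in ad-search, mirroring the p4 ldaps -t output; for npoole with the password that is only valid in AD, the walk stops at openldap-search with "bad password" because that directory knows the user.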