

Problems getting LDAP Active Directory Authentication working

ldap linux active directory triggers authentication

5 replies to this topic

#1 Randomsense

Posted 02 May 2013 - 09:15 PM

I'm new to Perforce and still new overall with Linux. I'm in the process of building a Perforce server running on Ubuntu 12.04 LTS Server. I've got Perforce installed and working but I'm having problems getting Active Directory Authentication working. I'm currently using the Perl script with the trigger. After getting this working my next step is enabling SSL.

When I enable the trigger and try to log in, I'm getting the following:
01e9a4c0 13:30:50.485 [0x2a20600][32051c2f] Password invalid.'ldap' validation failed: LDAP bind failure!
01e9a4c0 13:30:50.485 [0x2a20400][30241c15] Perforce password (P4PASSWD) invalid or unset.

Here is my basic authentication setup...


Followed: Setting Up External Authentication Triggers
Perl Script Used: http://public.perfor...ticate.pl?ac=64
Trigger: ldap auth-check auth "/usr/local/bin/p4authenticate.pl 10.x.x.x 389 %user% uid=%user%,cn=users,cn=ka,dc=example,dc=com"
(Removed AD server IP and changed dc in trigger above)

Followed Authentication Triggers: Compiling the Examples

$ perl checkmod.pl
Archive::Tar -- 1.90
Archive::Zip -- 1.30
Authen::SASL -- 2.16
CPAN -- 2.00
Compress::Raw::Bzip2 -- 2.060
Compress::Raw::Zlib -- 2.060
Cwd -- 3.40
Data::Dumper -- 2.145
Digest::HMAC -- 1.03
Digest::SHA -- 5.84
ExtUtils::CBuilder -- 0.280205
ExtUtils::MakeMaker -- 6.66
File::HomeDir -- 1.00
File::Temp -- 0.2301
File::Which -- 1.09
IO::Compress -- ???
IPC::Run3 -- 0.045
Module::Build -- 0.4005
Net::LDAP -- 0.55
Parse::CPAN::Meta -- 1.4404
Perl -- 5.14.2
Probe::Perl -- 0.02
Term::ReadKey -- 2.30
Term::ReadLine -- 1.07
Test::Harness -- 3.27
Test::Script -- 1.07
Text::Glob -- 0.09
YAML -- 0.84


Any thoughts on where I've gone wrong? Any help is appreciated!

#2 P4Matt

Posted 07 May 2013 - 05:43 PM

I'll be honest; I haven't the foggiest.  Have you tried running the script by hand? It would be good to take Perforce out of the picture. I read over the script and the Net::LDAP docs and everything looks copacetic. Are there unicode characters in the user name or password that could be causing it grief?

#3 Randomsense

Posted 07 May 2013 - 05:52 PM

Thanks for the feedback. I'm in the process of working with Perforce support as well. It looks like the issue is related to what CN I'm pointing to. In the few LDAP configurations I've dealt with before you could specify a container and it would look at it and everything under it (including subfolders). It doesn't seem to be the case here and I have to specify the exact CN that holds the account(s).

Since our users are scattered in a few different CNs I now need to figure out how to specify more than one path or (the better option) specify an AD group that I'll add our Perforce users to (probably called PerforceUsers).

#4 mjanulewicz

Posted 07 May 2013 - 06:00 PM

Also, what version of P4 on the server? There was a time not so long ago where passwords were limited to 16 characters, and you'd get this kind of error if someone had a longer password. It was recently fixed though I don't recall exactly where the cutoff was, version-wise.

Might consider actually printing the $result->code so you know what it is.

We use a modified version of this script and our error section at the end has all this in it, just to be sure everything is being passed in correctly:

if ($login_success eq "FALSE") {
        print "LDAP bind failure! Did you type your network password correctly?\n";
        print "Result code: ";
        print $result->code;
        print "\n";
        print "Domain: $domain\n";
        print "User:   $user\n";
        print "Host:   $host\n";
        print "Port:   $port\n";
        exit 1;
}


--
Matt Janulewicz
Lucasfilm Entertainment Company Ltd.



#5 P4Matt

Posted 07 May 2013 - 06:01 PM

2011.1 was when password length was fixed.

#6 mjanulewicz

Posted 07 May 2013 - 06:05 PM

You could also go through multiple domains and try to bind to them. It's been forever since I've looked at our script and it turns out we do this, too.

I just set a variable '$login_success=FALSE' and switch it to TRUE (or anything else) if the bind succeeds:

if( $result->code ){
        $login_success = "FALSE";
}
else {
        exit 0;
}

... then all that other diagnostic stuff I posted earlier goes here ...


Matt Janulewicz
Lucasfilm Entertainment Company Ltd.
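
The two suggestions in this thread (report the bind result code, and try more than one container) combined into one auth-check trigger script, as an added example that is not the Perforce-supplied p4authenticate.pl or the modified script described above. The script name, the container list and the password arriving on standard input are assumptions; the script also refuses empty passwords, because a simple bind with a DN and no password can succeed as an unauthenticated bind.

```perl
#!/usr/bin/perl
# Added example. Hypothetical trigger line (script name is an assumption):
#   ldap auth-check auth "/usr/local/bin/p4auth-multi.pl 10.x.x.x 389 %user%"
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

my ($host, $port, $user) = @ARGV;
die "usage: $0 host port user\n" unless defined $user;

# Constructed list: every container that holds Perforce accounts, since the
# bind DN has to name the exact container of each account.
my @containers = (
    'cn=users,cn=ka,dc=example,dc=com',
    'cn=contractors,cn=ka,dc=example,dc=com',
);

# Assumption: the typed password is handed to the trigger on standard input.
my $password = <STDIN>;
$password = '' unless defined $password;
chomp $password;

# A DN plus an empty password is an "unauthenticated bind" (RFC 4513) that
# many directories answer with success, so reject it before contacting LDAP.
if ($password eq '') {
    print "Empty password rejected.\n";
    exit 1;
}

my $ldap = Net::LDAP->new($host, port => $port, timeout => 10);
unless ($ldap) {
    print "Cannot connect to $host:$port: $@\n";
    exit 1;
}

my @failures;
for my $base (@containers) {
    # Escape the user-supplied name so it cannot change the DN structure.
    my $dn     = 'uid=' . escape_dn_value($user) . ",$base";
    my $result = $ldap->bind($dn, password => $password);
    if ($result->code == 0) {
        $ldap->unbind;
        exit 0;    # exit status 0: the login is accepted
    }
    push @failures, sprintf('%s: code %d (%s)', $dn, $result->code, $result->error);
}
$ldap->unbind;
# Diagnostic detail as suggested in the thread; reduce it once the setup works.
print "LDAP bind failure!\n", map { "  $_\n" } @failures;
exit 1;
```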




