Triggering for external authentication

Triggers of type auth-set fire when users (standard users or service users) run the p4 passwd command and successfully validate their old password with an auth-check (or service-check) trigger. The process is as follows:

1. A user invokes p4 passwd.
2. The Helix Core Server prompts the user to enter his or her old password.
3. The Helix Core Server fires an auth-check trigger to validate the old password against the external authentication service.
4. The script associated with the auth-check trigger runs. If the auth-check trigger fails, the process ends immediately: the user is not prompted for a new password, and the auth-set trigger never fires.
5. If the auth-check trigger succeeds, the server prompts the user for a new password.

6. The Helix Core Server fires an auth-set trigger and supplies the trigger script with both the old password and the new password on the standard input, separated by a newline.

   Note

   In most cases, users in an external authentication environment will continue to set their passwords without use of Helix Core Server. The auth-set trigger type is included mainly for completeness.

Because the Helix Core Server must validate the user’s current password, you must have a properly functioning auth-check trigger before attempting to write an auth-set trigger. A trivial authentication-setting script

#!/bin/bash
# setpass.sh - a trivial authentication-setting script

USERNAME=$1

read OLDPASS
read NEWPASS

echo setpass.sh: $USERNAME attempted to change $OLDPASS to $NEWPASS

sample11  auth-check  auth  "checkpass.sh %user%"
sample12  auth-set    auth  "setpass.sh %user%"