Triggering for external authentication
Triggers of type auth-set
fire when users (standard users
or service users) run the p4 passwd
command and
successfully validate their old password with an auth-check
(or service-check
) trigger. The process is as follows:
- A user invokes
p4 passwd
. - The Helix Core Server prompts the user to enter his or her old password.
- The
Helix Core Server
fires an
auth-check
trigger to validate the old password against the external authentication service. - The script associated with the
auth-check
trigger runs. If theauth-check
trigger fails, the process ends immediately: the user is not prompted for a new password, and theauth-set
trigger never fires. - If the
auth-check
trigger succeeds, the server prompts the user for a new password. -
The Helix Core Server fires an
auth-set
trigger and supplies the trigger script with both the old password and the new password on the standard input, separated by a newline.NoteIn most cases, users in an external authentication environment will continue to set their passwords without use of Helix Core Server. The
auth-set
trigger type is included mainly for completeness.
Because the
Helix Core Server
must validate the user’s current password, you must have a properly
functioning auth-check
trigger before attempting to write an
auth-set
trigger. A trivial authentication-setting script
Example A trivial authentication-setting script
#!/bin/bash # setpass.sh - a trivial authentication-setting script USERNAME=$1 read OLDPASS read NEWPASS echo setpass.sh: $USERNAME attempted to change $OLDPASS to $NEWPASS
This auth-set
trigger fires after users run p4
passwd
and successfully pass the external authentication
required by the auth-check
trigger. To use the trigger,
add the following two lines to the trigger table:
sample11 auth-check auth "checkpass.sh %user%" sample12 auth-set auth "setpass.sh %user%"
This trivial example doesn’t actually change any passwords; it merely reports back what the user attempted to do.