p4 ldap
Create, display, edit, or delete an LDAP configuration specification, or test an existing LDAP configuration.
Syntax
p4 [g-opts] ldap configname
p4 [g-opts] ldap -i
p4 [g-opts] ldap -o configname
p4 [g-opts] ldap -d configname
p4 [g-opts] ldap -t username configname
Description
The p4 ldap
command includes five syntax
variants:
- The first variant allows you to create or edit an LDAP configuration.
- The
p4 ldap -i
command allows you to read an LDAP configuration from standard input. - The
p4 ldap -o
command allows you to display the specified LDAP configuration. - The
p4 ldap -d
command allows you to delete the specified LDAP configuration. - The
p4 ldap -t
command allows you to test an existing LDAP configuration.
-
This command cannot be run from a read-only or build replica.
-
LDAP queries for a user are performed as that user. Therefore, a user must be a member of a group before that user can see that group. (See Authorization using LDAP groups in Helix Core Server Administrator Guide.)
Creating an LDAP Configuration
The LDAP configuration you create with the p4 ldap
command defines an Active Directory or other LDAP server against which
the
Helix Servercan authenticate users.
To create an LDAP configuration specification, you provide values that specify the host and port of the AD/LDAP server, bind method information, and security parameters. Bind methods can be one of the following:
-
Simple: Uses a template based on the user’s name to produce a distinguished name that the Helix Server attempts to bind against, validating the user’s password. For example:
uid=%user%,ou=users,dc=example,doc=org
-
Search: Uses an LDAP search query to locate the user record. The search relies on a known base DN and an LDAP search query. You provide these using the
SearchBaseDN
,SearchFilter
, andSearchScope
fields of the LDAP configuration specification. This method might also required the full distinguished name and password of a known read-only entity in the directory. You supply these using theSearchBindDN
andSearchPasswd
fields of the LDAP configuration. Here is a sample search query:BaseDN: ou=users,dc=example,dc=org LDAP query: (uid=%user%)
- SASL: If the AD/LDAP server supports
SASL DIGEST-MD5
, this method defers the user search to the AD/LDAP server and does not require a distinguished name to be discovered before the bind is attempted. The user provides a user name, a password, and an optional realm.
In addition to creating the LDAP configuration, you must use the following configurables to enable the configuration and to further define the authentication process:
- auth.ldap.order.N - enables an AD/LDAP server and specifies the order in which it should be searched.
- auth.default.method - specifies whether new users should be authenticated by Helix Server or using LDAP.
- auth.ldap.userautocreate - specifies whether new users should be automatically created on login when using LDAP authentication.
- auth.ldap.timeout - time to wait before giving up on a connection.
- auth.ldap.cafile - the path to a file used for certification when the AD/LDAP server uses SSL or TLS.
- auth.ldap.ssllevel - level of SSL certificate validation.
For more information, see Configurables.
LDAP configurations are stored in the new db.ldap
table.
This table is journaled, so LDAP configurations are now included in
checkpoints and are replicated.
Authentication is user-based:
- The LDAP authentication method is selected for each existing user
with the
AuthMethod
field of the user specification. For more information, see thep4 user
command. - The authentication method applied to auto-created users (LDAP or
Perforce) is
determined by the
auth.userautocreate
configurable. For more information, see Configurables.
Here is a sample LDAP configuration:
Name: olivia Host: openldap.example.com Port: 389 Encryption: tls BindMethod: search Options: nodowncase nogetattrs norealminusername SimplePattern: someuserid SearchBaseDN: ou=employees,dc=example,dc=com SearchFilter: (cn=%user%) SearchScope: subtree GroupSearchScope: subtree
Testing an LDAP Configuration
You can use a command like the following to test an LDAP configuration:
$ p4 ldap -t userX myConfig
The command prompts you for a password and returns successfully if
userX
can be found. If the AD/LDAP server specified by
myConfig
is down, if the user can’t be found, or if the
password you supply is incorrect, the command returns a detailed error
message. For example:
c:\temp> p4 -p 1666 ldap -t userX olivia
Enter password:
Authentication as cn=userX,ou=employees,dc=example,dc=com
failed. Reason: Invalid Credentials
Form Fields
Field Name | Type | Description |
---|---|---|
|
Read only |
The name of the LDAP configuration. Relevant to bind method: all |
|
Writable |
Fully qualified domain name of AD/LDAP server. The default is
Relevant to bind method: all |
|
Writable |
The port to connect on. The default is Relevant to bind method: all Tip
Port 389 has historically been used for unencrypted connections into an LDAP server. Port 636 is used for legacy SSL connections. Port 389 is used for TLS connections; TLS establishes a non encrypted connection on port 389 that it 'upgrades' to an encrypted TLS connection as the initial connection proceeds. This allows unencrypted and encrypted connections to be setup and handled by this one port. The Perforce LDAP specification must therefore have the specified 'Port:' field corresponding to the relevant encryption method in the 'Encryption:' ('none', 'ssl' or 'tls') field. |
|
Writable |
One of Relevant to bind method: all |
|
Writable |
One of Relevant to bind method: all |
|
Writable |
Modifies the behavior of the LDAP integration that is specific to this configuration. Choose from the following:
By default, these options are not set. |
|
Writable |
The distinguished name used to bind against to validate the
user’s credentials. The Relevant to bind method: simple |
|
Writable |
The distinguished name from which to start the search for the user object. Relevant to bind method: search |
|
Writable |
The LDAP query filter that identifies the user object to bind
against. The Relevant to bind method: search |
|
Writable |
One of the following:
Relevant to bind method: search |
|
Writable |
The distinguished name to bind against to search the
directory. |
|
Writable |
The password for the Relevant to bind method: search |
|
Writable |
The optional realm to use when authenticating the user using SASL. Relevant to bind method: sasl |
|
Writable |
The filter to use for the group search. Relevant to bind method: all |
|
Writable |
The search base for performing a group search. The default is
the value of Relevant to bind method: all |
|
Writable |
One of the following, to be used when performing a group search.
Relevant to bind method: all |
|
Writable |
The name of the attribute in the user object that contains the user’s UID. |
|
Writable |
The name(s) of the attribute(s) in the user object that contains the user’s full name. If multiple attributes are required to form the full name, specify each one surrounded by % symbols, so that expanding these forms the user’s full name. The |
|
Writable |
The name of the attribute in the directory’s user object that contains the users' email addresses. The |
Options
|
Deletes the specified LDAP configuration. |
|
Read the LDAP specification from standard input. |
|
Writes the specified LDAP configuration to standard output. |
|
Specifies a username to authenticate against the specified LDAP configuration. It is provided for testing purposes. The command returns a success message or a detailed error message. You do not have to enable the configuration to run this test. |
|
See Global options. |
Usage Notes
Can File Arguments Use Revision Specifier? | Can File Arguments Use Revision Range? | Minimal Access Level Required |
---|---|---|
N/A |
N/A |
|
Examples
|
Create the |
|
Write the |
|
Authenticate the user |
|
Delete the |
Related Commands
To view a list of all LDAP configurations. |
|
To define LDAP-related configurables. |