Triggering to use external authentication
To configure
      Helix Core Server
      to work with an external authentication manager (such as LDAP or Active
      Directory), use authentication triggers (auth-check,
      auth-check-sso, service-check, and
      auth-set). These triggers fire on the p4
 login and p4 passwd
You might prefer to enable LDAP authentication by using an LDAP specification. This option is recommended: it is easier to use, no external scripts are required, it provides greater flexibility in defining bind methods, it allows users who are not in the LDAP directory to be authenticated against Helix Core Server’s internal user database, and it is more secure. For more information, see Authentication options.
That being said, you also have the option of using
	auth-check-sso triggers when LDAP authentication is
	enabled. In this case, users authenticated by LDAP can define a
	client-side SSO script instead of being prompted for a password. If the
	trigger succeeds, the active LDAP configurations are used to confirm
	that the user exists in at least one LDAP server. The user must also
	pass the group authorization check if it is configured. Triggers of
	type auth-check-sso will not be called for users who do
	not authenticate against LDAP.
Authentication triggers differ from changelist and form triggers in that
      passwords typed by the user as part of the authentication process are
      supplied to authentication scripts as standard input; never on the
      command line. (The only arguments passed on the command line are those
      common to all trigger types, such as %user%,
      %clientip%, and so on.)
Be sure to spell the trigger name correctly when you add the trigger to the trigger table because a misspelling can result in all users being locked out of Helix Core Server.
Be sure to fully test your trigger and trigger table invocation prior to deployment in a production environment.
Contact Perforce Technical Support if you need assistance with restoring access to your server.
The examples in this book are for illustrative purposes only. For a more detailed discussion, including links to sample code for an LDAP environment, see the Perforce Knowledge Base article, Authenticating with LDAP.
You must restart the
      Helix Core Server
      after adding an auth-check (or service-check)
      trigger in order for it to take effect. You can, however, change an
      existing auth-check trigger table entry (or trigger script)
      without restarting the server.
After an auth-check trigger is in place and the server
      restarted, the Helix Core Server security configurable is ignored. Because authentication is
      now under the control of the trigger script, the server’s default
      mechanism for password strength requirements is redundant.
The following table describes the fields of an authentication trigger definition.
| Field | Meaning | 
|---|---|
| 
 | The name of the trigger. | 
| 
 | 
 | 
| 
 | Use  | 
| 
 | The trigger for the
	      Helix Core Server
	      to run. See the following sections about specific authentication
	      trigger types for more information on when the trigger is fired.
	      In most cases, it is when the  Specify the command in a way that allows the
	      Helix Core Server
	      account to locate and run the command. The
	       When your trigger script is stored in the depot, its path must
	      be specified in depot syntax, delimited by percent characters.
	      For example, if your script is stored in the depot as
	       For  For  For  | 






