Defining authentication for users
Authentication is defined by the setting of the AuthMethod
field of the user spec and also by configurables that affect user
authentication.
The AuthMethod field of the user specification, created with the p4 user command, specifies the authentication method to be used for that user.
- ldap indicates that the user is to be authenticated against the LDAP directory defined by an active LDAP configuration. User access can be further restricted to those users who belong to a particular LDAP group.
All authentication triggers are disabled when LDAP authentication is enabled.
- perforce indicates that the user is to be authenticated by an authentication trigger script if such a script exists, or against Helix Core Server’s internal user database. This is the default setting.
A superuser must edit the user spec with the p4 user -f command to change the default value to ldap if desired.
The auth.default.method configurable defines the default value for AuthMethod on new users. Possible values are perforce or ldap.
By default, Helix Core Server creates a new user whenever a previously unknown user invokes any command that can update the repository or its metadata. When executed by a nonexistent user, most Helix Core Server commands cause a user to be created. You can control this behavior by setting the dm.user.noautocreate configurable with the p4 configure command. For greatest security, we recommend that only the Helix Core Server superuser be allowed to create new users:
$ p4 configure set dm.user.noautocreate=2
If you select the ldap configurable, only superusers are allowed to create new users (using the p4 user command). To have new users automatically created upon login, you must set auth.ldap.userautocreate to 1.
If you need more control over which LDAP users are allowed access to Helix Core Server, you can use the group-related fields of the LDAP configuration to implement a basic authorization step that filters out non-Helix Core Server users. For example, specifying a filter like the following limits access to LDAP users who belong to the LDAP group with the common name perforce.
Base DN: ou=groups,dc=example,dc=org
LDAP query: (&(cn=perforce)(memberUid=%user%))
In this case, only users who provide the proper credentials and who are members of the specified group are authenticated. For more information about the auth.default.method configurable, see the description of the p4 configure command and Configurables in the Helix Core Command-Line (P4) Reference.
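The following shell script is an added example, not part of the Perforce documentation: it checks a saved list of configurable settings against the user-creation recommendations above. The NAME=VALUE input layout, the function names, and the fallback values used for unset configurables are assumptions.

```shell
#!/bin/sh
# Added example (not Perforce code): audit the user-creation configurables.
# Assumption: input is NAME=VALUE per line, optionally followed by " (source)",
# as you would save from `p4 configure show`; adjust get_cfg if yours differs.

# get_cfg NAME DEFAULT: read settings on stdin, print NAME's value or DEFAULT.
get_cfg() {
    awk -v k="$1" -v d="$2" '
        { pair = $1; i = index(pair, "=") }
        i > 0 && substr(pair, 1, i - 1) == k { v = substr(pair, i + 1); found = 1 }
        END { print (found ? v : d) }'
}

# audit_user_creation SETTINGS: print findings; return 0 only if there are none.
# Fallback values for unset configurables (0, perforce, 0) are assumptions.
audit_user_creation() {
    settings=$1
    noauto=$(printf '%s\n' "$settings" | get_cfg dm.user.noautocreate 0)
    method=$(printf '%s\n' "$settings" | get_cfg auth.default.method perforce)
    ldapauto=$(printf '%s\n' "$settings" | get_cfg auth.ldap.userautocreate 0)
    findings=""
    if [ "$noauto" != "2" ]; then
        findings="${findings}WEAK dm.user.noautocreate=$noauto: recommended value is 2 (only superusers create users)
"
    fi
    if [ "$method" = "ldap" ] && [ "$ldapauto" = "1" ]; then
        findings="${findings}REVIEW auth.ldap.userautocreate=1: users are created at login; confirm the LDAP group filter is set
"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample settings (not captured from a real server).
SAMPLE_WEAK='dm.user.noautocreate=0 (configure)
auth.default.method=ldap (configure)
auth.ldap.userautocreate=1 (configure)'
SAMPLE_HARDENED='dm.user.noautocreate=2 (configure)
auth.default.method=ldap (configure)
auth.ldap.userautocreate=0 (configure)'

audit_user_creation "$SAMPLE_WEAK" || echo "-> findings need attention"
audit_user_creation "$SAMPLE_HARDENED" && echo "-> hardened sample: no findings"
```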
If a user is set to use LDAP-configuration based authentication, the user cannot update the password with the p4 passwd command.