Defining authentication for users

Authentication can be defined by the setting of the AuthMethod field of the user specification and by setting configurables that affect user authentication. You can also filter by group.

By default, P4 Server creates a new user whenever a previously unknown user invokes any command that can update the repository or its metadata Information that P4 Server maintains, such as who created file revisions in the depot, whether the file is a 'lazy copy,, the current state of client workspaces, protections, groups, users, labels, streams, and branches. Metadata is stored in the server database and is separate from the 'archive files' that users submit from their client workspace into the depot.. When executed by a nonexistent user, most P4 Server commands cause a user to be created. You can control this behavior by setting the dm.user.noautocreate configurable with the p4 configure command. For security, we recommend that only the P4 Server superuser be allowed to create new users.

p4 configure set dm.user.noautocreate=2

AuthMethod field

The AuthMethod field of the user specification, created with the p4 user command, specifies the authentication method to be used for that user.

  • ldap indicates that the user is to be authenticated against the LDAP directory defined by an active LDAP configuration. User access can be further restricted to those users who belong to a particular LDAP group.

    All authentication triggers are disabled when LDAP authentication is enabled.

    If a user is set to use LDAP-configuration based authentication, the user cannot update the password with the p4 passwd command.

  • perforce indicates that the user is to be authenticated by an authentication trigger script if such a script exists, or against P4 Server’s internal user database. This is the default setting.

A superuser can edit the user spec with the p4 user -f command to change the default value to ldap.

auth.default.method configurable

The auth.default.method configurable defines the default value for the AuthMethod on new users. Possible values are perforce or ldap. If you set the auth.default.method configurable to ldap, only superusers are allowed to create new users, which they can do by using the p4 user command.

To have new users automatically created upon login, set the auth.ldap.userautocreate configurable to 1 or 2.

Filter by group

If you need more control over which LDAP users are allowed access to P4 Server, you can use the group-related fields of the LDAP configuration to implement an authorization step that filters out non-P4 Server users. For example, specifying a filter like the following limits access to LDAP users who belong to the LDAP group with the common name perforce.

Base DN: ou=groups,dc=example,dc=org
LDAP query: (&(cn=perforce)(memberUid=%user%))

In this case, only users who provide the proper credentials and who are members of the specified group are authenticated.