Defining authentication for users

Authentication is defined by the setting of the AuthMethod field of the user spec and also by configurables that affect user authentication.

The AuthMethod field of the user specification, created with the p4 user command, specifies the authentication method to be used for that user.

  • ldap indicates that the user is to be authenticated against the LDAP directory defined by an active LDAP configuration. User access can be further restricted to those users who belong to a particular LDAP group.

    All authentication triggers are disabled when LDAP authentication is enabled.

  • perforce indicates that the user is to be authenticated by an authentication trigger script if such a script exists, or against Helix Core Server’s internal user database. This is the default setting.

A superuser must edit the user spec with the p4 user -f command to change the default value to ldap if desired.

The auth.default.method configurable defines the default value for the AuthMethod on new users. Possible values are perforce or ldap.

Warning

By default, Helix Core Server creates a new user whenever a previously unknown user invokes any command that can update the repository or its metadata. When executed by a nonexistent user, most Helix Core Server commands cause a user to be created. You can control this behavior by setting the dm.user.noautocreate configurable with the p4 configure command. For greatest security, we recommend that only the Helix Core Server superuser be allowed to create new users:

$ p4 configure set dm.user.noautocreate=2

If you select the ldap configurable, only superusers are allowed to create new users (using the p4 user command). To have new users automatically created upon login, you must set auth.ldap.userautocreate to 1.

If you need more control over which LDAP users are allowed access to Helix Core Server, you can use the group-related fields of the LDAP configuration to implement a basic authorization step that filters out non-Helix Core Server users. For example, specifying a filter like the following limits access to LDAP users who belong to the LDAP group with the common name perforce.

Base DN: ou=groups,dc=example,dc=org
LDAP query: (&(cn=perforce)(memberUid=%user%))

In this case, only users who provide the proper credentials and who are members of the specified group are authenticated. For more information about the auth.default.method configurable, see the description of the p4 configure command and Configurables in the Helix Core Command-Line (P4) Reference.

Note

If a user is set to use LDAP-configuration based authentication, the user cannot update the password with the p4 passwd command.