Defining authentication for users
Authentication is defined by the setting of the AuthMethod
field of the user spec and also by configurables that affect user
authentication.
The AuthMethod field of the user specification, created with the
p4 user command, specifies the authentication method to be used for
that user.
- ldap indicates that the user is to be authenticated against the LDAP directory defined by an active LDAP configuration. User access can be further restricted to those users who belong to a particular LDAP group.
  All authentication triggers are disabled when LDAP authentication is enabled.
- perforce indicates that the user is to be authenticated by an authentication trigger script if such a script exists, or against P4 Server’s internal user database. This is the default setting.
A superuser must edit the user spec with the p4 user -f command to
change the default value to ldap if desired.
The auth.default.method configurable defines the default value for
AuthMethod on new users. Possible values are perforce or ldap.
dm.user.noautocreate
p4 configure
command. For security, we recommend that only the P4 Server
superuser be allowed to create new users.
p4 configure set dm.user.noautocreate=2
If you select the ldap configurable, only superusers are allowed to
create new users (using the p4 user command). To have new users
automatically created upon login, you must set
auth.ldap.userautocreate to 1.
If you need more control over which LDAP users are allowed access to
P4 Server, you can use the group-related fields of the LDAP
configuration to implement a basic authorization step that filters out
non-P4 Server users. For example, specifying a filter like the
following limits access to LDAP users who belong to the LDAP group with
the common name perforce.
Base DN: ou=groups,dc=example,dc=org
LDAP query: (&(cn=perforce)(memberUid=%user%))
In this case, only users who provide the proper credentials and who are
members of the specified group are authenticated. For more information
about the auth.default.method configurable, see the description of the
p4 configure command and Configurables in the P4 CLI Reference.
If a user is set to use LDAP-configuration based authentication, the
user cannot update the password with the p4 passwd command.
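The settings described on this page can be checked together. The following is an added example, not part of the P4 Server documentation: it audits user specs and configurable values for accounts that are authenticated outside LDAP and for user-creation settings that differ from the recommendation above. It assumes the spec forms were collected with p4 user -o and joined with blank lines, and that the configurable values are supplied as a dictionary; all sample data and the function names are constructed for illustration.

```python
import re

# Constructed sample: `p4 user -o <name>` output for three users, trimmed
# to the fields this check needs and joined with blank lines.
SAMPLE_SPECS = """\
User:\talice
Type:\tstandard
AuthMethod:\tldap

User:\tbuild-svc
Type:\tservice
AuthMethod:\tperforce

User:\tbob
Type:\tstandard
AuthMethod:\tperforce
"""

# Constructed sample of configurable values (name -> value as a string).
SAMPLE_CONFIG = {"auth.default.method": "ldap",
                 "dm.user.noautocreate": "0",
                 "auth.ldap.userautocreate": "1"}

def parse_specs(text):
    """Split blank-line-separated spec forms into {field: value} dicts."""
    specs = []
    for form in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", form, flags=re.M))
        if "User" in fields:
            specs.append(fields)
    return specs

def audit(specs, config):
    """Return findings based on the settings described on this page."""
    findings = []
    default = config.get("auth.default.method", "perforce")
    if config.get("dm.user.noautocreate", "0") != "2":
        findings.append("dm.user.noautocreate is not 2 (the recommended value)")
    if default == "ldap" and config.get("auth.ldap.userautocreate", "0") == "1":
        findings.append("auth.ldap.userautocreate=1: users are created on login; use an LDAP group filter")
    for spec in specs:
        method = spec.get("AuthMethod", "perforce")  # page: perforce is the default
        if default == "ldap" and method != "ldap":
            findings.append(f"{spec['User']} ({spec.get('Type', 'standard')}): AuthMethod={method}, authenticated outside LDAP")
    return findings

if __name__ == "__main__":
    for line in audit(parse_specs(SAMPLE_SPECS), SAMPLE_CONFIG):
        print(line)
```

Accounts reported as authenticated outside LDAP are not necessarily misconfigured (a service account may be intentional), but each one should have a documented reason.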