Centralized authorization server (P4AUTH)

If you are running multiple P4 Servers, you can configure them to retrieve protections and licensing data from a centralized authorization server (P4AUTH). By using a centralized server, you are freed from the necessity of ensuring that all your servers contain the same users and protections entries.

Prerequisites

Use a dedicated server as the centralized authentication server.

Configure serviceUser on the outer server to be a valid service user on inner server before you set P4AUTH on the outer server. Otherwise lock out occurs.

To ensure that p4 review and p4 reviews work correctly, you must enable remote depot access for the service user on the central authentication server.

Starting with release 2023.1, servers using central authentication (P4AUTH) require the central server's release version to be at least 2023.1.

All outer servers must be at the same (or newer) release level as the centralized authorization server.

The license file for the central authorization server must be valid because it governs the number of licensed users that are permitted to exist on outer servers.

Each user must exist on the central authorization server, otherwise such users will not appear to exist on the outer servers.

All servers that use P4AUTH must have the same Unicode setting as the central authorization server.

Configure the P4AUTH server

To configure a P4 Server to use a central authorization server, set P4AUTH before starting the server, or specify it on the command line when you start the server.

The central authorization server must be running when its outer servers are starting up or being upgraded.

P4AUTH and p4 info

If your server is making use of a centralized authorization server, the following line will appear in the output of p4 info:

...
Authorization Server: [protocol:]host:port

Where [protocol:]host:port refers to the protocol, host, and port number of the central authorization server. See Specify hosts.

In the following example, an outer server is configured to use a central authorization server (named central). The outer server listens for user requests on port 1999 and relies on the central server’s data for user, group, protection, review, and licensing information. It also joins the protection table from the server at central:1666 to its own protections table.

For example:

p4d -a central:1666 -p 1999

Windows outer server

On Windows, configure the outer server with p4 set -S as follows:

C:\> p4 set -S "Outer Server" P4AUTH=central:1666
C:\> p4 set -S "Outer Server" P4PORT=1999

Commands that the central server processes

When you configure a central authorization server, outer servers forward the following commands to the central server for processing:

Command Forwarded to auth server? Note

p4 group

Yes

Local group data is derived from the central server.

p4 groups

Yes

Local group data is derived from the central server.

p4 license

Yes

License limits are derived from the central server. License updates are forwarded to the central server.

p4 passwd

Yes

Property values are derived from the central server.

p4 property

Yes

Local property data is derived from the central server.

p4 review

No

The default user named remote must have access to the central server. However, best practice is to create Service users and not use the default user named remote. See Restrict access to remote depots.

p4 reviews

No

The default user named remote must have access to the central server. However, best practice is to create Service users and not use the default user named remote. See Restrict access to remote depots.

p4 user

Yes

Local user data is derived from the central server.

p4 users

Yes

Local user data is derived from the central server.

p4 protect

No

The local server’s protections table is displayed if the user is authorized (as defined by the combined protection tables) to edit it.

p4 protects

Yes

Protections are derived from the central server’s protection table as appended to the outer server’s protection table.

p4 login

Yes

Command is forwarded to the central server for ticket generation.

p4 logout

Yes

Command is forwarded to the central server for ticket invalidation.

Limitations and notes

  • P4 Code Review is not supported with the centralized authentication server.

  • Setting P4AUTH by means of a p4 configure set P4AUTH=[protocol:]server:port command requires a restart of the outer server.

    If you need to set P4AUTH for a replica, use the following syntax:

    p4 configure set ServerName#P4AUTH=[protocol:]server:port

  • If you have set P4AUTH, no warning will be given if you delete a user who has an open file or client.
  • To ensure that the authentication server correctly distinguishes forwarded commands from commands issued by trusted, directly-connected users, you must define any IP-based protection entries in the Perforce service by prepending the string “proxy-” to the [protocol:]host:port definition. Before you prepend the string proxy- to the workstation’s IP address, make sure that a broker or proxy is in place.
  • Protections for non-forwarded commands are enforced by the outer server and use the plain client IP address, even if the protections are derived from lines in the central server’s protections table.