Testing and enabling LDAP configurations

After you create one or more LDAP configurations, test and enable them to make sure everything is working properly. Testing does not affect existing users, who might already be using an authentication trigger to authenticate against LDAP.

After the LDAP configuration proves successful, you can switch users to the new mechanism without having to recreate the users.

Before you enable LDAP configurations, create at least one account with super access that uses perforce authentication. This will allow you to log in if you lose AD/LDAP connectivity.

Testing steps

  1. Test the configuration by using the -t flag on the p4 ldap command. For example:

    p4 ldap -t Maria myLDAPconfig

    This uses the p4 ldap -t username configname syntax, with Maria as the user name and myLDAPconfig as the configuration name.

    You will be prompted for the user’s password. If the password is correct, the command completes successfully.

    The amount of information returned by testing depends on the bind method used:

    • A simple bind returns only pass/fail feedback.
    • A search-based bind returns information about whether the user’s credentials are bad and whether the user could be found.
    • SASL binds usually provide more diagnostics than simple binds.
  2. Set the auth.ldap.order.N configurable to assign the sequence in which configurations are checked.
    If you are using only one configuration, the following is sufficient:

    p4 configure set auth.ldap.order.1=myLDAPconfig

    If you have multiple configurations, establish the sequence for checking the configurations:

    p4 configure set auth.ldap.order.2=myLDAPforEurope
    p4 configure set auth.ldap.order.3=myLDAPforAsia
    
  3. Check the active configurations:

    p4 ldaps -A

Switch the mechanism

  1. Disable authentication trigger support by restarting the server:

    p4 admin restart

  2. Check that the server is running in LDAP authentication mode:

    p4 -ztag info

    If so, the output includes the line:

    ... ldapAuth enabled

  3. Create additional LDAP servers if needed, and repeat the testing steps for each one.
  4. Migrate users to LDAP authentication by setting the authMethod to ldap for each user to be authenticated by LDAP.
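
A gate to run before step 4, shown as an added example that is not part of the Perforce documentation: it confirms that the server reports LDAP authentication mode and that the configuration you tested is in the auth.ldap.order.N sequence. The function names are hypothetical, the sample input is constructed, and the script assumes that each configurable arrives as an auth.ldap.order.N=name line, optionally followed by a space and a source note.

```shell
#!/bin/sh
# Added example (not Perforce's own code). Function names are hypothetical.

# Succeeds only if `p4 -ztag info` output on stdin contains the exact
# line "... ldapAuth enabled" (the marker named in step 2 above).
ldap_auth_enabled() {
    tr -d '\r' | grep -x '\.\.\. ldapAuth enabled' >/dev/null
}

# Reads auth.ldap.order.N=name lines on stdin and prints the names sorted
# by N, the sequence assigned by the auth.ldap.order.N configurables.
# Assumption: anything after the first space (a source note) is ignored.
ldap_order() {
    tr -d '\r' |
        sed -n 's/^auth\.ldap\.order\.\([0-9][0-9]*\)=\([^ ]*\).*$/\1 \2/p' |
        sort -n -k1,1 | awk '{print $2}' | paste -s -d ' ' -
}

# $1 = info output, $2 = configurable lines, $3 = configuration already
# tested with `p4 ldap -t`. Returns 0 only when both checks pass.
ready_for_migration() {
    printf '%s\n' "$1" | ldap_auth_enabled || {
        echo "server is not in LDAP authentication mode" >&2; return 1; }
    for name in $(printf '%s\n' "$2" | ldap_order); do
        [ "$name" = "$3" ] && return 0
    done
    echo "$3 is not listed in auth.ldap.order.N" >&2
    return 1
}

# Constructed sample input; on a live server use instead:
#   ready_for_migration "$(p4 -ztag info)" "$(p4 configure show)" myLDAPconfig
SAMPLE_INFO='... userName Maria
... ldapAuth enabled'
SAMPLE_ORDER='auth.ldap.order.3=myLDAPforAsia (configure)
auth.ldap.order.1=myLDAPconfig (configure)
auth.ldap.order.2=myLDAPforEurope (configure)'

if ready_for_migration "$SAMPLE_INFO" "$SAMPLE_ORDER" myLDAPforEurope; then
    echo "ok to set authMethod to ldap"
fi
```

A non-zero exit status means one of the two checks failed, and the reason is written to standard error.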

In addition to testing authentication against a single LDAP server, you can test against multiple servers by using the p4 ldaps -t command. To learn more, see the description of the p4 ldaps -t command in the Helix Core Command-Line (P4) Reference.