Authenticating against Active Directory and LDAP servers
LDAP, Lightweight Directory Access Protocol, is supported by many directory services; chief among these are Active Directory and OpenLDAP. Helix server offers two ways of authenticating against Active Directory or LDAP servers: using an authentication trigger or using an LDAP specification. The latter method offers a number of advantages: it is easier to use, no external scripts are required, it allows users who are not in the LDAP directory to be authenticated against the internal user database, and it is more secure.
Create at least one account with super access that uses perforce authentication. This will allow you to log in if by some chance you lose AD/LDAP connectivity.
SASL authentication is supported; SAML is not.
The steps required to set up configuration-based LDAP authentication are described in the following sections. Throughout this section, information relating to LDAP authentication applies equally to using Active Directory. In broad strokes, the configuration process includes the following steps:
- Use the p4 ldap command to create an LDAP configuration specification for each LDAP or Active Directory server that you want to use for authentication.
- Define authentication-related configurables to enable authentication, to specify the order in which multiple LDAP servers are to be searched, and to provide additional information about how LDAP authentication is to be implemented.
- Set the AuthMethod field of the user specification for existing users to specify how they are to be authenticated.
- Test the LDAP configurations you have defined to make sure searches are conducted as you expect.
- If this is the first time you have enabled LDAP authentication, restart the server.
You must restart the Helix server whenever you enable or disable LDAP authentication:
- You enable LDAP authentication the first time you enable an LDAP configuration by setting the auth.ldap.order.N configurable.
- You disable LDAP authentication by removing or disabling all existing LDAP configurations. You remove an LDAP configuration by using the -d option to the p4 ldap command. You disable all LDAP configurations by having no auth.ldap.order.N configurables set.
- LDAP implies at least security level 3.
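The steps above as a single guarded rollout, written here as an added example rather than taken from the Helix documentation: it refuses to proceed unless a super account still uses perforce authentication, and it tests the LDAP configuration before anything is enabled or restarted. The configuration name ldap-main, the host ldap.example.com, the example.com DN and the account admin-local are constructed; the options p4 ldap -i, p4 ldap -t, p4 protects -m -u, p4 configure set and p4 admin restart, and the specification field names, are standard Helix commands and fields that this page does not itself show.

```shell
#!/bin/sh
# Added example (not Perforce's own script). Constructed names: ldap-main,
# ldap.example.com, the example.com DN and the fallback account admin-local.
LDAP_NAME="${LDAP_NAME:-ldap-main}"
BREAKGLASS="${BREAKGLASS:-admin-local}"

# Emit the LDAP specification that `p4 ldap -i` reads from standard input.
ldap_spec() {
    cat <<EOF
Name: $LDAP_NAME
Host: ldap.example.com
Port: 636
Encryption: ssl
BindMethod: simple
SimplePattern: uid=%user%,ou=people,dc=example,dc=com
EOF
}

# Succeed only if the fallback account has super access and still
# authenticates against the internal user database.
fallback_ok() {
    [ "$(p4 protects -m -u "$BREAKGLASS")" = "super" ] || return 1
    p4 user -o "$BREAKGLASS" | grep -q '^AuthMethod:[[:space:]]*perforce'
}

# Switch one existing user to the given AuthMethod (perforce or ldap).
set_auth_method() {
    p4 user -o "$1" | sed "s/^AuthMethod:.*/AuthMethod: $2/" | p4 user -f -i
}

# Usage: enable_ldap_auth <directory-user-to-test-with>
enable_ldap_auth() {
    fallback_ok || { echo "no super account with perforce auth" >&2; return 1; }
    ldap_spec | p4 ldap -i || return 1
    # Test the bind before anything is enabled; p4 prompts for the password.
    p4 ldap -t "$1" "$LDAP_NAME" || { echo "LDAP test failed" >&2; return 1; }
    p4 configure set "auth.ldap.order.1=$LDAP_NAME" || return 1
    set_auth_method "$1" ldap || return 1
    p4 admin restart    # first-time enablement takes effect after a restart
}
```

Run it as a super user with the functions sourced into the shell, for example `enable_ldap_auth alice`, where alice is an account that exists in the directory.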