Authenticating against Active Directory and LDAP servers
LDAP, Lightweight Directory Access Protocol, is supported by many directory services, including Active Directory and OpenLDAP. Helix Server offers two ways of authenticating against Active Directory or LDAP servers: using an authentication trigger or using an LDAP specification. We recommend using an LDAP specification because it:
- is easier to use
- requires no external scripts
- allows users who are not in the LDAP directory to be authenticated against the internal user database
- is more secure
Create at least one account with super access that uses perforce authentication. This will allow you to log in if by some chance you lose AD/LDAP connectivity.
SASL authentication is supported but SAML is not.
The steps required to set up configuration-based LDAP authentication are described in the following sections. Information relating to LDAP authentication applies equally to using Active Directory.
Overview of the configuration process:
- Use the p4 ldap command to create an LDAP configuration specification for each LDAP or Active Directory server that you want to use for authentication.
- Define authentication-related configurables to enable authentication, to specify the order in which multiple LDAP servers are to be searched, and to provide additional information about how LDAP authentication is to be implemented.
- Set the AuthMethod field of the user specification for existing users to specify how they are to be authenticated.
- Test the LDAP configurations you have defined to make sure searches are conducted as you expect.
- If this is the first time you have enabled LDAP authentication, restart the server.
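The overview above as one shell procedure, added here as an example and not taken from the Helix Server documentation. It assumes the p4 ldap spec fields (Host, Port, Encryption, BindMethod, SearchBaseDN, SearchFilter, SearchScope, SearchBindDN, SearchPasswd), the `p4 ldap -t user specname` test form, `p4 user -f` and `p4 admin restart` as I know them from the p4 command set; every host name, DN, user name and password is a constructed placeholder.

```shell
#!/bin/sh
# Added example: configuration-based LDAP authentication for Helix Server.
# All names below are constructed placeholders, not real infrastructure.
set -eu

LDAP_NAME="corp-ad"                                        # name of the p4 ldap spec (assumed)
LDAP_HOST="ad.example.internal"                            # placeholder directory host
BASE_DN="ou=people,dc=example,dc=internal"                 # placeholder search base
BIND_DN="cn=svc-helix,ou=service,dc=example,dc=internal"   # placeholder read-only bind account
BIND_PW="${LDAP_BIND_PW:-CHANGE-ME}"                       # keep the secret out of the script

# Emit the spec that `p4 ldap -i` reads. Search bind looks the Helix user
# up by account name, then binds with the user's own password; TLS keeps
# that password off the wire.
ldap_spec() {
    printf 'Name:\t%s\n' "$LDAP_NAME"
    printf 'Host:\t%s\n' "$LDAP_HOST"
    printf 'Port:\t389\n'
    printf 'Encryption:\ttls\n'
    printf 'BindMethod:\tsearch\n'
    printf 'SearchBaseDN:\t%s\n' "$BASE_DN"
    printf 'SearchFilter:\t(sAMAccountName=%%user%%)\n'
    printf 'SearchScope:\tsubtree\n'
    printf 'SearchBindDN:\t%s\n' "$BIND_DN"
    printf 'SearchPasswd:\t%s\n' "$BIND_PW"
}

# Refuse to store a placeholder password or an unencrypted binding on the server.
spec_is_deployable() {
    [ "$BIND_PW" != "CHANGE-ME" ] && ldap_spec | grep -q '^Encryption:[[:space:]]*tls$'
}

# The five overview steps, in order. $1 is an existing Helix user to move to
# LDAP; the break-glass super account with AuthMethod: perforce is left alone.
enable_ldap() {
    ldap_spec | p4 ldap -i                                   # 1. create the LDAP spec
    p4 configure set auth.ldap.order.1="$LDAP_NAME"          # 2. enable LDAP and set search order
    { p4 user -o "$1" | grep -v '^AuthMethod:'; printf 'AuthMethod:\tldap\n'; } \
        | p4 user -f -i                                      # 3. switch that user to LDAP
    p4 ldap -t "$1" "$LDAP_NAME"                             # 4. test the lookup and bind
    p4 admin restart                                         # 5. first enablement needs a restart
}

# Only touch a live server when explicitly asked, so the file can be sourced safely.
if [ "${APPLY:-0}" = 1 ]; then
    spec_is_deployable || { echo "set LDAP_BIND_PW before applying" >&2; exit 1; }
    enable_ldap "${1:-alice}"
fi
```

Run with `LDAP_BIND_PW=... APPLY=1 sh enable-ldap.sh alice` as a super user; without APPLY=1 it only defines the functions.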
You must restart the Helix Server whenever you enable or disable LDAP authentication:
- You enable LDAP authentication the first time you enable an LDAP configuration by setting the auth.ldap.order.N configurable.
- You disable LDAP authentication by removing or disabling all existing LDAP configurations. You remove an LDAP configuration by using the -d option to the p4 ldap command. You disable all LDAP configurations by having no auth.ldap.order.N configurables set.
- LDAP implies at least Server security level 3.