Authenticating against Active Directory and LDAP servers

LDAP (Lightweight Directory Access Protocol) is supported by many directory services, including Active Directory and OpenLDAP. Helix Server offers two ways of authenticating against Active Directory or LDAP servers: using an authentication trigger or using an LDAP specification. We recommend using an LDAP specification because it:

  • is easier to use

  • requires no external scripts

  • allows users who are not in the LDAP directory to be authenticated against the internal user database

  • is more secure

Note

Create at least one account with super access that uses Perforce authentication. This allows you to log in if you lose AD/LDAP connectivity.

SASL authentication is supported but SAML is not.

The steps required to set up configuration-based LDAP authentication are described in the following sections. Information relating to LDAP authentication applies equally to using Active Directory.

Overview of the configuration process:

  • Use the p4 ldap command to create an LDAP configuration specification for each LDAP or Active Directory server that you want to use for authentication.
  • Define authentication-related configurables to enable authentication, to specify the order in which multiple LDAP servers are to be searched, and to provide additional information about how LDAP authentication is to be implemented.
  • Set the AuthMethod field of the user specification for existing users to specify how they are to be authenticated.
  • Test the LDAP configurations you have defined to make sure searches are conducted as you expect.
  • If this is the first time you have enabled LDAP authentication, restart the server.

Note

You must restart the Helix Server whenever you enable or disable LDAP authentication:

  • You enable LDAP authentication the first time you enable an LDAP configuration by setting the auth.ldap.order.N configurable.
  • You disable LDAP authentication by removing or disabling all existing LDAP configurations. You remove an LDAP configuration by using the -d option to the p4 ldap command. You disable all LDAP configurations by having no auth.ldap.order.N configurables set.
  • Enabling LDAP authentication implies a server security level of at least 3.
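The procedure above carried out end to end with p4 commands, as an added example that is not part of the Helix Server documentation. The configuration name corp_ad, the host ldap.example.com, the base DN, the service-account bind DN, the SEARCH_BIND_PASSWORD environment variable and the account names p4admin and alice are assumptions. The specification uses the search bind method (the server binds as a service account, looks up the user's DN, then binds as that user to verify the password), which is the usual shape for Active Directory where users are found by sAMAccountName.

```shell
#!/bin/sh
# Added example, not Helix Server's own code: configuration-based LDAP setup.
# Hostnames, DNs, the configuration name and the user names are assumptions.
set -e

LDAP_NAME="corp_ad"                 # assumed name of the LDAP configuration
LDAP_HOST="ldap.example.com"        # assumed AD/LDAP server
BASE_DN="dc=example,dc=com"         # assumed search base
BREAK_GLASS="p4admin"               # assumed super user kept on Perforce auth

# Build the LDAP specification that is fed to 'p4 ldap -i'.
# Search bind: bind as a service account, find the user's DN by
# sAMAccountName, then bind as that user to check the password.
build_ldap_spec() {
  name=$1; host=$2; base=$3
  cat <<EOF
Name: $name
Host: $host
Port: 636
Encryption: ssl
BindMethod: search
SearchBaseDN: $base
SearchFilter: (sAMAccountName=%user%)
SearchScope: subtree
SearchBindDN: cn=p4-ldap-bind,ou=Service Accounts,$base
SearchPasswd: ${SEARCH_BIND_PASSWORD:-CHANGE_ME}
Options: nocase
EOF
}

# Rewrite the AuthMethod field of a user spec read on stdin (from 'p4 user -o')
# so it can be written back with 'p4 user -i -f'. $1 is "perforce" or "ldap".
set_auth_method() {
  sed "s/^AuthMethod:.*/AuthMethod: $1/"
}

# Apply the configuration. Needs P4PORT/P4USER pointing at a server where the
# current user has super access.
apply_ldap_config() {
  # 1. Create the LDAP configuration specification.
  build_ldap_spec "$LDAP_NAME" "$LDAP_HOST" "$BASE_DN" | p4 ldap -i

  # 2. Keep one super user on Perforce authentication before LDAP is enabled,
  #    so a directory outage cannot lock every administrator out.
  p4 user -o "$BREAK_GLASS" | set_auth_method perforce | p4 user -i -f

  # 3. Authentication configurables: the security level LDAP requires, the
  #    default method for users without an AuthMethod, and the search order.
  #    Setting auth.ldap.order.1 is what enables LDAP authentication.
  p4 configure set security=3
  p4 configure set auth.default.method=ldap
  p4 configure set "auth.ldap.order.1=$LDAP_NAME"

  # 4. Test the configuration against a known directory account (assumed
  #    user "alice"); p4 prompts for that user's password.
  p4 ldap -t alice "$LDAP_NAME"

  # 5. The first time LDAP authentication is enabled the server must restart.
  p4 admin restart
}

# Only apply when asked explicitly, so the helper functions can be sourced
# and checked without touching a server.
if [ "${APPLY_LDAP:-0}" = "1" ]; then
  apply_ldap_config
fi
```

Run it as APPLY_LDAP=1 SEARCH_BIND_PASSWORD=... sh setup-ldap.sh from a session with super access. Test the specification with p4 ldap -t before the restart, and confirm afterwards that p4 user -o p4admin still shows AuthMethod: perforce; that account is the one the note above asks you to keep.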