p4 ldapsync

Synchronize Helix Core Server users and group memberships with LDAP groups.

Syntax

p4 [g-opts] ldapsync -g [-n] [-i N] [group ...]
p4 [g-opts] ldapsync -u [ -c -U -d ] [ -n ] [ -i N] [ ldap ... ]

Syntax conventions

Description

When run with the -g option specified, this command updates the users lists in Helix Core Server groups to match the lists of members in LDAP groups.

Tip

Any users that are not Active Directory members are removed.

If one or more group names are provided, only those groups are updated. If no groups are provided, all groups with LDAP configurations are updated.

When run with the -u option specified, this command updates the Helix Core Server users to match those in the LDAP. This works by querying each LDAP server defined by the LDAP specifications passed in the arguments. The LDAP specification’s SearchFilter is used to query the LDAP server with the %user% placeholder expanded to * in order to identify all LDAP users. The three Attribute* fields are used to map LDAP result to the Helix Core Server user’s username, full name and email address. All provided LDAP specifications are queried to build a full, combined list of LDAP users before any changes to the Helix Core Server users are made.

Note

p4 ldapsync requires super access granted by p4 protect.

To keep users or groups with LDAP configurations in sync with their LDAP counterparts, p4 ldapsync can be set as a startup command that runs in the background. See the final example in the Examples section.

The user synchronization has three actions that must be enabled separately by specifying the appropriate flags:

To create new users found in the LDAP servers that do not yet exist in Helix Core Server use the -c option
To update full name and email address of any existing Helix Core Server users found in the LDAP servers use the -U option
To delete Helix Core Server users not found in any of the LDAP servers use the -d option
Tip

You can track the activity of p4 ldapsync. See ldapsync.csv at p4 logparse.

Options

-u

Allows users to be created, updated, or deleted based on users found in LDAP servers. This works by querying each LDAP server defined by the LDAP specifications passed in the arguments. The LDAP specification's SearchFilter is used to query the LDAP server with the %user% placeholder expanded to * to identify all LDAP users. The three Attribute* fields are used to map LDAP result to the Perforce:

  • user's username
  • full name
  • email address

All provided LDAP specifications are queried to build a full, combined list of LDAP users before any changes to the Perforce users are made.

Note: The usernames of members added to a Perforce group by p4 ldapsync can be normalised into lowercase by setting the downcase option in the LDAP spec.

-c

Creates any new users found in the LDAP servers that do not yet exist in Helix Core Server. The AuthMethod will be set to ldap and Type set to standard.

-d

Deletes any Helix Core Server users not found in the LDAP servers, provided that the user is of Typestandard and AuthMethod is ldap.

-g

Required to specify groups. Updates the users lists in Perforce groups to match the lists of members in LDAP groups. If one or more group names are provided, only those groups are updated. If no groups are provided, then all groups with LDAP configurations will be updated.

-i N

Automatically repeats the command every N seconds.

If this option is not specified, the command executes once and exits.

-n

Preview the operation and show the users or groups that would be affected without taking any action.

group

The name of a Helix Core Server group that must be updated when changes to the corresponding LDAP group take place. If no group names are specified, all groups with LDAP configurations are updated.

-U

Updates the full name and email address of any existing Helix Core Server users found in the LDAP servers, provided that:

  • the user is of Type standard
  • the AuthMethod is ldap
  • the values differ

For a detailed walkthrough, see the Perforce Knowledge Base article, Configuring ldapsync.

g-opts

See Global options.

Usage notes

Can File Arguments Use Revision Specifier? Can File Arguments Use Revision Range? Minimal Access Level Required

N/A

N/A

super

Examples

To update the groups for which LDAP configurations have been defined:

p4 ldapsync -g

To configure a start up command that updates the groups every 30 minutes:

p4 configure set "myServer#startup.1=ldapsync -g -i 1800"

Note

This example assumes you have set serverID (see p4 serverid) to the server where you want to set startup.n, which is one of the Configurables.

Related commands

To view a list of all LDAP configurations

p4 ldaps

To create or edit an LDAP configuration

p4 ldap

To define LDAP-related configurables

p4 configure

To define LDAP configurations for a Helix Core Server group spec

p4 group