Defining authentication for users
Authentication is defined by the setting of the
field of the user spec and also by configurables that affect user
AuthMethod field of the user specification, created
p4 user command, specifies the
authentication method to be used for that user.
ldap indicates that the user is to be authenticated against the LDAP directory defined by an active LDAP configuration. User access can be further restricted to those users who belong to a particular LDAP group.
All authentication triggers are disabled when LDAP authentication is enabled.
- perforce indicates that the user is to be authenticated by an authentication trigger script if such a script exists, or against Helix server’s internal user database. This is the default setting.
A superuser must edit the user spec with the
-f command to change the default value to
ldap if desired.
defines the default
value for the
AuthMethod on new users. Possible
creates a new user whenever a previously unknown
user invokes any command that can update the repository or its metadata. When executed by a
nonexistent user, most
commands cause a user to be created. You can control this
behavior by setting the
p4 configure command. For greatest security, we recommend that only the Helix server
superuser be allowed to create new users:
$ p4 configure set dm.user.noautocreate=2
If you select the
ldap configurable, only superusers are
allowed to create new users (using the
command). To have new users automatically created upon login, you must
auth.ldap.userautocreate to 1.
If you need more control over which LDAP users are allowed access to
Helix server, you can
use the group-related fields of the LDAP configuration to implement a
basic authorization step that filters out non-Helix server
users. For example, specifying a filter like the following limits access
to LDAP users who belong to the LDAP group with the common name
Base DN: ou=groups,dc=example,dc=org LDAP query: (&(cn=perforce)(memberUid=%user%))
In this case, only users who provide the proper credentials and who are
members of the specified group are authenticated. For more information
auth.default.method configurable, see the
description of the
p4 configure command and the
"Configurables" section of the
Helix Core P4 Command Reference.
If a user is set to use LDAP-configuration based authentication, the
user cannot update the password with the