Testing and enabling LDAP configurations

Before you enable LDAP configurations, create at least one account with super access that uses Perforce authentication (a password stored by the Helix Server, not LDAP). This account lets you log in and repair the configuration if you lose AD/LDAP connectivity or if the LDAP configuration itself is wrong.

Having created an LDAP configuration, you must test and enable it. Testing an LDAP configuration lets you confirm that everything works without affecting existing users, even if they already authenticate against LDAP through an authentication trigger. Once the configuration proves successful, you can switch users to the new mechanism without having to recreate them. The following steps illustrate the process of testing and activating a configuration.

  1. Test the configuration using the -t flag on the p4 ldap command. For example:

    $ p4 ldap -t Cleopatra olivia

    This uses the p4 ldap -t username configname syntax: Cleopatra is the user name to test and olivia is the name of the LDAP configuration. (See the sample LDAP configuration named olivia under the p4 ldap command in Helix Core Command-Line (P4) Reference.)

    You will be prompted for the user's password. If the password is correct and the server can bind to the LDAP server, the command completes successfully; otherwise it reports an error.

    The amount of information returned by testing depends on the bind method used:

    • A simple bind returns only pass/fail feedback.
    • A search-based bind also reports whether the user could be found in the directory, which separates a bad password from a user that is not there at all.
    • SASL binds usually provide more diagnostics than simple binds, but results can vary.
  2. Define the auth.ldap.order.N configurable to tell Helix Server the order in which to try LDAP configurations. For example:

    $ p4 configure set auth.ldap.order.1=olivia

    You must set this configurable even if you are using only one configuration: a configuration that does not appear in an auth.ldap.order.N entry is not used for authentication.

  3. Check which configurations are active by running the following command:

    $ p4 ldaps -A
  4. Restart the server:

    $ p4 admin restart

    Note: Once the server restarts with an LDAP configuration active, authentication trigger support is disabled.

  5. Check that the server is running in LDAP authentication mode by running the following command:

    $ p4 -ztag info

    Then check that the ldapAuth field in the output reports enabled.

  6. Create additional LDAP configurations if needed (one per LDAP server), and repeat steps 1, 2, and 3 for each. If you add more configurations, you must assign each a different priority in auth.ldap.order.N.
  7. Migrate users to LDAP authentication by setting AuthMethod to ldap in the spec of each user to be authenticated by LDAP (as a super user, p4 user -f username lets you edit another user's spec).
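The following shell script is an added example of the procedure above, not part of the Helix Core documentation. It assumes p4 is on PATH and that P4PORT and P4USER point at the Perforce-authenticated super user created before the rollout. The exact line that p4 -ztag info prints for the LDAP field is assumed to be "... ldapAuth enabled" and the user spec field is assumed to be "AuthMethod:", both as plain tagged output; adjust the patterns if your server version prints them differently. The two parsing helpers read from stdin so they can be checked against constructed output without a running server.

```shell
#!/bin/sh
# Added example (not Perforce's own code): roll out an LDAP configuration
# in the order the steps above describe, with offline-checkable helpers.
set -eu

# Step 5 helper: read `p4 -ztag info` output on stdin and succeed only if
# the server reports LDAP authentication as enabled.
# Assumed output line: "... ldapAuth enabled".
ldap_auth_enabled() {
    grep -Eq '^\.\.\. ldapAuth[[:space:]]+enabled$'
}

# Step 7 helper: read a user spec (as printed by `p4 user -o NAME`) on stdin
# and write it back with AuthMethod set to ldap, adding the field if absent.
# Assumed field name: "AuthMethod:" (tab-separated, like other spec fields).
set_auth_method_ldap() {
    awk '
        /^AuthMethod:/ { print "AuthMethod:\tldap"; seen = 1; next }
        { print }
        END { if (!seen) print "AuthMethod:\tldap" }
    '
}

# Step 1: test one configuration for one user. Prompts for that user's
# LDAP password; a non-zero exit means the bind or lookup failed.
test_ldap_config() {
    user=$1; config=$2
    p4 ldap -t "$user" "$config"
}

# Steps 2 and 3: give the configuration a priority and list what is active.
enable_ldap_config() {
    priority=$1; config=$2
    p4 configure set "auth.ldap.order.$priority=$config"
    p4 ldaps -A
}

# Steps 4 and 5: restart, then refuse to continue unless ldapAuth is enabled.
restart_and_verify() {
    p4 admin restart
    sleep 3   # give p4d a moment to come back before querying it
    if ! p4 -ztag info | ldap_auth_enabled; then
        echo "server did not come up in LDAP authentication mode" >&2
        return 1
    fi
}

# Step 7: switch one user to LDAP authentication. Requires super access
# because -f edits another user's spec.
migrate_user() {
    p4 user -o "$1" | set_auth_method_ldap | p4 user -f -i
}

# Whole rollout for one configuration and a list of users, e.g.
#   rollout olivia 1 Cleopatra alice bob
# Stops at the first failing step so a broken configuration is never
# left as the only way into the server.
rollout() {
    config=$1; priority=$2; test_user=$3
    shift 3
    test_ldap_config "$test_user" "$config"
    enable_ldap_config "$priority" "$config"
    restart_and_verify
    for u in "$@"; do
        migrate_user "$u"
    done
}
```

Keep the Perforce-authenticated super user out of the migration list; it is the account you fall back on if restart_and_verify fails or the directory later becomes unreachable.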

In addition to testing authentication against a single LDAP configuration, you can test a user against all active configurations at once with the p4 ldaps -t command. For more information, see the description of p4 ldaps -t in the Helix Core Command-Line (P4) Reference.