Perforce Public Knowledge Base - Configuring ldapsync



Configuring ldapsync



How do you configure ldapsync?
The command p4 ldapsync synchronizes the membership of a Perforce group with an existing LDAP group. An administrator can configure it to run periodically.

The following is a step-by-step example for configuring ldapsync:
    1. Set auth.ldap.userautocreate
    p4 configure set auth.ldap.userautocreate=1

    This setting does not create new users immediately; a user is created after that user first logs in successfully using LDAP. No server restart is necessary.
    2. Create an LDAP profile using the "search" bind method (not "simple" or "SASL"). In our example, the search profile is named "mysearch".

    $ p4 ldap mysearch

    Name:   mysearch
    Port:   389
    Encryption:     none
    BindMethod:     search
    Options:        nodowncase getattrs norealminusername

    SearchBaseDN:   CN=Users,DC=ad,DC=foo,DC=com
    SearchFilter:   sAMAccountName=%user%
    SearchScope:    subtree
    SearchPasswd:   <enter password here>
    GroupSearchScope:       subtree
    AttributeUid:   sAMAccountName
    AttributeName:  displayName
    AttributeEmail: userPrincipalName


    3. Test LDAP authentication using the "p4 ldap -t" command.
    $ p4 ldap -t bruno mysearch
    Enter password:
    Authentication successful.
    Discovered FullName: bruno
    Discovered Email:

    If LDAP group authentication with search bind is not working, fix this first.  See Authenticating with LDAP to create an ldap spec.
    4. Create or edit a Perforce group.
    Note that the LdapSearchQuery will be similar to the group LDAP spec.
    p4 group ldapgroup

    Group:  ldapgroup
    MaxResults:     unset
    MaxScanRows:    unset
    MaxLockTime:    unset
    MaxOpenFiles:   unset
    Timeout:        43200
    PasswordTimeout: unset
    LdapConfig:     mysearch
    LdapSearchQuery: (&(objectClass=user)(sAMAccountName=*))
    LdapUserAttribute:      sAMAccountName

    5. Add your Perforce group to the protect table.
    Make sure group permissions are in the p4 protect table.

    p4 protect

    write group ldapgroup * //...

    6. Check that p4 ldapsync works in preview mode (-n).
    $ p4 ldapsync -n -g ldapgroup

    Added user Administrator to group fong
    Added user Guest to group fong
    Added user James.Smith to group fong
    Added user Joe.Coder to group fong
    Added user SUPPORT_388945a0 to group fong
    Removed user randall from group fong


    7. If everything looks correct, run p4 ldapsync to synchronize groups with the AD server.

    $ p4 ldapsync -g ldapgroup
    Added user Administrator to group fong
    Added user Guest to group fong
    Added user James.Smith to group fong
    Added user Joe.Coder to group fong
    Removed user randall from group fong
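
The "if everything looks correct" check between the preview run and the real sync can be scripted. The following is an added example, not part of the original article or of Perforce tooling: it parses `p4 ldapsync -n` output and fails when built-in directory accounts would be added to the group or too many users removed. The function name, DENY_PATTERN and MAX_REMOVALS are assumptions to adapt to your directory.

```shell
#!/bin/sh
# Added example: gate the real sync on a review of `p4 ldapsync -n` output.
# DENY_PATTERN and MAX_REMOVALS are assumptions; tune them for your directory.
DENY_PATTERN='^(Administrator|Guest|krbtgt|SUPPORT_.*)$'
MAX_REMOVALS=5

# Reads preview text on stdin, prints FLAG lines plus one SUMMARY line,
# and returns 1 if anything was flagged, 0 otherwise.
review_ldapsync_preview() {
    awk -v deny="$DENY_PATTERN" -v maxrm="$MAX_REMOVALS" '
        BEGIN { added = 0; removed = 0; bad = 0 }
        $1 == "Added" && $2 == "user" {
            added++
            # Accounts that should never inherit the group protections.
            if ($3 ~ deny) { print "FLAG denied-account " $3; bad = 1 }
            next
        }
        $1 == "Removed" && $2 == "user" { removed++; next }
        # Anything else (errors, unexpected text) blocks the sync.
        NF > 0 { print "FLAG unparsed-line " $0; bad = 1 }
        END {
            # A large removal count usually means the query or bind broke.
            if (removed > maxrm) { print "FLAG mass-removal " removed; bad = 1 }
            printf "SUMMARY added=%d removed=%d\n", added, removed
            exit bad
        }'
}

# Sample input: the preview output shown in this article for `p4 ldapsync -n`.
review_ldapsync_preview <<'EOF' || echo "Review failed: narrow LdapSearchQuery before the real sync"
Added user Administrator to group fong
Added user Guest to group fong
Added user James.Smith to group fong
Added user Joe.Coder to group fong
Added user SUPPORT_388945a0 to group fong
Removed user randall from group fong
EOF

# Live use (assumes a logged-in super user; not run here):
#   p4 ldapsync -n -g ldapgroup | review_ldapsync_preview && p4 ldapsync -g ldapgroup
```

On the article's own preview output the review flags Administrator, Guest and SUPPORT_388945a0, because the example LdapSearchQuery matches every user object while the protect table grants the group write access to //....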

