Perforce Public Knowledge Base - Configuring ldapsync
Problem
How do you configure ldapsync?
Solution
The p4 ldapsync command synchronizes the membership of Perforce groups with groups (or query results) in an LDAP directory. An administrator can run it by hand or schedule it (for example from cron) so the groups are refreshed periodically.

Synchronizing Perforce groups with Active Directory

You can use ldapsync to periodically update a Perforce group with an existing LDAP group.

The following is a step by step example for configuring ldapsync:
    1. Set auth.ldap.userautocreate
    p4 configure set auth.ldap.userautocreate=1

    This setting does not create any users by itself: a Perforce user is created the first time that user logs in successfully through LDAP. No server restart is necessary.
     
    2. Create an LDAP profile that uses the "search" bind method (not "simple" or "SASL"); ldapsync queries the directory using the profile's SearchBaseDN and SearchBindDN credentials, which only a search profile has. In this example the profile is named "mysearch". Two points to check before such a profile leaves the lab: with Encryption set to none, the SearchBindDN password and every user password verified through this profile cross the network to the directory server in cleartext, so use Encryption: ssl or tls in production; and because SearchPasswd is stored in the spec, make SearchBindDN a dedicated read-only service account (like the "perforce" account in the later example) rather than a personal account such as bruno's.

    $ p4 ldap mysearch

    Name:   mysearch
    Host:   ad.foo.com
    Port:   389
    Encryption:     none
    BindMethod:     search
    Options:        nodowncase getattrs norealminusername

    SearchBaseDN:   CN=Users,DC=ad,DC=foo,DC=com
    SearchFilter:   sAMAccountName=%user%
    SearchScope:    subtree
    SearchBindDN:   bruno@ad.foo.com
    SearchPasswd:   <enter password here>
    GroupSearchScope:       subtree
    AttributeUid:   sAMAccountName
    AttributeName:  displayName
    AttributeEmail: userPrincipalName

     

    3. Test LDAP authentication with the "p4 ldap -t" command
    $ p4 ldap -t bruno mysearch
    Enter password:
    Authentication successful.
    Discovered FullName: bruno
    Discovered Email: bruno@ad.foo.com

     
    If authentication through the search-bind profile does not work, fix that first; see Authenticating with LDAP for how to create an ldap spec.
     
    4. Create or edit a Perforce group
    LdapConfig names the ldap spec from step 2. LdapSearchQuery is an LDAP filter evaluated under that spec's SearchBaseDN; every entry it matches becomes a member of the group, using the value of LdapUserAttribute as the Perforce user name. The filter in this example, (&(objectClass=user)(sAMAccountName=*)), matches every user object under CN=Users, built-in accounts included. It is deliberately broad to show the mechanism; in production restrict it, for example with a memberOf clause naming the AD group whose members should be in the Perforce group.
     
    p4 group ldapgroup

    Group:  ldapgroup
    MaxResults:     unset
    MaxScanRows:    unset
    MaxLockTime:    unset
    MaxOpenFiles:   unset
    Timeout:        43200
    PasswordTimeout: unset
    LdapConfig:     mysearch
    LdapSearchQuery: (&(objectClass=user)(sAMAccountName=*))
    LdapUserAttribute:      sAMAccountName
    Subgroups:
    Owners:
            perforce2
    Users:

     
    5. Add the Perforce group to the protect table.
    Group membership only matters once the group appears in the p4 protect table; this line gives every member write access to the whole depot, so choose the permission and path deliberately.

    p4 protect

    write group ldapgroup * //...

     
    6. Check what p4 ldapsync would do in preview mode (-n). Nothing is changed; the output lists the additions and removals a real run would make.
    $ p4 ldapsync -n -g ldapgroup

    Added user Administrator to group ldapgroup
    Added user Guest to group ldapgroup
    Added user James.Smith to group ldapgroup
    Added user Joe.Coder to group ldapgroup
    Added user SUPPORT_388945a0 to group ldapgroup
    Removed user randall from group ldapgroup

    Read the preview before going on. Here the broad LdapSearchQuery has pulled in the built-in Administrator, Guest and SUPPORT_388945a0 accounts, which would then hold write access through the protect table; tighten the query rather than accept that.

     

    7. If everything looks correct, run p4 ldapsync without -n to synchronize the group with the AD server.

    $ p4 ldapsync -g ldapgroup
    Added user Administrator to group ldapgroup
    Added user Guest to group ldapgroup
    Added user James.Smith to group ldapgroup
    Added user Joe.Coder to group ldapgroup
    Removed user randall from group ldapgroup
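    A guard around the last two steps that the article leaves to the operator: run the preview, and refuse to apply the sync if it would add a well-known AD built-in account or remove more members than expected. This is an added example, not code from the article or from Perforce; the list of built-in account names, the removal threshold and the sample preview text (modelled on the output above) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Perforce KB article): gate "p4 ldapsync -g GROUP"
# on its own "-n" preview. Refuse to apply if the preview would add a well-known
# AD built-in account or remove more users than an allowed threshold.
# The built-in account list, the threshold and the sample preview are assumptions.

# Constructed sample of "p4 ldapsync -n -g ldapgroup" output, modelled on the article.
SAMPLE_PREVIEW='Added user Administrator to group ldapgroup
Added user Guest to group ldapgroup
Added user James.Smith to group ldapgroup
Added user Joe.Coder to group ldapgroup
Added user SUPPORT_388945a0 to group ldapgroup
Removed user randall from group ldapgroup'

# Accounts a broad LdapSearchQuery tends to sweep in that should never land in a
# Perforce group (assumed list; extend it for your directory).
BUILTIN_PATTERN='^(Administrator|Guest|krbtgt|SUPPORT_[0-9a-fA-F]+|DefaultAccount)$'

# count_line_type PREVIEW Added|Removed -> number of preview lines of that type
count_line_type() {
    printf '%s\n' "$1" | grep -c "^$2 user " || true
}

# flagged_builtins PREVIEW -> space-separated built-in accounts the preview would add
flagged_builtins() {
    printf '%s\n' "$1" | awk '$1 == "Added" && $2 == "user" { print $3 }' \
        | grep -E "$BUILTIN_PATTERN" | tr '\n' ' ' | sed 's/ $//'
}

# check_preview PREVIEW [MAX_REMOVALS] -> 0 if the preview is safe to apply, 1 otherwise
check_preview() {
    preview=$1
    max_removals=${2:-5}
    bad=$(flagged_builtins "$preview")
    removed=$(count_line_type "$preview" Removed)
    if [ -n "$bad" ]; then
        echo "refusing: preview would add built-in account(s): $bad" >&2
        return 1
    fi
    if [ "$removed" -gt "$max_removals" ]; then
        echo "refusing: preview removes $removed users (limit $max_removals)" >&2
        return 1
    fi
    return 0
}

# sync_group GROUP -> preview, check, then apply for real (needs a working p4 client)
sync_group() {
    group=$1
    preview=$(p4 ldapsync -n -g "$group") || return 1
    check_preview "$preview" 5 || return 1
    p4 ldapsync -g "$group"
}

# Demonstration on the constructed sample; no p4 call is made here.
if check_preview "$SAMPLE_PREVIEW" 5; then
    echo "sample preview: safe to apply"
else
    echo "sample preview: blocked"
fi
```

    With the sample above the check blocks the sync because Administrator, Guest and SUPPORT_388945a0 would be added; on a real server call sync_group from the cron job instead of p4 ldapsync directly, and treat a refusal as a signal to tighten LdapSearchQuery, not as something to override.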

     

    Updating attributes

    Use p4 ldapsync -u -U to update users' FullName and Email fields from their LDAP attributes; -u selects user synchronization against an ldap spec, and -U asks for existing users' attributes to be refreshed.
    For example:
    1. Make sure the search LDAP spec maps the Active Directory attributes you want copied: AttributeName (here displayName) feeds FullName, AttributeEmail (here userPrincipalName) feeds Email, and the getattrs option must be set.

    Name:   mysearch
    Host:   10.25.10.80
    Port:   389
    Encryption:     none
    BindMethod:     search
    Options:        nodowncase getattrs norealminusername
    SearchBaseDN:   CN=Users,DC=ad,DC=foo,DC=com
    SearchFilter:   (&(objectClass=user)(sAMAccountName=%user%))
    SearchScope:    subtree
    SearchBindDN:   perforce@ad.foo.com
    SearchPasswd:   ******
    GroupSearchScope:       subtree
    AttributeUid:   sAMAccountName
    AttributeName:  displayName
    AttributeEmail: userPrincipalName

    2. User spec for bruno, before:

    $ p4 user -o bruno
    <snip>       
    User:   bruno
    Email:  bruno@ad.foo.com
    Access: 2016/10/17 18:02:46
    FullName:       bruno saturn
    AuthMethod:     ldap

     

    3. Log on to the Active Directory server, find user bruno, and change the displayName attribute from "bruno saturn" to "bruno testA".
     
    4. Run "p4 ldapsync -u -U" against the ldap spec

    $ p4 ldapsync -u -U mysearch
    User Administrator updated from 'Administrator' (Administrator@kicks) to 'Administrator' (Administrator@unknown)
    User bruno updated from 'bruno saturn' (bruno@ad.foo.com) to 'bruno testA' (bruno@ad.foo.com)
    User fong updated from 'Fong User' (forsale@global.net) to 'fong user' (fong@ad.perforce.com)
    User guest updated from 'rfong' (rfong@global.net) to 'Guest' (Guest@unknown)
    User perforce updated from 'perforce' (perforce@perforce-dvcs-1487214691) to 'perforce' (perforce@ad.foo.com)
    User vkan updated from 'vkan' (vkan@foo.com) to 'vkan' (vkan@ad.foo.com)

    Note that every user whose AuthMethod is ldap and who matches the spec is updated, not just bruno; run with -n first if you want to see the changes before they are written.
    5. User spec for bruno, after:
    $ p4 user -o bruno
    <snip>
    User:   bruno
    Email:  bruno@ad.foo.com
    Access: 2016/10/17 18:02:46
    FullName:       bruno testA
    AuthMethod:     ldap
     