Jump to content

Perforce LDAP (SASL) Authentication


  • Please log in to reply
4 replies to this topic

#1 DragonROSE



  • Members
  • Pip
  • 3 posts

Posted 29 April 2016 - 12:45 PM

Hello, trying to bind Perforce to Active Directory without success, can some one help?
Detail: p4 v 2014.2 installed on Centos 6.6, AD is Win 2008 R2

LDAP config is:

Name:    saslconfig
Host:    server01.u3dl.pvt
Port:    389
Encryption:    none
BindMethod:    sasl
SearchScope:    subtree
GroupSearchScope:    subtree

Then I try to test:
# p4 ldap -t test_user saslconfig
Enter password:
Authentication as test_user failed. Reason: Invalid credentials

But on the AD Event log I can see that user test_user is logged on, then logged off immediately.

Also interesting thing, that if I enter incorrect password I see the same result in p4 console “Authentication as test_user failed. Reason: Invalid credentials”

Any Idea?

#2 Harsha



  • Members
  • PipPip
  • 16 posts
  • LocationCambridge, UK

Posted 03 May 2016 - 04:51 PM

We use search bind method with ssl encryption and below is the ldap configuration for the same. Not sure what's missing for sasl

Name:   ldap_search
Host:   ldap.domain.com
Port:   636
Encryption: ssl
BindMethod: search
Options: nodowncase nogetattrs norealminusername
SearchBaseDN:   o=<domain>
SearchFilter:   (uid=%user%)
SearchScope: subtree
GroupSearchScope:    subtree

#p4 ldap -t <user> ldap_search
Enter password:
Authentication successful.

Not sure what's missing for sasl BindMethod. Did you tried setting SaslRealm field?
#  The following field only applies to the 'sasl' bind method.
#  SaslRealm: The optional realm to use when authenticating the user via SASL.

#3 DragonROSE



  • Members
  • Pip
  • 3 posts

Posted 04 May 2016 - 09:58 AM

Harsha, thank you for the answer, but it didn't help.

I created ldap_serach config as you said, but the perforce server gives an error:

Error in ldap specification.
Error detected at line 57.
Unknown field name 'Options'.
Hit return to continue...

I created config without "Options" line, and perforce gives an error:

# p4 ldap -t test_user ldap_search
Enter password:
User not found by LDAP search "(uid=test_user)" starting at o=<domain>
LDAP search failed: Operations error

I have tried different settings in line "SearchBaseDN: o=<domain>", i tried to set "o=u3dl", "o=<u3dl>", and other... every time I've got the same error.

SSL doesn't work in my configuration, perforce gives an error:

# p4 ldap -t test_user ldap_search
Enter password:
Authentication as  failed. Reason: Can't contact LDAP server

#4 P4Fra



  • Staff
  • 7 posts

Posted 06 May 2016 - 07:33 AM


Try something like this:

Name:  moregrp


Port:   389

Encryption: none

BindMethod: search

SearchBaseDN: DC=ldap-UK,DC=local

SearchFilter:    (&(objectClass=User)(sAMAccountName=%user%))

SearchScope: subtree

SearchBindDN:  CN=your ad user or admin ,DC=ldap-UK,DC=local

SearchPasswd:  ******

GroupBaseDN:  DC=ldap-UK,DC=local

GroupSearchFilter:   (&(objectClass=User)(sAMAccountName=%user%)(memberof:1.2.840.113556.1.4.1941:=CN=Perforce,CN=Users, DC=ldap-UK,DC=local))

GroupSearchScope: subtree

Keep in mind that this search config works, but you need to adjust the setting to match your domain and create a group Perforce.
Also, the group search is the important stuff as a user in the group "perforce" is allowed to login, anybody else is not.

Having a group Perforce, it will keep in check the license use and only users in Perforce are allowed to login.
If you enable "p4 configure set auth.ldap.userautocreate=1", only users under "Perforce" are created.

#5 DragonROSE



  • Members
  • Pip
  • 3 posts

Posted 13 May 2016 - 07:48 AM

I tried many configurations and this config worked for me:

Name:   ldapsearch
Host:   u3dl.pvt
Port:   389
Encryption: none
BindMethod: search
SearchBaseDN:   CN=Users,DC=u3dl,DC=pvt
SearchFilter:   (sAMAccountName=%user%)
SearchScope:    subtree
SearchBindDN:   perforce@u3dl.pvt
SearchPasswd:   ***
GroupSearchScope:    subtree

The "perforce" user created in AD only for searching.

Thanks all for help!

Also tagged with one or more of these keywords: LDAP, AD

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users