Helix Core Server has long supported LDAP for user authentication, and that does not change when used in concert with this authentication extension. The server can support users that authenticate with a database password (default perforce authentication), or an LDAP-based password (as defined with p4 ldap), or via SSO authentication by means of the auth-check-sso trigger. In fact, a user can be authenticated by both a classic auth-check-sso trigger and LDAP.
However, the authentication extension differs from an auth-check-sso trigger in that it uses the invoke URL feature to open a web browser to delegate user authentication to an external web site (the identity provider). As a result, the Perforce client and server never receive the user's credentials, and thus the server cannot pass the credentials to an LDAP directory. In this scenario, a user can either authenticate with web-based SSO, or they can authenticate by some other means, but not both.
The remainder of this guide offers one of several possible combinations of authentication methods, allowing some users to authenticate with database passwords, some to authenticate using an LDAP directory, and yet another set of users that authenticate using browser-based SSO.
Switching users from LDAP authentication to web-based SSO authentication will require changing the AuthMethod for each user that will be authenticating with web-based SSO. When the AuthMethod field has the value ldap, that user will authenticate using LDAP. To change the authentication method for a user to SSO, simply change the AuthMethod value to perforce. At this point, it is the extension configuration that will determine if a user authenticates with SSO or some other method, such as a database password.
Changing a user's AuthMethod can be achieved from the command line, like so:
p4 --field AuthMethod=perforce user -o <username> | p4 user -f -i
Note that when the security server configurable is set to 3 or higher, every user whose AuthMethod is perforce will be required to have a database password. This is true regardless of how the user will authenticate with the server. An easy method for setting the password to a long random string (on Unix) looks like this:
yes $(uuidgen) | p4 passwd <username>
Permitting a combination of authentication mechanisms is a matter of setting the server configuration appropriately, and defining which users are authenticated by which method. Start by defining an LDAP configuration in Helix Core Server using the p4 ldap command as described in this knowledge base guide. Once a basic LDAP configuration is in place, set the server configurable(s) to allow a combination of authentication paths, as described in the following sections.
With the authentication extension in place, LDAP users will always be prompted for their credentials by the Perforce client, and Helix Core Server will then authenticate the user against the LDAP directory. The authentication extension will not process LDAP user authentication for the reason stated above.
With the authentication extension, configuring the server to use SSO for non-LDAP users requires setting the auth.sso.nonldap configurable to 1. From the command line you can configure the server using the p4 configure command:
p4 configure set auth.sso.nonldap=1
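The following is an added example, not part of this guide or of the extension itself: it rewrites the AuthMethod field of a user spec as read by p4 user -o (the form piped into p4 user -f -i above) and works out, from the rules this guide states, which path a user will take once the extension is installed. The sample spec is constructed, and treating a missing AuthMethod as perforce is an assumption.

```python
import re

# Constructed sample of what `p4 user -o alice` prints (trimmed; a real
# spec also carries a longer comment block and Update/Access timestamps).
SAMPLE_SPEC = """# A Perforce User Specification.
User:\talice

Email:\talice@example.com

FullName:\tAlice Example

AuthMethod:\tldap

Type:\tstandard
"""

FIELD_RE = re.compile(r"^(\w+):\t(.*)$")


def parse_spec(spec: str) -> dict:
    """Collect the single-line 'Field:<tab>value' entries of a p4 spec."""
    fields = {}
    for line in spec.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def set_auth_method(spec: str, method: str) -> str:
    """Return the spec with AuthMethod replaced (or appended if the field is absent)."""
    if method not in ("perforce", "ldap"):
        raise ValueError("AuthMethod must be 'perforce' or 'ldap'")
    if re.search(r"^AuthMethod:\t", spec, flags=re.M):
        return re.sub(r"^AuthMethod:\t.*$", "AuthMethod:\t" + method, spec, flags=re.M)
    return spec.rstrip("\n") + "\n\nAuthMethod:\t" + method + "\n"


def auth_path(spec: str, sso_nonldap: bool) -> str:
    """Path taken with the extension installed: 'ldap', 'sso' or 'password'."""
    method = parse_spec(spec).get("AuthMethod", "perforce")  # assumption: absent == perforce
    if method == "ldap":
        return "ldap"      # client prompts; server checks the directory; extension not involved
    return "sso" if sso_nonldap else "password"  # auth.sso.nonldap decides for perforce users


def needs_db_password(spec: str, security: int) -> bool:
    """security >= 3 forces a database password on every AuthMethod=perforce user."""
    return parse_spec(spec).get("AuthMethod", "perforce") == "perforce" and security >= 3
```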