Authentication Triggers: Active Directory Notes
SUMMARY
This article discusses problems that can arise when configuring an external authentication trigger to work with Active Directory servers, and their workarounds.
DETAILS
Organizational Units
The command for the auth-check trigger uses syntax similar to:

C:\p4auth_ad.exe localhost 389 CN=%user%,CN=Users,DC=test,DC=perforce,DC=com

The argument beginning with "CN" (Common Name) is the user's distinguished name, the part of the "ADsPath" that uniquely addresses an object (in this case, a user) in the directory. Because the trigger arguments are fixed in the trigger definition, some Active Directory layouts cannot be expressed by them. One example is an Active Directory server that groups users in "Organizational Units", such as "managers", "employees", "contractors", and so forth: those users' distinguished names contain an "OU=" component in place of "CN=Users", so the fixed template above does not address them.
The trigger arguments are static, so there is no simple way to pass the correct organizational unit for each user to the trigger. To get around this difficulty, users should log in using their Active Directory "distinguished name", another unique identifier for the account. When creating a user account in Active Directory, this value is labeled the "logon name".
Names With Spaces
One drawback to using the logon name is that it is sometimes also used for the Exchange server address book, which means it is likely to include spaces, like "Joe User". Active Directory allows this, but the Perforce server converts spaces in user names to underscores. So, while Active Directory expects "Joe User", Perforce passes "Joe_User" to the trigger.

A possible solution would be to convert the underscores back to spaces as part of the trigger. Use caution with this approach: the trigger cannot tell a name that contained underscores deliberately from one whose spaces Perforce converted. A user with the logon name "build_machine" would be converted to "build machine", so the trigger would try to bind as an account that either does not exist or is a different account altogether.
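The following Python script is an added example, not the article's code and not part of p4auth_ad.exe, showing one way a wrapper trigger could handle both problems above at once: instead of building the distinguished name from a static template, it searches the directory for every spelling of the Perforce user name that the space-to-underscore conversion could have produced, and it refuses to authenticate when that search is ambiguous (the "build_machine" versus "build machine" case) rather than guessing. It goes beyond the article, which only describes the static template. The directory search is stood in for by a constructed in-memory table (SAMPLE_DIRECTORY); the function names, the hypothetical escape_rdn_value helper and the sample accounts are all assumptions made for the example. The real bind would be performed by the existing trigger once a unique DN is known.

```python
"""Added example (not the article's code, not p4auth_ad.exe): resolve a
Perforce user name to a unique Active Directory bind DN before binding.

Assumptions: the wrapper receives the Perforce user name as argv[1]; the
LDAP search is stood in for by the constructed SAMPLE_DIRECTORY table.
"""
import itertools
import sys

# Constructed sample entries, as a search over cn and sAMAccountName
# might return them. Note the accounts live in different OUs.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Joe User,OU=employees,DC=test,DC=perforce,DC=com",
     "cn": "Joe User", "sAMAccountName": "juser"},
    {"dn": "CN=Ann Lee,OU=managers,DC=test,DC=perforce,DC=com",
     "cn": "Ann Lee", "sAMAccountName": "alee"},
    {"dn": "CN=build_machine,OU=contractors,DC=test,DC=perforce,DC=com",
     "cn": "build_machine", "sAMAccountName": "build_machine"},
    {"dn": "CN=build machine,CN=Users,DC=test,DC=perforce,DC=com",
     "cn": "build machine", "sAMAccountName": "buildmachine"},
]

# The static form from the article's trigger line.
STATIC_TEMPLATE = "CN=%user%,CN=Users,DC=test,DC=perforce,DC=com"


def escape_rdn_value(value):
    """Hypothetical helper: escape an attribute value for use inside a DN
    (RFC 4514) so a user name containing ',' or '=' cannot splice extra
    RDNs into the template."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def static_template_dn(p4user, template=STATIC_TEMPLATE):
    """What the static trigger arguments produce: the container is fixed
    by the template, so the DN is wrong for any account outside CN=Users."""
    return template.replace("%user%", escape_rdn_value(p4user))


def candidate_names(p4user, max_underscores=8):
    """All spellings Perforce could have mapped onto p4user: each '_' in
    the Perforce name was originally either a space or an underscore."""
    positions = [i for i, ch in enumerate(p4user) if ch == "_"]
    if len(positions) > max_underscores:
        raise ValueError("too many underscores to enumerate: %r" % p4user)
    names = set()
    for choice in itertools.product("_ ", repeat=len(positions)):
        chars = list(p4user)
        for pos, ch in zip(positions, choice):
            chars[pos] = ch
        names.add("".join(chars))
    return names


def search_directory(names, directory=SAMPLE_DIRECTORY):
    """Stand-in for an LDAP search with filter
    (|(cn=<name>)(sAMAccountName=<name>)) over each candidate spelling.
    Active Directory matches these attributes case-insensitively."""
    wanted = {n.lower() for n in names}
    return sorted({e["dn"] for e in directory
                   if e["cn"].lower() in wanted
                   or e["sAMAccountName"].lower() in wanted})


def resolve_bind_dn(p4user, directory=SAMPLE_DIRECTORY):
    """Return the one DN matching p4user, whatever OU it lives in.
    None if nothing matches; LookupError if several distinct accounts
    match, because picking one would let a user bind as another account."""
    matches = search_directory(candidate_names(p4user), directory)
    if not matches:
        return None
    if len(matches) > 1:
        raise LookupError("ambiguous user %r: %s" % (p4user, ", ".join(matches)))
    return matches[0]


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "Joe_User"
    print("static template DN:", static_template_dn(user))
    try:
        dn = resolve_bind_dn(user)
    except LookupError as err:
        print("refusing to authenticate:", err)
        sys.exit(1)
    if dn is None:
        print("no such account:", user)
        sys.exit(1)
    print("bind as:", dn)
```

Run with a user name as the argument, for example "Ann_Lee" (resolved to the OU=managers entry that the static template would miss) or "build_machine" (rejected as ambiguous because both a "build_machine" and a "build machine" account exist in the sample table). Refusing on ambiguity is the important design choice: a trigger that silently picks one candidate turns an unlucky naming collision into a way for one account to authenticate as another.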
