Documentation

Support

Unity Version Control

DevOps

On-prem

Gluon

Editor plug-in

Open Unity Dashboard

Unity Version Control

Authentication configuration

Configure the authentication mode that your clients use.
Read time 5 minutesLast updated 21 days ago
Use the authentication section of the server administration console to configure the authentication mode that your Unity Version Control (UVCS) clients use. A UVCS client communicates security information to the server for validation. The basic token sent from client to server is called SEID, short for SEcurity IDentifier. The following connectors are based on different ways to build the SEID and obtain users. UVCS can use the following connectors to retrieve its user information: You can also change the authentication mode when you need to.

Local name

In the Local name mode, the UVCS server reads the local users' names from the machine it runs on. On startup, the UVCS server creates a list of known users and recalculates the list periodically. For the system to work correctly, you need to configure the UVCS clients to also use the Local Users mechanism. The client takes the name of its logged-on user and sends it to the server. This is the name that the server uses to check whether it is a known user, and then make security calculations. This system relies on the correct network configuration. You can use this mode on secured networks to configure a mixed Unix /Windows environment, depending, for example, on a NIS+ system. You can also use this mode to configure access from the Internet, provided that the server only allows trusted clients to connect.
  • The server retrieves the user list from the local machine users (both Unix and Windows operating systems). The server takes the current user for a Windows machine inside a domain if it’s not a local user.
  • The server builds the SEID with the user name.

Name and ID

Name and ID mode is identical to the Local name mode except it also uses the user ID.
  • The server retrieves the user list from the local machine users (both Unix and Windows operating systems). The server takes the current user for a Windows machine inside a domain if it’s not a local user.
  • The server builds the SEID with the user name and ID (user ID on Linux and SID on Windows).
This authentication mode works on non cross-platform systems such as Unix-Unix or Windows-Windows, but breaks under Windows-Unix platforms without a specific authentication mechanism. You can use this authentication method to work under NIS+ systems on Unix or under any other configuration as long as both systems share the same user name and ID.

LDAP

The LDAP security configuration mechanism allows interoperability with an LDAP environment.
  • The server obtains the user list from the LDAP server using a given user and password.
  • The server builds the SEID with the ID used by the concrete LDAP mechanism.
You can use the LDAP authentication mode to authenticate users against any kind of LDAP server. For example, you can use a Sun One or iPlanet LDAP server to authenticate Plastic SCM users. The LDAP mode works for mixed Windows and Unix environments. For example, you can connect UVCS to an Active Directory server when you connect from a Unix box where the integrated Active Directory mode is not available. You can configure the following settings in the server.conf file:
  • Timeout for the LDAP requests: The UVCS server can set a timeout for the LDAP requests (time in seconds). To set a timeout, use the 
    LdapTimeoutSeconds
    setting. For example: 
    <LdapTimeoutSeconds>10</LdapTimeoutSeconds>
    .
  • LDAP token expiration time: To configure the LDAP token expiration time, use the 
    LdapTokenExpirationTimeSpan
    setting. To set any expiration time, use the format 
    [d.]hh:mm:ss: \ <LdapTokenExpirationTimeSpan>05:00:00</LdapTokenExpirationTimeSpan>
    . By default, the expiration time is 1 hour.

Override for LDAP user filter

Enter the following to specify the filter override: 
<LdapSettings>    <MemberNameFilterOverride>_user_filter_</MemberNameFilterOverride></LdapSettings>
For example, LDAP setups without the UID attribute can use the following filter: 
(|(sAMAccountName={user})(cn={user}))
.

Active directory

With the Active Directory configuration mechanism, UVCS retrieves the user list from the current Active Directory main server and buils the SEID with a Windows SID. This authentication methods requires the server to run on Windows based operating systems. You can use Active Directory authentication in single domain or multi-domain environments. If you use UVCS in an Active Directory forest with multiple domains, you need to group usernames and groups that you enter in the 
DOMAIN\username
and 
DOMAIN\group
syntax.

Time to reload users and groups

By default, the Plastic server reloads the users and groups information from the authentication provider every five minutes. In the server.conf file, you can configure the 
ReloadUsersRefreshTimeSpan
setting. To configure the time, use the format: 
[d.]hh:mm:ss
. In this example, the user and group information refreshes every hour: 
<ReloadUsersRefreshTimeSpan>01:00:00</ReloadUsersRefreshTimeSpan>
.

Username and password

Username and password (UP) is the traditional authentication method, which allows you to define your own users and groups on the UVCS server. This method allows UVCS to work with an autonomous security mechanism. The UP mode can be the best option for many organizations that don't rely on systems like LDAP or Active Directory. The UVCS server obtains the list of users’ names from the 
users.conf
and the 
groups.conf
files in the server folder, and the authentication contains the username and encoded password. The UP authentication mode is appropriate for mixed Linux/Windows environments where LDAP or Active Directory integration isn’t an option. You can also use this authentication mode to manage access to your UVCS server on heterogeneous environments with no common user login among operating systems. In the UP mode, UVCS keeps a list of the users, and each user defines their password. UVCS also keeps groups as well as the relation between users and groups. The main difference between UP and the other authentication methods is, instead of relying on an external user and group provider, the UP authentication mode stores all its data into the following files: 
  • users.conf
    - Stores information about all the users and their encrypted passwords. The 
    users.conf
    file contains the definition of the users known to the system in user/password authentication mode. The format of the 
    users.conf
    file contains a list of the available users followed by their passwords. For example, 
    john:527bd5b5d689e2c32ae974c6229ff785
  • groups.conf
    - Stores all the available groups and the users they contain. The 
    groups.conf
    file has all the groups known to the Plastic system in user/password mode. The file is a list of the groups, each one followed by the names of the users or groups it contains. A group inside another group must be preceded by an 
    @
    symbol. In the following example, the 
    testers
    group is inside the 
    developers
    group: 
    developers:john:charlie:mike:@testers

Configure the UP mode

To configure the UP mode, use one of the following tools:

Use the Authentication configuration section from the UVCS Server Administration console

The User and password configuration section is a tool that you can use to configure the 
users.conf
and 
groups.conf
files. Administrators can use this tool to create users and groups, assign users to a specific group, change a user's password, and rename or delete users and groups. To configure the login and password, use the client configuration wizard. If the credentials don't match, a login screen pops up when the GUI client starts for you to enter the correct credentials.

Use the User management tool from the command line

umtool
is the server application command used to configure the users, groups, and their relationships and passwords from the operating system's console. For more information on each command, use
%serverinstalldir%/plasticd umtool help <command_name>
. Replace 
%serverinstalldir%
with your directory path. The 
umtool
implements several subcommands:

Subcommand name

Abbreviation

Description

addgrouptogroup
agtg
Add a new group into a group
addusertogroup
autg
Add a new user into a group
changeuserpassword
passwd
Change a user's password
creategroup
cg
Create a new Plastic SCM group
createuser
cu
Create a new Plastic SCM user
help
hlp
Show a command's help
listgroups
lg
Show a list with current Plastic SCM groups
listmembersfromgroup
lmfg
Show a list with members of a group
listusers
lu
Show a list with current Plastic SCM users
removegroup
rmg
Delete an existing Plastic SCM group
removegroupfromgroup
rmgfg
Delete a group from another group
removeuser
rmu
Delete an existing Plastic SCM user
removeuserfromgroup
rmufg
Delete a user from a group
renamegroup
rng
Rename an existing Plastic SCM group
renameuser
rnu
Rename an existing Plastic SCM user
The following are some examples:
  • Create a new user: 
    %serverinstalldir%/plasticd umtool cu maria
  • Create a new group: 
    %serverinstalldir%/plasticd umtool cg developers
  • Add a user to a group: 
    %serverinstalldir%/plasticd umtool addusertogroup maria developers
The UVCS server obtains the list of users’ names from the 
users.conf
and the 
groups.conf
files in the server folder, and the authentication contains the username and encoded password.