Authentication configuration
Use the authentication section of the server administration console to configure the authentication mode that your Unity Version Control (UVCS) clients use.
A UVCS client communicates security information to the server for validation. The basic token sent from client to server is called SEID, short for SEcurity IDentifier. The following connectors are based on different ways to build the SEID and obtain users.
UVCS can use the connectors described in the following sections to retrieve its user information.
You can also change the authentication mode when you need to.
Local name
In the Local name mode, the UVCS server reads the local users' names from the machine it runs on. On startup, the UVCS server creates a list of known users and recalculates the list periodically.
For the system to work correctly, you need to configure the UVCS clients to also use the Local Users mechanism. The client takes the name of its logged-on user and sends it to the server. This is the name that the server uses to check whether it is a known user, and then make security calculations.
This system relies on a correct network configuration. You can use this mode on secured networks to configure a mixed Unix/Windows environment, depending, for example, on a NIS+ system. You can also use this mode to configure access from the Internet, provided that the server only allows trusted clients to connect.
- The server retrieves the user list from the local machine users (both Unix and Windows operating systems). The server takes the current user for a Windows machine inside a domain if it’s not a local user.
- The server builds the SEID with the user name.
Name and ID
Name and ID mode is identical to the Local name mode except it also uses the user ID.
- The server retrieves the user list from the local machine users (both Unix and Windows operating systems). The server takes the current user for a Windows machine inside a domain if it’s not a local user.
- The server builds the SEID with the user name and ID (user ID on Linux and SID on Windows).
This authentication mode works on same-platform combinations such as Unix-Unix or Windows-Windows, but breaks under mixed Windows-Unix platforms unless a specific authentication mechanism is in place.
You can use this authentication method to work under NIS+ systems on Unix or under any other configuration as long as both systems share the same user name and ID.
LDAP
The LDAP security configuration mechanism allows interoperability with an LDAP environment.
- The server obtains the user list from the LDAP server using a given user and password.
- The server builds the SEID with the ID used by the concrete LDAP mechanism.
You can use the LDAP authentication mode to authenticate users against any kind of LDAP server. For example, you can use a Sun One or iPlanet LDAP server to authenticate Plastic SCM users.
The LDAP mode works for mixed Windows and Unix environments. For example, you can connect UVCS to an Active Directory server when you connect from a Unix box where the integrated Active Directory mode is not available.
You can configure the following settings in the server.conf file:
- Timeout for the LDAP requests: The UVCS server can set a timeout (in seconds) for LDAP requests. To set a timeout, use the LdapTimeoutSeconds setting. For example: <LdapTimeoutSeconds>10</LdapTimeoutSeconds>
- LDAP token expiration time: To configure the LDAP token expiration time, use the LdapTokenExpirationTimeSpan setting. The value uses the format [d.]hh:mm:ss. For example: <LdapTokenExpirationTimeSpan>05:00:00</LdapTokenExpirationTimeSpan>. By default, the expiration time is 1 hour.
Override for LDAP user filter
[!IMPORTANT] This is considered an advanced feature, ideally to be used after consultation with our Support team. To support LDAP setups that are not compatible with the default LDAP user search filters, you can override the filter with a user-specified filter by using the MemberNameFilterOverride setting.
Enter the following to specify the filter override:
<LdapSettings>
<MemberNameFilterOverride>_user_filter_</MemberNameFilterOverride>
</LdapSettings>
For example, LDAP setups without the UID attribute can use the following filter: (|(sAMAccountName={user})(cn={user}))
Active directory
With the Active Directory configuration mechanism, UVCS retrieves the user list from the current Active Directory main server and builds the SEID with a Windows SID. This authentication method requires the server to run on a Windows-based operating system.
You can use Active Directory authentication in single-domain or multi-domain environments. If you use UVCS in an Active Directory forest with multiple domains, you need to enter usernames and groups in the DOMAIN\username and DOMAIN\group syntax.
Time to reload users and groups
By default, the Plastic server reloads the users and groups information from the authentication provider every five minutes.
In the server.conf file, you can configure the ReloadUsersRefreshTimeSpan setting. To configure the time, use the format [d.]hh:mm:ss.
In this example, the user and group information refreshes every hour: <ReloadUsersRefreshTimeSpan>01:00:00</ReloadUsersRefreshTimeSpan>
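The LDAP settings above and the ReloadUsersRefreshTimeSpan setting all live in server.conf, and a typo in one of them is only discovered when the server restarts. The following is an added example (not part of the UVCS product or its documentation) that checks those settings before a restart: it validates the [d.]hh:mm:ss format, the timeout value, and that a MemberNameFilterOverride still contains the {user} placeholder. The sample fragment is constructed; the nesting of elements other than <LdapSettings> is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Constructed server.conf fragment using the settings named on this page.
# The root element name and the placement of the non-LDAP settings are assumptions.
SAMPLE_CONF = """<ServerConfigData>
  <LdapTimeoutSeconds>10</LdapTimeoutSeconds>
  <LdapTokenExpirationTimeSpan>05:00:00</LdapTokenExpirationTimeSpan>
  <ReloadUsersRefreshTimeSpan>1.00:30:00</ReloadUsersRefreshTimeSpan>
  <LdapSettings>
    <MemberNameFilterOverride>(|(sAMAccountName={user})(cn={user}))</MemberNameFilterOverride>
  </LdapSettings>
</ServerConfigData>"""

# [d.]hh:mm:ss: optional day count followed by a dot, then hours, minutes, seconds.
TIMESPAN_RE = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_timespan(text):
    """Parse the [d.]hh:mm:ss format into a timedelta; return None if malformed."""
    m = TIMESPAN_RE.match(text.strip())
    if not m:
        return None
    days, hh, mm, ss = (int(x) if x else 0 for x in m.groups())
    if hh > 23 or mm > 59 or ss > 59:
        return None
    return timedelta(days=days, hours=hh, minutes=mm, seconds=ss)


def validate_server_conf(xml_text):
    """Return a list of human-readable problems; an empty list means the settings look sane."""
    root = ET.fromstring(xml_text)
    problems = []
    timeout = root.findtext(".//LdapTimeoutSeconds")
    if timeout is not None and not (timeout.strip().isdigit() and int(timeout) > 0):
        problems.append(f"LdapTimeoutSeconds must be a positive integer, got {timeout!r}")
    for name in ("LdapTokenExpirationTimeSpan", "ReloadUsersRefreshTimeSpan"):
        value = root.findtext(".//" + name)
        if value is not None and parse_timespan(value) is None:
            problems.append(f"{name} must use [d.]hh:mm:ss, got {value!r}")
    filt = root.findtext(".//LdapSettings/MemberNameFilterOverride")
    if filt is not None:
        if "{user}" not in filt:
            problems.append("MemberNameFilterOverride lacks the {user} placeholder")
        if filt.count("(") != filt.count(")"):
            problems.append("MemberNameFilterOverride has unbalanced parentheses")
    return problems


if __name__ == "__main__":
    print(validate_server_conf(SAMPLE_CONF) or "server.conf settings look sane")
```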
Username and password
Username and password (UP) is the traditional authentication method, which allows you to define your own users and groups on the UVCS server. This method allows UVCS to work with an autonomous security mechanism. The UP mode can be the best option for many organizations that don't rely on systems like LDAP or Active Directory. The UVCS server obtains the list of users' names from the users.conf and groups.conf files in the server folder, and the authentication contains the username and encoded password.
The UP authentication mode is appropriate for mixed Linux/Windows environments where LDAP or Active Directory integration isn’t an option. You can also use this authentication mode to manage access to your UVCS server on heterogeneous environments with no common user login among operating systems.
In the UP mode, UVCS keeps a list of the users, and each user defines their password. UVCS also keeps groups as well as the relation between users and groups.
The main difference between UP and the other authentication methods is that, instead of relying on an external user and group provider, the UP authentication mode stores all its data in the following files:
- users.conf: Stores information about all the users and their encrypted passwords. The users.conf file contains the definition of the users known to the system in user/password authentication mode. The file is a list of the available users, each followed by its password. For example: john:527bd5b5d689e2c32ae974c6229ff785
- groups.conf: Stores all the available groups and the users they contain. The groups.conf file has all the groups known to the Plastic system in user/password mode. The file is a list of the groups, each one followed by the names of the users or groups it contains. A group inside another group must be preceded by an @ symbol. In the following example, the testers group is inside the developers group: developers:john:charlie:mike:@testers
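Because nested groups are resolved through the @ prefix, the users a group actually grants access to are not visible from a single line of groups.conf. The following is an added example (not UVCS code) that parses both files in the format described above, computes the effective members of a group through nested @groups without looping on cycles, and flags members or nested groups that are not defined anywhere. The sample file contents are constructed for the example.

```python
# Constructed sample contents in the users.conf / groups.conf format described above.
USERS_CONF = """john:527bd5b5d689e2c32ae974c6229ff785
charlie:0123456789abcdef0123456789abcdef
mike:fedcba9876543210fedcba9876543210
ana:00112233445566778899aabbccddeeff
"""
GROUPS_CONF = """developers:john:charlie:mike:@testers
testers:ana:@qa-leads
qa-leads:mike
"""


def parse_users(text):
    """Map user name -> stored password value (one 'user:value' per line)."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _, secret = line.strip().partition(":")
            users[name] = secret
    return users


def parse_groups(text):
    """Map group name -> (direct user names, names of nested @groups)."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, *members = line.strip().split(":")
            groups[name] = ({m for m in members if m and not m.startswith("@")},
                            {m[1:] for m in members if m.startswith("@")})
    return groups


def effective_members(groups, group, _seen=None):
    """All users a group contains, following nested @groups; cycles are skipped, not followed."""
    seen = _seen if _seen is not None else set()
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    users, children = groups[group]
    return set(users).union(*(effective_members(groups, c, seen) for c in children))


def audit(users_text, groups_text):
    """List group members that are not defined users and nested @groups that do not exist."""
    users, groups = parse_users(users_text), parse_groups(groups_text)
    problems = []
    for name, (direct, children) in groups.items():
        problems += [f"group {name}: member {u!r} is not in users.conf" for u in sorted(direct - set(users))]
        problems += [f"group {name}: nested group @{g} is not defined" for g in sorted(children - set(groups))]
    return problems
```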
Configure the UP mode
To configure the UP mode, use one of the following tools:
Use the Authentication configuration section from the UVCS Server Administration console
The User and password configuration section is a tool that you can use to configure the users.conf and groups.conf files.
Administrators can use this tool to create users and groups, assign users to a specific group, change a user's password, and rename or delete users and groups.
To configure the login and password, use the client configuration wizard.
If the credentials don't match, a login screen pops up when the GUI client starts for you to enter the correct credentials.
Use the User management tool from the command line
umtool is the server application command used to configure the users, groups, and their relationships and passwords from the operating system's console.
For more information on each command, use %serverinstalldir%/plasticd umtool help <command_name>. Replace %serverinstalldir% with your directory path.
The umtool implements several subcommands:
Subcommand name | Abbreviation | Description |
---|---|---|
addgrouptogroup | agtg | Add a new group into a group |
addusertogroup | autg | Add a new user into a group |
changeuserpassword | passwd | Change a user's password |
creategroup | cg | Create a new Plastic SCM group |
createuser | cu | Create a new Plastic SCM user |
help | hlp | Show a command's help |
listgroups | lg | Show a list with current Plastic SCM groups |
listmembersfromgroup | lmfg | Show a list with members of a group |
listusers | lu | Show a list with current Plastic SCM users |
removegroup | rmg | Delete an existing Plastic SCM group |
removegroupfromgroup | rmgfg | Delete a group from another group |
removeuser | rmu | Delete an existing Plastic SCM user |
removeuserfromgroup | rmufg | Delete a user from a group |
renamegroup | rng | Rename an existing Plastic SCM group |
renameuser | rnu | Rename an existing Plastic SCM user |
The following are some examples:
- Create a new user:
%serverinstalldir%/plasticd umtool cu maria
- Create a new group:
%serverinstalldir%/plasticd umtool cg developers
- Add a user to a group:
%serverinstalldir%/plasticd umtool addusertogroup maria developers