Problems with configure Gerrit to use LDAP


Baz

Jul 11, 2011, 2:29:58 PM
to repo-d...@googlegroups.com
Hi,
 
I am having problems with using Gerrit with LDAP. This is my first time configuring gerrit, can someone help?
 
Thanks.
 
B.
 
Here are the details:
 
Userid format: FIRST_NAME.LAST_NAME
 
 
Gerrit configuration file, etc/gerrit.config:
[gerrit]
        basePath = git
        canonicalWebUrl = http://machine_name.company_name.com:8080/
[database]
        type = H2
        database = db/ReviewDB
[auth]
        type = LDAP
[ldap]
        server = LDAP_host.company_name.com
        accountBase = ou=people,dc=company_name,dc=com
        accountPattern = (&(objectClass=person)(uid=${givenName}.${SN}))
        accountFullName = displayName
        accountEmailAddress = mail
        groupBase = ou=groups,dc=company_name,dc=com
        groupMemberPattern = (&(objectClass=group)(member=${dn}))
[sendemail]
        smtpServer = localhost
[container]
        user = gerrit2
        javaHome = /usr/lib/jvm/java-6-openjdk/jre
[sshd]
        listenAddress = *:29418
[httpd]
        listenUrl = http://*:8080/
[cache]
        directory = cache
 
 
Errors from error_log:
[2011-07-11 11:25:10,061] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.NamingException: Cannot parse url: PLMDC01.plasticlogic.com [Root exception is java.net.MalformedURLException: Invalid URI: PLMDC01.plasticlogic.com]
        at com.sun.jndi.ldap.LdapURL.<init>(LdapURL.java:95)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:164)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at javax.naming.InitialContext.init(InitialContext.java:240)
        at javax.naming.InitialContext.<init>(InitialContext.java:214)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
        at com.google.gerrit.server.auth.ldap.Helper.open(Helper.java:86)
        at com.google.gerrit.server.auth.ldap.LdapRealm.authenticate(LdapRealm.java:190)
        at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:106)
        at com.google.gerrit.httpd.auth.ldap.UserPassAuthServiceImpl.authenticate(UserPassAuthServiceImpl.java:58)

Magnus Bäck

Jul 11, 2011, 2:54:27 PM
to repo-d...@googlegroups.com
On Monday, July 11, 2011 at 20:29 CEST,
Baz <bazt...@gmail.com> wrote:

> I am having problems with using Gerrit with LDAP. This is my first
> time configuring gerrit, can someone help?

[...]

> [ldap]
> server = LDAP_host.company_name.com

According to the documentation this must be one of the following:

server = ldap://LDAP_host.company_name.com
server = ldaps://LDAP_host.company_name.com

http://gerrit.googlecode.com/svn/documentation/2.1/config-gerrit.html#ldap

--
Magnus Bäck
SW Configuration Manager
Sony Ericsson

Opinions are my own and do not necessarily represent the ones of my employer, etc.

Baz

Jul 15, 2011, 12:50:08 PM
to repo-d...@googlegroups.com
Anyone have any ideas?

Magnus Bäck

Jul 15, 2011, 2:12:37 PM
to repo-d...@googlegroups.com, bazt...@gmail.com
On Friday, July 15, 2011 at 18:50 CEST,
Baz <bazt...@gmail.com> wrote:

> Anyone have any ideas?

Again, I did respond to your question. I don't know why you keep missing
my replies.

Baz

Jul 15, 2011, 2:21:16 PM
to repo-d...@googlegroups.com
Magnus, so sorry, I missed that again :) Did you reply to me privately? I cannot find your reply from the gmail inbox. Would you please resend your reply?

Magnus Bäck

Jul 15, 2011, 4:21:59 PM
to repo-d...@googlegroups.com
On Friday, July 15, 2011 at 20:21 CEST,
Baz <bazt...@gmail.com> wrote:

> Magnus, so sorry, I missed that again :) Did you reply to me privately?

No, I sent it to the list address only.

> I cannot find your reply from the gmail inbox. Would you please resend
> your reply?

You can find it in the list archives.

Baz

Jul 16, 2011, 3:58:28 AM
to repo-d...@googlegroups.com, magnu...@sonyericsson.com
Magnus, would you mind resending your reply? Thanks. B.

Ragesh Nair

Jul 16, 2011, 5:49:56 AM
to Baz, repo-d...@googlegroups.com, magnu...@sonyericsson.com
http://groups.google.com/group/repo-discuss/browse_thread/thread/98d62a299d6056dd?pli=1

You should be able to search and find it .... the above link has it I guess....

-Ragesh Nair


Baz

Jul 18, 2011, 2:32:13 PM
to repo-d...@googlegroups.com, Ragesh Nair, magnu...@sonyericsson.com
All, so I tried "ldap" and "ldaps", both with different error output. What do I need to do from there? I am going to confirm this with IT, but do I need the machine to be on the domain in order to query LDAP? How can I resolve the errors? Thanks. B.
 
With "ldap://":
[2011-07-18 11:21:26,035] INFO  com.google.gerrit.pgm.Daemon : Gerrit Code Review 2.2.1 ready
[2011-07-18 11:22:29,394] WARN  com.google.gerrit.server.auth.ldap.LdapRealm : Cannot discover type of LDAP server at ldap://PLMDC01.plasticlogic.com, assuming the server is RFC 2307 compliant.
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece ]; remaining name ''
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1322)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:231)
 
With "ldaps://":
[2011-07-18 11:29:22,079] INFO  com.google.gerrit.pgm.Daemon : Gerrit Code Review 2.2.1 ready
[2011-07-18 11:29:48,711] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.CommunicationException: anonymous bind failed: PLMDC01.plasticlogic.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:194)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)

Baz

Jul 18, 2011, 4:42:40 PM
to Richard Bywater, repo-d...@googlegroups.com
Yes, we are using ActiveDirectory but using LDAP to get information from ActiveDirectory (?)
 
I just asked around and got hold of the username and password, restarted Gerrit and tried to access it; the error is now:
 
[2011-07-18 13:34:53,745] INFO com.google.gerrit.pgm.Daemon : Gerrit Code Review 2.2.1 ready
[2011-07-18 13:35:52,057] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.CommunicationException: simple bind failed: gerrit_host.company_name.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)

Any idea?
 
On Mon, Jul 18, 2011 at 1:17 PM, Richard Bywater <ric...@byh2o.com> wrote:
 
Are you using ActiveDirectory? If so, I believe by default it doesn't support anonymous binds so specifying a username/password that is on the domain might get you up and running.
 
Richard.
 
 

Baz

Jul 18, 2011, 5:30:10 PM
to Richard Bywater, repo-d...@googlegroups.com
Once I added "sslVerify = false", the errors become:

[2011-07-18 14:27:22,958] INFO com.google.gerrit.pgm.Daemon : Gerrit Code Review 2.2.1 ready
[2011-07-18 14:27:55,962] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=plasticlogic,DC=com'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2811)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:147)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:216)

 
 

Baz

Jul 18, 2011, 8:13:39 PM
to Richard Bywater, repo-d...@googlegroups.com
What does "referral = follow" do? (I think I can look it up on Google...) Once I added this into gerrit.config, the error is gone, BUT the login still does not work. No errors at all, why?

On Mon, Jul 18, 2011 at 4:48 PM, Richard Bywater <ric...@byh2o.com> wrote:
You'll want to add "referral = follow" to your LDAP section...

Richard.

Baz

Jul 18, 2011, 9:05:33 PM
to Richard Bywater, repo-d...@googlegroups.com
I looked up "referral = follow", added a query in the username field and also changed back to using "sAMAccountName" (which I had used before, but it didn't work)... These changes seem to work. In case anyone wants to take a look at my LDAP configuration, here it is...
 
Thank you to everyone for helping. B.

[auth]
        type = LDAP
[ldap]
        server = ldap://gerrit_host.company_name.com
        username = CN=username,OU=Service Accounts,OU=Users,OU=Ipswich,OU=UK,DC=company_name,DC=com
        password = password
        accountBase = DC=company_name,DC=com
        accountScope = subtree
        accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
        groupBase = DC=company_name,DC=com
        accountFullName = displayName
        sslVerify = false
        referral = follow
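A small lint for the [ldap] section of gerrit.config, written as an added example for this thread (it is not Gerrit's own code). It parses the git-config syntax Gerrit uses and flags the problems that surfaced here: a server value without the ldap:// or ldaps:// scheme (Magnus's point), an LDAP filter with unbalanced parentheses, sslVerify = false, and a simple bind with a username over plain ldap://, which sends the bind password unencrypted. The two sample configs are constructed from the thread with placeholder values.

```python
import re

def parse_git_config(text):
    """Minimal git-config parser: {section: {key: value}}, keys lower-cased, last value wins."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[([^\]\s]+)\]$", line)
        if m:
            section = m.group(1).lower()
            cfg.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            cfg[section][key.strip().lower()] = value.strip()
    return cfg

def filter_balanced(expr):
    """True when an LDAP filter's parentheses are balanced (catches the 'group_(' typo)."""
    depth = 0
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def lint_ldap(text):
    """Return sorted finding codes for the [ldap] section of a gerrit.config text."""
    ldap = parse_git_config(text).get("ldap", {})
    findings, server = [], ldap.get("server", "")
    if not re.match(r"^ldaps?://", server):
        findings.append("server-missing-scheme")  # JNDI's 'Cannot parse url' NamingException
    if ldap.get("sslverify", "true").lower() == "false":
        findings.append("sslverify-disabled")      # silences the PKIX error by not checking certs
    if server.startswith("ldap://") and "username" in ldap:
        findings.append("cleartext-bind")          # simple bind over ldap:// sends the password in clear
    for key in ("accountpattern", "groupmemberpattern"):
        if key in ldap and not filter_balanced(ldap[key]):
            findings.append(key + "-unbalanced")
    return sorted(findings)

# Constructed samples modelled on the thread's first and final configs (placeholder values).
FIRST_CONFIG = "[ldap]\n\tserver = LDAP_host.company_name.com\n\tgroupMemberPattern = (&(objectClass=group_(member=${dn}))\n"
FINAL_CONFIG = ("[ldap]\n\tserver = ldap://gerrit_host.company_name.com\n"
                "\tusername = CN=svc_gerrit,OU=Service Accounts,DC=company_name,DC=com\n"
                "\tpassword = PLACEHOLDER\n\tsslVerify = false\n\treferral = follow\n")
```

The PKIX error in the thread means the JVM does not trust the domain controller's certificate chain; importing the issuing CA certificate into the JVM truststore with keytool -importcert lets you keep ldaps:// with certificate verification on instead of setting sslVerify = false.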

 
 