Support multiple LDAP servers?


Justin Georgeson

Jan 26, 2015, 11:16:58 AM
to repo-d...@googlegroups.com
We configure Unix-hosted services to connect to our AD controllers via LDAP, and have multiple servers to authenticate to (separate domains for internal vs. external developers). Typically we do this by configuring two LDAP servers. The documented settings under ldap.* don't look like they'd support multiple servers. Even assuming I can have each setting appear multiple times, there would need to be a way to map the username, account*, group*, etc. settings to a specific server. There's no partitioning of AD domains to projects (i.e. any given project can have both internal and external developers), so standing up separate Gerrit instances for each LDAP server would be impractical. We'd have to have full bi-directional sync between the projects in both instances.

Luca Milanesio

Jan 26, 2015, 11:31:13 AM
to Justin Georgeson, repo-d...@googlegroups.com
Hi Justin,
we at GerritForge developed experimental multi-LDAP support … but we parked the change as a new auth-backend refactoring was planned.

At the moment, unless the two LDAP domains are linked into a forest, there is no way to resolve your problem with current Gerrit.

I can suggest the following “dirty-hack” / workaround:

a) NGINX serving incoming requests with LDAP authentication (see [1])
b) Configure Gerrit with HTTP authentication

Drawback: you would not be able to use two Group backends pointing to the two LDAP auth systems :-(


HTH

Luca.

On 26 Jan 2015, at 16:16, Justin Georgeson <baron...@gmail.com> wrote:

We configure Unix-hosted services to connect to our AD controllers via LDAP, and have multiple servers to authenticate to (separate domains for internal vs. external developers). Typically we do this by configuring two LDAP servers. The documented settings under ldap.* don't look like they'd support multiple servers. Even assuming I can have each setting appear multiple times, there would need to be a way to map the username, account*, group*, etc. settings to a specific server. There's no partitioning of AD domains to projects (i.e. any given project can have both internal and external developers), so standing up separate Gerrit instances for each LDAP server would be impractical. We'd have to have full bi-directional sync between the projects in both instances.


Justin Georgeson

Jan 26, 2015, 12:03:35 PM
to repo-d...@googlegroups.com, baron...@gmail.com
Thanks. Is the refactoring part of 2.10 or is it planned for after that release?

I think we used to do something similar to the workaround with SVN+Apache, where Apache had all the LDAP config. The problems we had with that were that every OU within a domain had to be configured separately (couldn't have a single server with the common base DN), and every modification required a restart of Apache. Does nginx handle it any better?

Luca Milanesio

Jan 26, 2015, 12:05:28 PM
to Justin Georgeson, repo-d...@googlegroups.com
At least with NGINX you just need a reload … and current connections are not impacted :-)
I successfully configured multi-LDAP authentication, using different server types and backends.

Luca.
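The workaround Luca describes (nginx doing LDAP authentication against both domains, Gerrit running with HTTP authentication), written out as an added example; this is not configuration from the thread or from GerritForge. It assumes nginx built with the third-party nginx-auth-ldap module (https://github.com/kvspb/nginx-auth-ldap), and all host names, base DNs and the service-account DNs are placeholders.

```nginx
# Added example: nginx as the authenticating front door for Gerrit.
# Assumes the nginx-auth-ldap module; hosts, DNs and credentials are placeholders.
http {
    # One ldap_server block per AD domain. The bind account only needs read
    # access to locate the user's DN; the user's own credentials are then bound.
    ldap_server internal_ad {
        url ldaps://dc1.internal.example.com/DC=internal,DC=example,DC=com?sAMAccountName?sub?(objectClass=user);
        binddn "CN=gerrit-svc,OU=Service Accounts,DC=internal,DC=example,DC=com";
        binddn_passwd "CHANGE-ME";   # placeholder; keep this file readable by nginx only
        require valid_user;
    }

    ldap_server external_ad {
        url ldaps://dc1.external.example.com/DC=external,DC=example,DC=com?sAMAccountName?sub?(objectClass=user);
        binddn "CN=gerrit-svc,OU=Service Accounts,DC=external,DC=example,DC=com";
        binddn_passwd "CHANGE-ME";   # placeholder
        require valid_user;
    }

    server {
        listen 443 ssl;
        server_name gerrit.example.com;
        # ssl_certificate / ssl_certificate_key omitted for brevity

        location / {
            auth_ldap "Gerrit";
            # Servers are tried in the order listed: internal domain first,
            # then the external one, so one login prompt covers both.
            auth_ldap_servers internal_ad;
            auth_ldap_servers external_ad;

            # Gerrit (auth.type = HTTP) reads the user name from the Basic
            # Authorization header that nginx has already verified; nginx
            # forwards client request headers unchanged by default.
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

On the Gerrit side this needs `auth.type = HTTP` in gerrit.config, and because Gerrit then trusts whatever user name the proxy presents, its listener must not be reachable except through nginx (e.g. `httpd.listenUrl = proxy-https://127.0.0.1:8080/`). As Luca notes, group membership still comes from a single Gerrit group backend, so groups from the second domain are not available this way.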

Jan Kundrát

Jan 26, 2015, 12:40:58 PM
to repo-d...@googlegroups.com
On Monday, 26 January 2015 17:16:58 CEST, Justin Georgeson wrote:
> We configure Unix-hosted services to connect to our AD controllers via
> LDAP, and have multiple servers to authenticate to (separate domains for
> internal vs external developers).

One option is to use one more LDAP server and let it aggregate data from
all primary servers ("Virtual Directory", or OpenLDAP's slapd-meta
backend).

With kind regards,
Jan

--
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/