ldap Included Groups doesn't seem to work

Benjamin Copeland

Apr 17, 2018, 9:26:50 AM
to Repo and Gerrit Discussion
Hi Guys,

For some reason, when I add ldap/group_name the user isn't getting picked up.

This used to work, so I can't think of a reason why it would stop. I have
tested that the LDAP settings work with an ldapsearch command, and they do.


[ldap]
server = ldaps://xxxx
username = cn=xxxx,ou=binders,dc=xxxx,dc=org
accountBase = ou=accounts,dc=xxxx,dc=org
groupBase = ou=groups,dc=xxxx,dc=org
referral = follow
accountPattern = (mail=${username})
accountSshUserName = uid
accountEmailAddress = mail
accountFullName = displayName
groupScope = subtree
groupMemberPattern = (memberUid=${uid})


Nothing seems to be coming up in the log; however, group names get
"suggested", so it seems to be talking to LDAP okay.

Ben

Gert van Dijk

Apr 17, 2018, 9:49:49 AM
to Repo and Gerrit Discussion
I guess Gerrit is unable to find members of the groups and thus not linking the user to the suggested ldap/<group>.

Perhaps this is an error?


groupMemberPattern = (memberUid=${uid})

where ${uid} is not documented for expansion. But ${username} is an email address in your case, so that would not work... Does (member=${dn}) work for your setup?

If it's more complicated: What kind of LDAP server are you using?
There are several settings controlling the default structures (memberOf attributes on users vs memberUid attributes on the groups). For me leaving everything at the default autodetected the type of LDAP server appropriately and everything worked.
You could try to remove the options referral, groupScope, groupMemberPattern and leave that to autodetect.

Benjamin Copeland

Apr 18, 2018, 10:51:06 AM
to Gert van Dijk, Repo and Gerrit Discussion
On 17 April 2018 at 14:49, Gert van Dijk <gert...@gmail.com> wrote:
> I guess Gerrit is unable to find members of the groups and thus not linking
> the user to the suggested ldap/<group>.
>
> Perhaps this is an error?
>
> groupMemberPattern = (memberUid=${uid})

When I do search on our security groups, I get:

dn: cn=systems,ou=security,ou=groups,dc=domain,dc=org
memberUid: ben.copeland

We use HTTP_LDAP for login.

accountSshUserName = uid

When I do a "user search" I get:

uid: ben.copeland
mail: ben.co...@domain.org

Login is done through the email address, as ${username} expects an
email address.

>
> where ${uid} is not documented for expansion. But ${username} is an email
> address in your case, so that would not work... Does (member=${dn}) work for
> your setup?
>
> If it's more complicated: What kind of LDAP server are you using?

We run OpenLDAP with security/mailing group approach.

> There are several settings controlling the default structures (memberOf
> attributes on users vs memberUid attributes on the groups). For me leaving
> everything at the default autodetected the type of LDAP server appropriately
> and everything worked.
> You could try to remove the options referral, groupScope, groupMemberPattern
> and leave that to autodetect.

I have tried removing these and it still doesn't work.


Benjamin Copeland

Apr 25, 2018, 10:02:08 AM
to Gert van Dijk, Repo and Gerrit Discussion
I have looked at the settings over and over again and cannot see where the problem is. My settings look correct.

[ldap]
        server = ldaps://login.example.org
        username = cn=git-private,ou=binders,dc=example,dc=org
        accountBase = ou=accounts,dc=example,dc=org
        groupBase = ou=groups,dc=example,dc=org
        referral = follow
        accountPattern = (mail=${username})
        accountSshUserName = uid
        accountEmailAddress = mail
        accountFullName = displayName
        groupScope = subtree
        groupMemberPattern = (memberUid=${uid})



Using ldapsearch on the user, the fields I get back that are used above are:

uid = user.name
displayName = User Name


Any pointers? Nothing comes up in logs either.

For now I am having to directly write user names into groups for the ACL to work, since the users aren't being pulled from Included groups.

Ben


Doug Robinson

Apr 25, 2018, 3:08:50 PM
to Repo and Gerrit Discussion
Just a thought: does your LDAP LDIF actually have a "memberUid" attribute?  Are you using Active Directory as an LDAP source?

Benjamin Copeland

Apr 26, 2018, 9:46:14 AM
to Doug Robinson, Repo and Gerrit Discussion
I fixed this by changing:

groupBase = ou=groups,dc=example,dc=org

to

groupBase = ou=security,ou=groups,dc=example,dc=org

Thanks for the help!

Ben


Gert van Dijk

Apr 28, 2018, 9:52:38 AM
to Repo and Gerrit Discussion
Good to hear that you've managed to solve it! :-)

It sounds like Gerrit didn't actually search recursively (ldap.groupScope = subtree), even though you explicitly specified that. Sounds like a bug to me, to be honest.
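The scope behaviour discussed in this thread can be checked offline before touching a live server. The following is an added example, not code from the thread or from Gerrit itself: it models Gerrit's groupBase/groupScope/groupMemberPattern lookup over a constructed in-memory directory shaped like the DNs Ben posted, and shows why a group under ou=security,ou=groups is found only when the search really is subtree (or when groupBase is narrowed, as in Ben's fix). DN handling is deliberately simplified (plain comma splitting, no escaping).

```python
# Added example (not from the thread or from Gerrit): model an LDAP group
# search under Gerrit-style settings against a constructed directory.

def dn_parts(dn):
    """Split a DN into lowercased RDN components, leaf first (simplified)."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """LDAP scope: 'base' (entry == base), 'one' (direct child), 'sub' (any descendant)."""
    e, b = dn_parts(entry_dn), dn_parts(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False           # entry is not under the base at all
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def expand(pattern, account):
    """Substitute ${attr} placeholders from the resolved account entry."""
    for key, value in account.items():
        pattern = pattern.replace("${" + key + "}", value)
    return pattern

def matches_filter(entry, flt):
    """Evaluate a single equality filter such as (memberUid=ben.copeland)."""
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def gerrit_groups_for(account, directory, cfg):
    """DNs of the groups a Gerrit-style search would return for this account."""
    flt = expand(cfg["groupMemberPattern"], account)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, cfg["groupBase"], cfg["groupScope"])
                  and matches_filter(attrs, flt))

# Constructed sample data mirroring the thread: one group directly under
# ou=groups, one nested under ou=security,ou=groups; uid vs mail as in Ben's post.
DIRECTORY = {
    "cn=systems,ou=security,ou=groups,dc=example,dc=org": {"memberuid": ["ben.copeland"]},
    "cn=all-staff,ou=groups,dc=example,dc=org": {"memberuid": ["ben.copeland"]},
}
ACCOUNT = {"uid": "ben.copeland", "username": "ben.copeland@example.org"}

def demo(scope, group_base="ou=groups,dc=example,dc=org",
         pattern="(memberUid=${uid})"):
    """Run the lookup with the given scope, base and member pattern."""
    cfg = {"groupBase": group_base, "groupScope": scope, "groupMemberPattern": pattern}
    return gerrit_groups_for(ACCOUNT, DIRECTORY, cfg)

if __name__ == "__main__":
    print("sub:", demo("sub"))                      # both groups
    print("one:", demo("one"))                      # nested group missing, as in the thread
    print("username pattern:", demo("sub", pattern="(memberUid=${username})"))  # []
```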