Hi,
2012/5/4 Adam Rodger <adam....@gmail.com>:
> I'm trying to set up Gerrit to use our corporate Active Directory for
> authentication. I know plenty of people have managed to get this to
> work but it just won't work for me.
>
> If I run an ldapsearch command as follows I get the correct result, so
> I know my LDAP strings are correct:
>
> $ ldapsearch -h myserver -b "CN=Users,DC=mycompany,DC=com" \
>     -D "CN=adam,CN=Users,DC=mycompany,DC=com" -w mypassword \
>     "(sAMAccountName=adam)"
>
> But using these same settings in my Gerrit config doesn't work:
>
> [auth]
> type = LDAP
> [ldap]
> server = ldap://myserver
> accountBase = CN=Users,DC=mycompany,DC=com
> groupBase = OU=Gerrit,DC=mycompany,DC=com
> user = CN=adam,CN=Users,DC=mycompany,DC=com
> password = mypassword
> referral = follow
> accountPattern = (sAMAccountName=${username})
> groupPattern = (cn=${groupname})
> accountFullName = displayName
> accountMemberField = memberOf
> accountEmailAddress = mail

You need to specify a binding user and password.

Furthermore, in our ADS environment it turned out that binding on port
3268 is much easier, since it provides a simplified view of the ADS
forest. (Our corporate ADS forest is a huge set of many different ADS
domains in many different countries, in which we need to authenticate
worldwide.)

So, these settings work in our case:

[ldap]
server = ldap://<server>:3268
username = LDAP-BIND-USER-DOMAIN\\ldap-bind-user
accountBase = DC=xxx,DC=net
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
accountFullName = ${givenName} ${sn}
accountSshUserName = ${sAMAccountName.toLowerCase}
accountMemberField = memberOf
groupBase = DC=xxx,DC=net
groupPattern = (&(objectClass=group)(cn=${groupname}))
groupMemberPattern =

Note: via the Gerrit installer, you can enter the password hidden; you
do not need to add it in plain text in the config file.

Furthermore, by using an LDAP browser you can actually see what you are
doing (e.g. Softerra LDAP Browser).

Kind regards,
Remy
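
Added example, not part of either message and not Gerrit's own code: a small lint over the [ldap] section of a gerrit.config, run against trimmed copies of the two configurations above. It assumes the option names from Gerrit's documentation (ldap.username, ldap.password, ldap.startTls) and that the installer stores the password in etc/secure.config; lint_ldap and the finding codes are names made up for this example.

```python
import configparser

# Constructed samples: trimmed [ldap] sections from the two messages above.
FAILING = r"""
[ldap]
server = ldap://myserver
accountBase = CN=Users,DC=mycompany,DC=com
user = CN=adam,CN=Users,DC=mycompany,DC=com
password = mypassword
accountPattern = (sAMAccountName=${username})
"""
WORKING = r"""
[ldap]
server = ldap://<server>:3268
username = LDAP-BIND-USER-DOMAIN\\ldap-bind-user
accountBase = DC=xxx,DC=net
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
groupMemberPattern =
"""

# Hypothetical finding codes for this example, with the reason for each.
CHECKS = {
    "unknown-key-user": "'user' is not a Gerrit option; the bind account goes in ldap.username",
    "no-bind-user": "ldap.username missing, so Gerrit attempts an anonymous connection",
    "password-in-gerrit-config": "ldap.password belongs in etc/secure.config, not gerrit.config",
    "cleartext-bind": "ldap:// without startTls sends the bind password unencrypted",
}

def lint_ldap(gerrit_config_text):
    """Return finding codes for the [ldap] section of a gerrit.config."""
    # interpolation=None keeps ${username} literal; only '=' separates key and value.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(gerrit_config_text)
    if not cp.has_section("ldap"):
        return []
    ldap = cp["ldap"]  # keys are lower-cased, like git-config's case-insensitive names
    found = []
    if "user" in ldap:
        found.append("unknown-key-user")
    if not ldap.get("username", "").strip():
        found.append("no-bind-user")
    if "password" in ldap:
        found.append("password-in-gerrit-config")
    plain = ldap.get("server", "").lower().startswith("ldap://")
    if plain and ldap.get("starttls", "false").lower() != "true":
        found.append("cleartext-bind")
    return found

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        for code in lint_ldap(text):
            print(f"{name}: {code}: {CHECKS[code]}")
```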