Active Directory Giving Binding Error


Adam Rodger

May 4, 2012, 8:16:04 AM
to Repo and Gerrit Discussion
I'm trying to set up Gerrit to use our corporate Active Directory for
authentication. I know plenty of people have managed to get this to
work but it just won't work for me.

If I run an ldapsearch command as follows I get the correct result, so
I know my LDAP strings are correct:

$ ldapsearch -h myserver -b "CN=Users,DC=mycompany,DC=com" -D "CN=adam,CN=Users,DC=mycompany,DC=com" -w mypassword "(sAMAccountName=adam)"

But using these same settings in my Gerrit config doesn't work:

[auth]
type = LDAP
[ldap]
server = ldap://myserver
accountBase = CN=Users,DC=mycompany,DC=com
groupBase = OU=Gerrit,DC=mycompany,DC=com
user = CN=adam,CN=Users,DC=mycompany,DC=com
password = mypassword
referral = follow
accountPattern = (sAMAccountName=${username})
groupPattern = (cn=${groupname})
accountFullName = displayName
accountMemberField = memberOf
accountEmailAddress = mail

I get the following exception in etc/error_log when trying to
authenticate:

[2012-05-04 10:03:04,595] ERROR
com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to
autenticate user
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
DSID-0C090627, comment: In order to perform this operation a
successful bind must be completed on the connection., data 0, vece^@];
remaining name 'CN=Users,DC=mycompany,DC=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)

It looks like the binding doesn't work but I've tried changing the
username/password to all different formats then restarting Gerrit and
nothing seems to work. The settings do work using ldapsearch though.
I'm running on Turnkey Linux (a cut-down version of Ubuntu) in a
VirtualBox VM. My AD server is Windows 2003.

Shawn Pearce

May 4, 2012, 1:16:28 PM
to Adam Rodger, Repo and Gerrit Discussion
On Fri, May 4, 2012 at 5:16 AM, Adam Rodger <adam....@gmail.com> wrote:
> I'm trying to set up Gerrit to use our corporate Active Directory for
> authentication. I know plenty of people have managed to get this to
> work but it just won't work for me.
...
> [2012-05-04 10:03:04,595] ERROR
> com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to
> autenticate user
> javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
> DSID-0C090627, comment: In order to perform this operation a
> successful bind must be completed on the connection., data 0, vece^@];
> remaining name 'CN=Users,DC=mycompany,DC=com'
>        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
>        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
>        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
>        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
>        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
>        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)

Is there a more complete stack trace available? I expected to see at
least some of our com.google.gerrit stack frames in here too, which
might give me a better idea of the operation we tried and why that
might fail given your config and AD server.

Michal Bergmann

May 6, 2012, 6:47:11 PM
to repo-d...@googlegroups.com
Active Directory doesn't support anonymous connections, which means that you need to configure ldap.username and ldap.password. The username format for AD is us...@mycompany.com

[ldap]
username=us...@mycompany.com
password=userpass


Remy Bohmer

May 7, 2012, 3:54:16 AM
to Adam Rodger, Repo and Gerrit Discussion
Hi,

2012/5/4 Adam Rodger <adam....@gmail.com>:
> I'm trying to set up Gerrit to use our corporate Active Directory for
> authentication. I know plenty of people have managed to get this to
> work but it just won't work for me.
>
> If I run an ldapsearch command as follows I get the correct result, so
> I know my LDAP strings are correct:
>
> $ ldapsearch -h myserver -b "CN=Users,DC=mycompany,DC=com" -D
> "CN=adam,CN=Users,DC=mycompany,DC=com" -w mypassword
> "(sAMAccountName=adam)"
>
> But using these same settings in my Gerrit config doesn't work:
>
> [auth]
>    type = LDAP
> [ldap]
>    server = ldap://myserver
>    accountBase = CN=Users,DC=mycompany,DC=com
>    groupBase = OU=Gerrit,DC=mycompany,DC=com
>    user = CN=adam,CN=Users,DC=mycompany,DC=com
>    password = mypassword
>    referral = follow
>    accountPattern = (sAMAccountName=${username})
>    groupPattern = (cn=${groupname})
>    accountFullName = displayName
>    accountMemberField = memberOf
>    accountEmailAddress = mail

You need to specify a binding user and password.
Furthermore, in our ADS environment it turned out that binding on port
3268 is much easier, since it provides a simplified view on the ADS
forest. (Our corporate ADS forest is a huge set of many different ADS
domains in many different countries, in which we need to authenticate
worldwide)

So, these settings work in our case:
[ldap]
server = ldap://<server>:3268
username = LDAP-BIND-USER-DOMAIN\\ldap-bind-user
accountBase = DC=xxx,DC=net
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
accountFullName = ${givenName} ${sn}
accountSshUserName = ${sAMAccountName.toLowerCase}
accountMemberField = memberOf
groupBase = DC=xxx,DC=net
groupPattern = (&(objectClass=group)(cn=${groupname}))
groupMemberPattern =

Note: via the Gerrit installer you can enter the password hidden; you
do not need to add it in plain text in the config file.
Furthermore, by using an LDAP browser you can actually see what you are
doing (e.g. Softerra LDAP Browser).

Kind regards,

Remy

Shawn Pearce

May 7, 2012, 10:21:58 AM
to Remy Bohmer, Adam Rodger, Repo and Gerrit Discussion
On Mon, May 7, 2012 at 12:54 AM, Remy Bohmer <li...@bohmer.net> wrote:
> Note: via gerrit installer, you can specify the password hidden, you
> do not need to add it in plain text in the config file.

That hidden password is actually just written to secure.config like:

[ldap]
password = thehiddenpasswordyouthoughtwasprivatebutisreallystoredplaintext

The init code tries to make sure secure.config has UNIX permissions
0600 so it's readable only by the Gerrit user. But it's really storing
the password in plaintext.

There have been requests to store these sorts of values encrypted,
which is a nice idea, but the decryption key must still be available
somehow to the Gerrit user, so we haven't tried to implement that.

Luca Milanesio

May 7, 2012, 11:56:50 AM
to Shawn Pearce, Remy Bohmer, Adam Rodger, Repo and Gerrit Discussion
I've got the encrypted secure config patch on my laptop ready to be discussed and finalised this week during the hacking session ;-)

Luca
---------
Sent from my iPhone
Luca Milanesio
+44-(0)7928 617383
Skype: lucamilanesio

Adam Rodger

May 7, 2012, 12:15:59 PM
to Repo and Gerrit Discussion
Sorry guys, absolutely my fault here.

Take a look at my example config: I'm using ldap.user instead of
ldap.username as the setting name. Once I changed it to the correct
name my AD binding is working properly.

Might be a discussion point for the future, perhaps a warning printed
in the log on startup if there are any config settings that aren't
recognised?
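Two checks from this thread that a Gerrit administrator can run before restarting the server, written as an added example (it is not code from the thread or from Gerrit itself): a linter that flags [ldap] keys Gerrit would silently ignore, such as the `user` key that broke the bind above, with a "did you mean" hint, and a check that secure.config carries no group/other permission bits, which is what Shawn says the init code aims for. The list of known [ldap] keys is taken from the configs posted here and is an assumption of the example; extend it from the Gerrit documentation for the version you run. The sample config is the one from the first post, with placeholder values.

```python
import os
import re
import stat
import tempfile
from difflib import get_close_matches

# [ldap] keys seen in the configs posted in this thread. This is an
# assumption of the example, not Gerrit's own list of accepted keys:
# extend it from the Gerrit documentation for the version you run.
KNOWN_LDAP_KEYS = {
    "server", "username", "password", "referral",
    "accountBase", "accountPattern", "accountFullName",
    "accountEmailAddress", "accountSshUserName", "accountMemberField",
    "groupBase", "groupPattern", "groupMemberPattern",
}

# Constructed sample: the [ldap] section from the first post, including
# the misspelled key that caused the bind failure (values are placeholders).
SAMPLE_CONFIG = """\
[auth]
    type = LDAP
[ldap]
    server = ldap://myserver
    accountBase = CN=Users,DC=mycompany,DC=com
    groupBase = OU=Gerrit,DC=mycompany,DC=com
    user = CN=adam,CN=Users,DC=mycompany,DC=com
    password = mypassword
    referral = follow
    accountPattern = (sAMAccountName=${username})
    groupPattern = (cn=${groupname})
    accountFullName = displayName
    accountMemberField = memberOf
    accountEmailAddress = mail
"""

_SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"[^"]*")?\]\s*$')
_KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_git_config(text):
    """Parse git-config style text into {section: [(key, value), ...]}.
    Keys keep their order and duplicates are preserved, as git does."""
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def unknown_ldap_keys(text, known=KNOWN_LDAP_KEYS):
    """Return [(key, suggestion)] for [ldap] keys Gerrit would silently
    ignore; suggestion is the closest known key, or None if nothing is close."""
    by_lower = {k.lower(): k for k in known}  # git config keys are case-insensitive
    findings = []
    for key, _value in parse_git_config(text).get("ldap", []):
        if key.lower() in by_lower:
            continue
        close = get_close_matches(key.lower(), list(by_lower), n=1, cutoff=0.6)
        findings.append((key, by_lower[close[0]] if close else None))
    return findings


def file_is_private(path):
    """True when no group/other permission bit is set, i.e. the file is
    0600 or stricter, which is what Gerrit's init aims for on secure.config."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def check_mode_on_temp_file(mode):
    """Demo helper: write a throwaway secure.config, apply `mode`, run the check."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"[ldap]\n\tpassword = placeholder\n")
        os.close(fd)
        os.chmod(path, mode)
        return file_is_private(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, hint in unknown_ldap_keys(SAMPLE_CONFIG):
        msg = f"[ldap] unknown key '{key}'"
        print(msg + (f" (did you mean '{hint}'?)" if hint else ""))
    print("0600 private:", check_mode_on_temp_file(0o600))
    print("0644 private:", check_mode_on_temp_file(0o644))
```

Run against the first post's config it reports only the `user` key and suggests `username`; Remy's config, including the empty `groupMemberPattern =`, passes clean. Point `file_is_private` at `$site_path/etc/secure.config` to confirm the 0600 mode survived whatever deployment tooling copied the file.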