LDAP user unable to Login - Cannot assign external ID

84 views
Skip to first unread message

Mk

unread,
May 27, 2020, 2:33:10 AM5/27/20
to Repo and Gerrit Discussion
Gerrit Version - 2.14 and LDAP Authentication is configured.

One of our user unable to login to gerrit, From server error_log it shows below.


[2020-05-27 14:27:19,896] [HTTP-526978] INFO  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'ashok.kumar' failed to sign in: Cannot assign external ID "gerrit:ashok.kumar" to account 7867871; external ID already in use.

From the below API i could able to retrieve the user details but external.ids not retrieving details from user account.

'GET /accounts/{account-id}'
GET /accounts/ashok.kumar/detail
{
  "registered_on": "2016-08-24 02:47:07.709000000",
  "_account_id": 124854,
  "name": "Ashok Kumar",
  "email": "ashok...@company.com",
  "secondary_emails": [],
  "username": "ashok.kumar"
}

GET /accounts/ashok.kumar/external.ids
not allowed to get external IDs

Can you please advise to solve this issue?

Matthias Sohn

unread,
May 27, 2020, 2:57:25 AM5/27/20
to Mk, Repo and Gerrit Discussion
There seems to be another gerrit account using the same name (maybe also email address).
Check using sql query on the account_external_ids table (not sure about exact table name in 2.14,
we don't run such old version anymore).

You can use the gsql command [1] to query database tables:
$ ssh -p 29418 <gerrit host> gerrit gsql

to get schema information type 
\d 

to get details for a table use
\d <table name>

and of course you can run queries like
select * from account_external_ids where name='john.doe";


--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/37c38615-7e37-44c1-bf4c-c4b5ee544c66%40googlegroups.com.

Mk

unread,
May 27, 2020, 3:43:49 AM5/27/20
to Repo and Gerrit Discussion
We are using Oracle database from another server. the below command is not working. Does this gsql supports Oracle database?

gerrit> select * from account_external_ids where name='ashok.kumar';
ERROR: ORA-00933: SQL command not properly ended



To unsubscribe, email repo-d...@googlegroups.com


More info at http://groups.google.com/group/repo-discuss?hl=en



--- 

You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to repo-d...@googlegroups.com.
Matthias Sohn
unread,
May 27, 2020, 7:41:34 AM5/27/20
to Mk, Repo and Gerrit Discussion
I think it should be supported since these commands go through the gwtorm OR mapper.
Maybe Oracle doesn't like the trailing semicolon ?



To unsubscribe, email repo-discuss...@googlegroups.com


More info at http://groups.google.com/group/repo-discuss?hl=en



--- 

You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/6c9ec9a3-216a-43e9-ade7-d3a8fa731aae%40googlegroups.com.




Mk
unread,
May 29, 2020, 1:30:12 AM5/29/20
to Repo and Gerrit Discussion
Hi Matthias,

Is there any other way to fix this issue? Bcoz it seems some compatibility issue may be there with gerrit gsql. Commands are not working and i don't have access to oracle database which is hosted in another server.
Matthias Sohn
unread,
May 29, 2020, 3:10:21 AM5/29/20
to Mk, Repo and Gerrit Discussion
Did you assign the global capability "access database" to your user ?

Screenshot 2020-05-29 at 08.58.48.png

here is an example how to list the database schema and select from the accounts_external_ids table using gsql
and a test site using an H2 database :

$ ssh -p 29418 admin@localhost gerrit gsql
Welcome to Gerrit Code Review 2.14.20
(H2 1.3.176 (2014-04-05))

Type '\h' for help.  Type '\r' to clear the buffer.

gerrit> \d
                     List of relations
 TABLE_SCHEM | TABLE_NAME                  | TABLE_TYPE
 ------------+-----------------------------+-----------
 PUBLIC      | ACCOUNTS                    | TABLE
 PUBLIC      | ACCOUNT_EXTERNAL_IDS        | TABLE
 PUBLIC      | ACCOUNT_GROUPS              | TABLE
 PUBLIC      | ACCOUNT_GROUP_BY_ID         | TABLE
 PUBLIC      | ACCOUNT_GROUP_BY_ID_AUD     | TABLE
 PUBLIC      | ACCOUNT_GROUP_MEMBERS       | TABLE
 PUBLIC      | ACCOUNT_GROUP_MEMBERS_AUDIT | TABLE
 PUBLIC      | ACCOUNT_GROUP_NAMES         | TABLE
 PUBLIC      | CHANGES                     | TABLE
 PUBLIC      | CHANGE_MESSAGES             | TABLE
 PUBLIC      | PATCH_COMMENTS              | TABLE
 PUBLIC      | PATCH_SETS                  | TABLE
 PUBLIC      | PATCH_SET_APPROVALS         | TABLE
 PUBLIC      | SCHEMA_VERSION              | TABLE
 PUBLIC      | SYSTEM_CONFIG               | TABLE

gerrit> select * from ACCOUNT_EXTERNAL_IDS;
 ACCOUNT_ID | EMAIL_ADDRESS     | PASSWORD                                                           | EXTERNAL_ID
 -----------+-------------------+--------------------------------------------------------------------+-------------------------
 1000000    | ad...@example.com | NULL                                                               | mailto:ad...@example.com
 1000000    | NULL              | bcrypt:<redacted> | username:admin

If this doesn't work for you, you can try to use an Oracle database command line client or
ask your database administrator for help.

You should consider to upgrade to a supported version, version 2.14 is out of maintenance since quite some time [1].
At least you should ensure you are using the latest 2.14.20 service release [2].
Latest release is currently 3.1.5 [3] and 3.2 will be released next week.


-Matthias


To unsubscribe, email repo-discuss...@googlegroups.com


More info at http://groups.google.com/group/repo-discuss?hl=en



--- 

You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/98bfee48-ea72-48d6-834e-9e59bd8d47a8%40googlegroups.com.




Mk
unread,
May 29, 2020, 3:45:53 AM5/29/20
to Repo and Gerrit Discussion
Hi Matthias,

Ok sure.we will upgrade to latest version soon. Now with gsql itself able to get the below details.

REGISTERED_ON           | FULL_NAME    | PREFERRED_EMAIL        | INACTIVE | ACCOUNT_ID | STATUS
 ------------------------+--------------+---------------------+----------+------------+-------
 2016-12-24 12:23:07.604 | Ashok Kumar | ashok.kumar@company.com | N        | 124854     | NULL
(1 row; 3 ms)

ACCOUNT_ID | EMAIL_ADDRESS       | PASSWORD                                                  | EXTERNAL_ID
-----------+---------------------+--------------------------------------------------------------------+--------
 124854    | ashok.kumar@samsung.com | NULL                                                  | gerrit:ashok.kumar
 124854    | NULL                    | bcrypt:4:asdfsdfgU6dafdasf==:UKDAFadfdfdf/7Dtc0q      | username:ashok.kumar
(2 rows; 6 ms)


It seems no issue with the account settings side. i have checked in DB that there is no duplicate account/ID. 
Mk
unread,
May 29, 2020, 4:10:20 AM5/29/20
to Repo and Gerrit Discussion
Problem fixed after running account index. Thank you so much for your continue support on this issue.

POST /accounts/124854/index


Reply all
Reply to author
Forward
0 new messages