LDAP against AD fails me


richard van beers

Apr 17, 2015, 11:06:10 AM4/17/15
to repo-d...@googlegroups.com
Hi,

I installed gerrit 2.10.2, and picked LDAP as authentication method as our company has an Active Directory domain. However I cannot login to gerrit on the web interface.

Connecting to AD with ldapsearch works:



I have the feeling I am having issues with the correct format of the bind user as whatever I try, I get the following "bad credentials" error in Gerrit's error_log:

[2015-04-17 16:01:56,493] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]

The relevant gerrit.config sections are:

[auth]
        type = LDAP
[ldap]
        server = ldap://mydcserver.nl.mycompany.com
        username = cn=rbeers,cn=users,dc=nl,dc=mycompany,dc=com
        accountBase = ou=users,dc=nl,dc=mycompany,dc=com
        groupBase = ou=mycompany,ou=securitygroups,dc=nl,dc=mycompany,dc=com
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        groupMemberPattern = (sAMAccountName=${username})


Our AD structure is as follows:

AD Users and Comps
- nl.mycompany.com (domain)
- -Users (Container)
- -mycompany (OU)
- - -Users (OU)
- - -SecurityGroups (OU)



* Is the error in error_log pertaining to the bind user, or to the user trying to login to gerrit?
* What is the correct syntax for username? (I also tried rbe...@nl.mycompany.com, same result)
* What is the correct syntax to feed the webform for username? rbeers, rbe...@nl.mycompany.com, or some "CN=rbeers.." syntax?

Thanks for any help,

Richard van Beers

Doug Kelly

Apr 17, 2015, 3:02:31 PM4/17/15
to repo-d...@googlegroups.com
The secret is in this line:


[2015-04-17 16:01:56,493] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]

Error code 49 data 52e means "Invalid Credentials." (I usually look up the "data" number with AD because you can get statuses like "account locked" through this.)

Noting your configuration for ldap.username, I've found either specifying "user...@ad.domain.here" or "DOMAIN\username" are both valid (the second may take some extra escaping for that slash!), and make sure your secure.config (etc/secure.config) has the ldap.password set as well, if you don't allow anonymous bind.

Good luck!

Doug
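
Decoding the "data" sub-code Doug refers to, as an added example that is not part of the thread: this Python helper extracts the LDAP result code and the AD sub-code from a Gerrit error_log line and maps the well-known Active Directory sub-codes to their meaning. The sample input is the line quoted above plus a constructed locked-out line; the mapping only covers the documented AD values and reports anything else as unknown.

```python
import re

# Well-known Active Directory sub-codes reported after "data" in an
# LDAP error 49 (invalidCredentials) diagnostic message.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password or bind identity)",
    0x530: "not permitted to logon at this time",
    0x531: "not permitted to logon at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# Matches "[LDAP: error code 49 - ...: AcceptSecurityContext error, data 52e, ...]"
_LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+)\b.*?\bdata (?P<data>[0-9a-fA-F]+)\b"
)

# Constructed sample: the line from the thread plus a locked-out variant.
SAMPLE_LINES = [
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 775, v23f0]",
]


def decode_ldap_error(message):
    """Return (result_code, ad_subcode, meaning) for an LDAP error message, or None."""
    m = _LDAP_ERR_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    data = int(m.group("data"), 16)   # AD prints the sub-code in hex
    if code != 49:
        meaning = "not an invalidCredentials (49) result"
    else:
        meaning = AD_BIND_SUBCODES.get(data, "unknown AD sub-code")
    return code, data, meaning


def decode_error_log(lines):
    """Decode every LDAP error found in an iterable of error_log lines."""
    return [r for r in (decode_ldap_error(line) for line in lines) if r]


if __name__ == "__main__":
    for code, data, meaning in decode_error_log(SAMPLE_LINES):
        print(f"error {code}, data {data:x}: {meaning}")
```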

richard van beers

Apr 20, 2015, 3:54:22 AM4/20/15
to repo-d...@googlegroups.com
Thanks!

Escaping the slash as in:

DOMAIN\\Username did the trick.


Gr RichardvB