2.0.21 / LDAP Groups


Anthony

Sep 25, 2009, 12:20:51 PM
to Repo and Gerrit Discussion
I just upgraded from 2.0.18 to 2.0.21. We were previously using
gitosis for access and hand setting what is now pulled from LDAP. It
seems to be working for getting information about my user, downloading
changes, etc., but groups don't seem to be getting pulled. I'm not
sure what I should expect to see.

Should Settings->Groups show all of my LDAP groups? Should
Admin->Projects->Access let me autocomplete LDAP group entries?

I don't see any errors from the Gerrit log file, but I suspect that it
isn't pulling correctly.

[gerrit]
basepath = /data/gerrit/repositories
canonicalWebUrl = http://10.35.11.21:8081/code-review/
[user]
name = Gerrit Code Review
[auth]
type = HTTP_LDAP
[repo]
showdownloadcommand = true
[gitweb]
url = https://xxx/git-web/gitweb.cgi
[ldap]
server = ldap://user@xxx
username = user@xxx
password = pass
#
accountBase = DC=ad,DC=xxx,DC=com
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
accountFullName = displayName
accountEmailAddress = mail
accountSshUserName = sAMAccountName
#
groupBase = DC=ad,DC=xxx,DC=com
groupMemberPattern = (&(objectClass=group)(member=${dn}))
groupName = cn

How can I do the equivalent ldapsearch command to check it? I'm not
very familiar with LDAP. I've been trying to do commands like
"(&(objectClass=group)(member=N*))" but whenever I put anything
besides member=*, I get no results.

Thanks

Shawn Pearce

Sep 25, 2009, 12:38:18 PM
to repo-d...@googlegroups.com
On Fri, Sep 25, 2009 at 09:20, Anthony <m.b...@gmail.com> wrote:
> Should Settings->Groups show all of my LDAP groups?

No, it only shows groups which exist in the SQL database. I think the
step you are missing here is you need to insert the group manually
into the database, e.g.:

INSERT INTO account_groups (
owner_group_id,
group_id,
description,
automatic_membership,
name)
VALUES (
(SELECT admin_group_id FROM system_config),
nextval('account_group_id'),
'Imported from LDAP',
'Y',
'developers');

> Should Admin->Projects->Access let me autocomplete LDAP group entries?

Yes, once the account_group record is created as above.

>    groupBase = DC=ad,DC=xxx,DC=com
>    groupMemberPattern = (&(objectClass=group)(member=${dn}))
>    groupName = cn
>
> How can I do the equivalent ldapsearch command to check it? I'm not
> very familiar with LDAP. I've been trying to do commands like
> "(&(objectClass=group)(member=N*))" but whenever I put anything
> besides member=*, I get no results.

ldapsearch -b DC=ad,DC=xxx,DC=com '(&(objectClass=group)(member=DN))'

where DN is the distinguishedName obtained from your user account,
which you can get by doing a query for that first:

ldapsearch -b DC=ad,DC=xxx,DC=com '(&(objectClass=person)(sAMAccountName=USERNAME))'

Shawn Pearce

Sep 25, 2009, 1:19:42 PM
to repo-d...@googlegroups.com
On Fri, Sep 25, 2009 at 10:11, Anthony <m.b...@gmail.com> wrote:
>
> Should "developers" ("name" column) be the "cn" from LDAP?

Yes. It's the value which is stored in the property named by ldap.groupName.

> I get:
> 2009-09-25 12:00:48,114::WARN : com.google.gerrit.server.ldap.LdapRealm - Group "#ENG - Handset - SW - Product - MANAGERNAME" not found in LDAP.
>
> It seems like LdapRealm.java is trying to load from an attribute
> titled "groupName", but I don't think I have that.

That query was supposed to be:

-b "dc=ad,dc=xxx,dc=com" -s sub "(cn=#ENG - Handset - SW - Product - MANAGERNAME)"

But it's returning no results? Did you typo the group name?

> It would be useful to have this information near the ldap
> configuration in the documentation, imo. I'll try to get some time to
> add that later, once I get this working. (Or maybe I just missed it
> and it is somewhere else)

Yes, that section could use more details, including examples for
popular directory servers, like *cough*ActiveDirectory*cough*. I
would greatly appreciate any help you can offer to provide more
detailed documentation.

Anthony

Sep 25, 2009, 1:56:23 PM
to Repo and Gerrit Discussion
I got the groups to show up.

Last question about this, I promise: searching for members doesn't
seem to work for me, and I assumed I was just doing some syntax wrong,
but it looks like Gerrit doesn't find them either. I can go to
Admin->Groups and see the LDAP information about the group I added, but
if I go to Settings->Groups, I don't see myself in it.

I do:
-b "DC=ad,DC=xxx,DC=com" -s sub "(&(objectClass=person)(samaccountname=LASTNAME))"
and my DN shows as:
dn: CN=LASTNAME\, FIRSTNAME,OU=Users,OU=FOO,DC=ad,DC=xxx,DC=com

so, then I try:
-b "DC=ad,DC=xxx,DC=com" -s sub "(&(objectClass=group)(member=CN=LASTNAME, FIRSTNAME,OU=Users,OU=FOO,DC=ad,DC=xxx,DC=com))"

and get no results.

-b "DC=ad,DC=xxx,DC=com" -s sub "(&(objectClass=group)(member=*))"
gives me all results

-b "DC=ad,DC=xxx,DC=com" -s sub "(&(objectClass=group)(member=*N*))"
gives me no results

I've been reading several ldap tutorials, and a lot of them seem to
use member= to query similarly to how I'm doing it, so I don't know
what's different in my situation.

I also tried removing DC=ad,DC=xxx,DC=com from my DN search, since it
was already part of the base, but that didn't help.

Thanks

On Sep 25, 12:19 pm, Shawn Pearce <s...@google.com> wrote:

Shawn Pearce

Sep 25, 2009, 4:42:30 PM
to repo-d...@googlegroups.com
On Fri, Sep 25, 2009 at 10:56, Anthony <m.b...@gmail.com> wrote:
> Last question about this, I promise: searching for members doesn't
> seem to work for me, and I assumed I was just doing some syntax wrong,
> but it looks like Gerrit doesn't find them either. I can go to
> Admin->Groups and see the LDAP information about the group I added, but
> if I go to Settings->Groups, I don't see myself in it.
>
> I do:
> -b "DC=ad,DC=xxx,DC=com" -s sub "(&(objectClass=person)(samaccountname=LASTNAME))"
> and my DN shows as:
> dn: CN=LASTNAME\, FIRSTNAME,OU=Users,OU=FOO,DC=ad,DC=xxx,DC=com
>
> so, then I try:
> -b "DC=ad,DC=xxx,DC=com" -s sub "(&(objectClass=group)(member=CN=LASTNAME, FIRSTNAME,OU=Users,OU=FOO,DC=ad,DC=xxx,DC=com))"

If the user DN has an embedded comma, escape it with the backslash "\"
escape character. For example:

'(&(objectCategory=group)(member=cn=Smith\, James,ou=Sales,ou=West,dc=MyDomain,dc=com))'

The thing is, you have Gerrit configured right it seems:

groupMemberPattern = (&(objectClass=group)(member=${dn}))

So I'm confused. I don't see why it wouldn't be able to query the
directory. ActiveDirectory is a royal pain in the neck. If someone
manages to get this working right against ActiveDirectory it might be
nice if we could code some defaults into Gerrit and simplify the LDAP
configuration for AD users, like have an "ldap.type ActiveDirectory"
setting or something that picks up the right defaults for the patterns
and attribute names.

Shawn Pearce

Sep 28, 2009, 10:22:47 AM
to repo-d...@googlegroups.com
On Mon, Sep 28, 2009 at 06:21, Anthony <m.b...@gmail.com> wrote:
>> > I also noticed that the "automatic_membership" column isn't referenced
>> > in any of the current Gerrit code. Is this just unused now?
>>
>> No, it is used.
>
> I suppose it doesn't matter much since I know the location of my
> problem, but I really don't think it is being used. I checked out all
> of the Gerrit-related repositories, and there is no reference to it
> anywhere except the update SQL and docs:

It's used, camelCased as a property:

$ git grep -i automaticMembership
src/main/java/com/google/gerrit/client/admin/AccountGroupScreen.java: if (group.isAutomaticMembership()) {
src/main/java/com/google/gerrit/client/reviewdb/AccountGroup.java: protected boolean automaticMembership;
src/main/java/com/google/gerrit/client/reviewdb/AccountGroup.java: public boolean isAutomaticMembership() {
src/main/java/com/google/gerrit/client/reviewdb/AccountGroup.java: return automaticMembership;
src/main/java/com/google/gerrit/client/reviewdb/AccountGroup.java: public void setAutomaticMembership(final boolean auto) {
src/main/java/com/google/gerrit/client/reviewdb/AccountGroup.java: automaticMembership = auto;
src/main/java/com/google/gerrit/server/account/GroupCacheImpl.java: g.setAutomaticMembership(true);
src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java: anonymous.setAutomaticMembership(true);
src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java: registered.setAutomaticMembership(true);
src/main/java/com/google/gerrit/server/ldap/LdapRealm.java: return group.isAutomaticMembership()
src/main/java/com/google/gerrit/server/rpc/account/GroupAdminServiceImpl.java: if (control.getAccountGroup().isAutomaticMembership()) {
src/main/java/com/google/gerrit/server/rpc/account/GroupAdminServiceImpl.java: if (control.getAccountGroup().isAutomaticMembership()) {
src/main/java/com/google/gerrit/server/rpc/account/GroupDetailFactory.java: if (!group.isAutomaticMembership()) {

The name automaticMembership is mapped into the database as
automatic_membership. :-)

Anthony

Sep 25, 2009, 1:11:51 PM
to Repo and Gerrit Discussion
Should "developers" ("name" column) be the "cn" from LDAP?

I get:
2009-09-25 12:00:48,114::WARN : com.google.gerrit.server.ldap.LdapRealm - Group "#ENG - Handset - SW - Product - MANAGERNAME" not found in LDAP.

It seems like LdapRealm.java is trying to load from an attribute
titled "groupName", but I don't think I have that.

I'm using the following to look at the group attributes:
ldapsearch -x -LLL -h ldap.ad.xxx.com -D user...@ad.xxx.com -w readonly -b "dc=ad,dc=xxx,dc=com" -s sub "(&(objectClass=group)(displayName=*MANAGERNAME*))"

It would be useful to have this information near the ldap
configuration in the documentation, imo. I'll try to get some time to
add that later, once I get this working. (Or maybe I just missed it
and it is somewhere else)

Thanks for all your help.

On Sep 25, 11:38 am, Shawn Pearce <s...@google.com> wrote:

Anthony

Sep 25, 2009, 4:58:17 PM
to Repo and Gerrit Discussion
With a slash is what I had tried originally, and it says my pattern is
formatted incorrectly.

I think what may be required is to query for the "memberOf" field for
users instead of querying for groups that that user is a member
of, e.g.:
$ ldapsearch -x -h ldap.ad.xxx.com -D ldap...@ad.xxx.com -w readonly "(CN=LN, FN)" memberOf

will give me all of the groups I'm a member of.

I'm going to try changing this in Gerrit.

Part of the problem is that I've never seen it work correctly, so I'm
probably not looking for the right signs, either. I don't see any
error message from Gerrit, but I don't see any users in the group.

I also noticed that the "automatic_membership" column isn't referenced
in any of the current Gerrit code. Is this just unused now?

On Sep 25, 3:42 pm, Shawn Pearce <s...@google.com> wrote:
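The two-step lookup Shawn describes (find the account's DN, then search for groups whose member attribute equals that DN), the embedded-comma problem, and the memberOf reverse lookup, as an added Python example that is not part of the thread or of Gerrit's own code. It takes the [ldap] patterns posted at the top of the thread, fills in ${username} and ${dn} with RFC 4515 filter escaping (the backslash that the directory returns inside "CN=LASTNAME\, FIRSTNAME" becomes \5c in the filter; a bare "\," is not a valid filter escape, which is consistent with the "formatted incorrectly" error reported above), and renders the equivalent ldapsearch command lines. The host, bind DN, username and DN are constructed sample values, not real accounts.

```python
"""Expand Gerrit's [ldap] patterns into properly escaped LDAP filters.

Added example, not Gerrit's own code. The pattern and base values are
copied from the thread; host, bind DN, username and user DN are
constructed samples.
"""
import re
import shlex

# [ldap] values as posted in the thread.
ACCOUNT_BASE = "DC=ad,DC=xxx,DC=com"
ACCOUNT_PATTERN = "(&(objectClass=person)(sAMAccountName=${username}))"
GROUP_BASE = "DC=ad,DC=xxx,DC=com"
GROUP_MEMBER_PATTERN = "(&(objectClass=group)(member=${dn}))"

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. A DN such as "CN=Last\, First,..." carries a backslash,
# so inside a filter it has to be written "CN=Last\5c, First,...".
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_pattern(pattern, **values):
    """Replace each ${name} in a Gerrit pattern with the escaped value."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("pattern references unknown placeholder ${%s}" % name)
        return escape_filter_value(values[name])
    return _PLACEHOLDER.sub(repl, pattern)


def account_filter(username):
    """Step 1: locate the account entry; its DN is the distinguishedName."""
    return expand_pattern(ACCOUNT_PATTERN, username=username)


def group_member_filter(dn):
    """Step 2: groups whose member attribute holds that DN (Gerrit's direction)."""
    return expand_pattern(GROUP_MEMBER_PATTERN, dn=dn)


def ldapsearch_command(host, bind_dn, base, ldap_filter, *attrs):
    """Render a shell-safe ldapsearch line. -W prompts for the bind password
    instead of leaving it in the process list and shell history."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", "ldap://" + host, "-D", bind_dn,
            "-W", "-b", base, "-s", "sub", ldap_filter, *attrs]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    host, bind_dn = "ldap.ad.xxx.com", "user@ad.xxx.com"  # constructed
    user = "LASTNAME"                                       # constructed
    dn = "CN=LASTNAME\\, FIRSTNAME,OU=Users,OU=FOO,DC=ad,DC=xxx,DC=com"  # constructed
    print(ldapsearch_command(host, bind_dn, ACCOUNT_BASE, account_filter(user), "distinguishedName"))
    print(ldapsearch_command(host, bind_dn, GROUP_BASE, group_member_filter(dn), "cn"))
    # Reverse direction discussed in the thread: read memberOf off the user entry.
    print(ldapsearch_command(host, bind_dn, ACCOUNT_BASE, account_filter(user), "memberOf"))
```

Run it and paste the printed lines into a shell; the first returns the user's DN, the second the groups that list that DN as a member, and the third the user's memberOf values for comparison. Because every substituted value is escaped before it enters the filter, the same expansion is also what a server-side implementation of ldap.accountPattern should do with a username taken from an HTTP header: the metacharacters in the value can never change which entries the query matches.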

Shawn Pearce

Sep 25, 2009, 5:07:27 PM
to repo-d...@googlegroups.com
On Fri, Sep 25, 2009 at 13:58, Anthony <m.b...@gmail.com> wrote:
> I think what may be required is to query for the "memberOf" field for
> users instead of querying for groups that that user is a member
> of, e.g.:
> $ ldapsearch -x -h ldap.ad.xxx.com -D ldap...@ad.xxx.com -w readonly "(CN=LN, FN)" memberOf
>
> will give me all of the groups I'm a member of.
>
> I'm going to try changing this in Gerrit.

Stupid ActiveDirectory. OK, yea, if we need to query memberOf in the
user account then it's going to take a code change in LdapRealm.
Hopefully we can support either query direction.

> Part of the problem is that I've never seen it work correctly, so I'm
> probably not looking for the right signs, either. I don't see any
> error message from Gerrit, but I don't see any users in the group.

Well, there's no real error, Gerrit is issuing the query, getting 0
results back, and assumes that you aren't a member of a group. Sure,
it's an error, because you know you are in at least one group, but as
far as ActiveDirectory claims to Gerrit, you aren't. :-(

> I also noticed that the "automatic_membership" column isn't referenced
> in any of the current Gerrit code. Is this just unused now?

No, it is used. It's used in the UI to decide to show the LDAP
property data below a group, rather than the group's users, and it's
used in LdapRealm to decide if the group should really be assumed to
be an LDAP group, or is a group within Gerrit.

Anthony

Sep 28, 2009, 9:21:59 AM
to Repo and Gerrit Discussion
On Sep 25, 4:07 pm, Shawn Pearce <s...@google.com> wrote:
> On Fri, Sep 25, 2009 at 13:58, Anthony <m.bn...@gmail.com> wrote:
> > I think what may be required is to query for the "memberOf" field for
> > users instead of querying for groups that that user is a member
> > of, e.g.:
> > $ ldapsearch -x -h ldap.ad.xxx.com -D ldapu...@ad.xxx.com -w readonly "(CN=LN, FN)" memberOf
>
> > will give me all of the groups I'm a member of.
>
> > I'm going to try changing this in Gerrit.
>
> Stupid ActiveDirectory. OK, yea, if we need to query memberOf in the
> user account then it's going to take a code change in LdapRealm.
> Hopefully we can support either query direction.

Ticket created: http://code.google.com/p/gerrit/issues/detail?id=283&colspec=ID%20Type%20Status%20Priority%20Owner%20Summary

>
> > Part of the problem is that I've never seen it work correctly, so I'm
> > probably not looking for the right signs, either. I don't see any
> > error message from Gerrit, but I don't see any users in the group.
>
> Well, there's no real error, Gerrit is issuing the query, getting 0
> results back, and assumes that you aren't a member of a group. Sure,
> it's an error, because you know you are in at least one group, but as
> far as ActiveDirectory claims to Gerrit, you aren't. :-(
>
> > I also noticed that the "automatic_membership" column isn't referenced
> > in any of the current Gerrit code. Is this just unused now?
>
> No, it is used. It's used in the UI to decide to show the LDAP
> property data below a group, rather than the group's users, and it's
> used in LdapRealm to decide if the group should really be assumed to
> be an LDAP group, or is a group within Gerrit.

I suppose it doesn't matter much since I know the location of my
problem, but I really don't think it is being used. I checked out all
of the Gerrit-related repositories, and there is no reference to it
anywhere except the update SQL and docs:

$ ls
executablewar gerrit gerrit-contactstore gerrit-keyapplet
gwtexpui gwtjsonrpc gwtorm svn

$ grep -i automatic_membership **/*
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_mysql.sql:ALTER TABLE account_groups ADD automatic_membership CHAR(1);
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_mysql.sql:UPDATE account_groups SET automatic_membership = 'N';
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_mysql.sql:ALTER TABLE account_groups MODIFY automatic_membership CHAR(1) NOT NULL;
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_mysql.sql:UPDATE account_groups SET automatic_membership = 'Y'
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_mysql.sql:UPDATE account_groups SET automatic_membership = 'Y'
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_postgres.sql:ALTER TABLE account_groups ADD automatic_membership CHAR(1);
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_postgres.sql:UPDATE account_groups SET automatic_membership = 'N';
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_postgres.sql:ALTER TABLE account_groups ALTER COLUMN automatic_membership SET DEFAULT 'N';
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_postgres.sql:ALTER TABLE account_groups ALTER COLUMN automatic_membership SET NOT NULL;
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_postgres.sql:UPDATE account_groups SET automatic_membership = 'Y'
gerrit/src/main/webapp/WEB-INF/sql/upgrade012_013_postgres.sql:UPDATE account_groups SET automatic_membership = 'Y'
svn/wiki/ReleaseNotes2_0_19.wiki: WHERE automatic_membership = 'Y');