Gerrit with LDAP authentication


jo...@norricorp.f9.co.uk

Jan 6, 2015, 6:07:21 AM1/6/15
to repo-d...@googlegroups.com
Hi,
I am working through the Gerrit book by Luca Milanesio and have set up an OpenLDAP server with phpldapadmin for an admin front end.
When I look at my entry using ldapsearch I get
# jnorris, users, mint16
dn: cn=jnorris,ou=users,dc=mint16
cn: jnorris
givenName: John
gidNumber: 500
homeDirectory: /home/users/jnorris
sn: Norris
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: jnorris

And if I sign into gerrit with jnorris and my password, it authenticates me. (As an aside, if I use "fred" then I get invalid username/password, which is good.)
But I am an "Anonymous Coward" and if I go to settings then
Username: jnorris
Full Name:
Email Address:
Registered: Jan 6, 2015 10:51 AM
Account ID: 2

So it is not picking up cn or sn values or the email address ("mail" attribute - not shown above).

Any ideas what I am doing wrong?

Regards,
John

Luca Milanesio

Jan 6, 2015, 7:09:42 AM1/6/15
to jo...@norricorp.f9.co.uk, repo-d...@googlegroups.com
Hi John,
Gerrit gives you the “Anonymous Coward” (some people get offended by this “assigned” name … but it is configurable :-) to something more “politically correct”) when the real identity (full name / e-mail) cannot be retrieved from LDAP.

In your case I don’t see in your LDAP record the following attributes:
- displayName
- mail

You need the full name / e-mail when using Git … and thus with Gerrit as well :-)

HTH

Luca.

More info at http://groups.google.com/group/repo-discuss?hl=en
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

jo...@norricorp.f9.co.uk

Jan 6, 2015, 7:53:58 AM1/6/15
to repo-d...@googlegroups.com, jo...@norricorp.f9.co.uk

Hi Luca,
So adding DisplayName worked, but adding mail is not reflected in the settings within gerrit.

# jnorris, users, mint16
dn: cn=jnorris,ou=users,dc=mint16
cn: jnorris
givenName: John
gidNumber: 500
homeDirectory: /home/users/jnorris
sn: Norris
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: jnorris
mail: john@.................
displayName: John Norris

So though mail is in LDAP, it is not seen in settings.
Regards,
John

Luca Milanesio

Jan 6, 2015, 8:26:11 AM1/6/15
to jo...@norricorp.f9.co.uk, repo-d...@googlegroups.com
Try to destroy the Gerrit DB, re-init and then login with LDAP again.
It is possible that, as the first time the user was provisioned the e-mail had not been populated, it is then added only as a secondary identity.

HTH.

Luca.

jo...@norricorp.f9.co.uk

Jan 6, 2015, 8:43:16 AM1/6/15
to repo-d...@googlegroups.com, jo...@norricorp.f9.co.uk
Hi Luca,
I created another user in LDAP with the mail and displayname attributes. Then logged into gerrit with this user and it worked fine.
Do not want to delete the gerrit db - I do think that is unacceptable in a product just to make a small change.
Many thanks for your help.
Regards,
John


lucamilanesio

Jan 6, 2015, 9:08:58 AM1/6/15
to repo-d...@googlegroups.com, jo...@norricorp.f9.co.uk
Glad that worked: let me explain what happened :-)

Gerrit provisions the user in the accounts table the very first time you login through LDAP, using the settings found at that point.
The main account identifier is associated with a set of "external" identifiers, which include your email found in LDAP.

Account settings are typically editable: should you then need to change your e-mail, you can easily do so via the Gerrit GUI without having to destroy and re-create the Gerrit DB :-)

The problem with LDAP is that, for security reasons, the e-mail editing is blocked and can be populated *ONLY* through LDAP attribute changes. When you change your e-mail on LDAP (or insert one), an "external identity" is created and associated with your account. You can then only "select" from the GUI which one is the main one ... choosing from one of those that have been imported from LDAP.

That's the current behaviour ... but it can be changed if it doesn't make sense :-) ... just contribute your patch ;-)

P.S. The entire authentication backend will go through a refactoring which will make the authentication pluggable: once that is done you could be free to customise the LDAP authentication and implement your own logic, without having to branch Gerrit.

Makes sense?

Luca.
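Luca's two answers above describe which LDAP attributes Gerrit reads when it provisions an account on first login, and why a record without displayName or mail ends up as "Anonymous Coward". As an added example (not code from this thread or from the Gerrit project), here is a Python pre-flight check that parses the LDIF printed by ldapsearch and reports which of those attributes are missing before the first login creates the account. The two LDIF records and the e-mail address in them are constructed; the attribute names follow Gerrit's default ldap.accountUserName / ldap.accountFullName / ldap.accountEmailAddress mappings (uid, displayName, mail).

```python
"""Pre-flight check of ldapsearch LDIF output for the attributes Gerrit reads
on first LDAP login. Added example, not code from the thread or from Gerrit."""
from collections import defaultdict

# Attributes Gerrit's LDAP backend reads by default: ldap.accountUserName
# (uid), ldap.accountFullName (displayName), ldap.accountEmailAddress (mail).
REQUIRED = {"uid": "username", "displayName": "full name", "mail": "e-mail"}

# Constructed LDIF modelled on the first post's record: no displayName, no mail.
LDIF_BEFORE = """\
# jnorris, users, mint16
dn: cn=jnorris,ou=users,dc=mint16
sn: Norris
objectClass: inetOrgPerson
uid: jnorris
"""
# Constructed LDIF modelled on the later record, with both attributes added.
LDIF_AFTER = LDIF_BEFORE + "mail: jnorris@example.invalid\ndisplayName: John Norris\n"

def parse_ldif(text):
    """Parse LDIF into a list of entries (dict: lowercased attr -> [values]).
    Handles comments, folded lines (leading space) and blank-line separators."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line ends the current entry
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")   # base64 ("::") values kept raw
            if current is None:
                current = defaultdict(list)
            current[attr.strip().lower()].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries

def missing_gerrit_attributes(entry):
    """Names of REQUIRED attributes that are absent or empty in one entry."""
    return sorted(a for a in REQUIRED if not any(entry.get(a.lower(), [])))

def check_ldif(text):
    """Map each dn to its missing attributes; [] means a full identity on first login."""
    return {e["dn"][0]: missing_gerrit_attributes(e)
            for e in parse_ldif(text) if e.get("dn")}
```

Run it against the real `ldapsearch` output for a user before that user's first Gerrit login; an empty list for the dn means the account will be created with username, full name and e-mail populated.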

Alex Blewitt

Jan 6, 2015, 9:09:32 AM1/6/15
to jo...@norricorp.f9.co.uk, repo-d...@googlegroups.com
You can always update the database manually if you want to fix the problem. 

Sent from my iPhat 6

lucamilanesio

Jan 6, 2015, 11:16:15 AM1/6/15
to repo-d...@googlegroups.com, jo...@norricorp.f9.co.uk
Yep, tables are:
accounts, account_external_ids

Looking forward to the DB going away altogether anyway ;-)

Luca.