LDAP group support in 2.5


Will Saxon

Sep 19, 2012, 3:33:33 PM
to repo-d...@googlegroups.com
We're looking at the changes in 2.5 and have set up a test system to run schema upgrades, etc. We're confused about the LDAP changes removing LDAP groups from the UI. When we try to add access rules for a project based on group, it doesn't seem to accept any LDAP groups at all. We've tried the plain name and the distinguished name; neither works.

Here is our configuration:

[gerrit]
        basePath = /var/lib/git-test
        canonicalWebUrl = http://gerrit.domain.com/gerrit-test
[database]
        type = MYSQL
        hostname = localhost
        database = reviewdb_test
        username = gerrit2
        poolLimit = 32
        poolMinIdle = 16
        poolMaxIdle = 16
        poolMaxWait = 6s
[auth]
        type = HTTP_LDAP
        httpHeader = REMOTE_USER
[sendemail]
        smtpServer = smtprelay.domain.com
        smtpUser = root
[sshd]
        listenAddress = *:29419
[cache]
        directory = cache
[download]
        scheme = ssh
[ldap]
        server = ldap://domain.com
        username = CN=LDAP,OU=Service Accounts,DC=domain,DC=com
        accountBase = DC=domain,DC=com
        accountScope = sub
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = sAMAccountName
        accountMemberField = memberOf
        accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
        groupBase = DC=mmrd,DC=com
        groupName = cn
        groupScope = sub
        localUsernameToLowerCase = true

This all works correctly w/ 2.4.2. What are we doing wrong?

-Will

Will Saxon

Sep 19, 2012, 4:03:38 PM
to repo-d...@googlegroups.com
We looked in the code, evidently it's "ldap/name" now.

Joe Hansche

Sep 20, 2012, 12:53:47 PM
to repo-d...@googlegroups.com

On Wednesday, September 19, 2012 4:03:38 PM UTC-4, Will Saxon wrote:
We looked in the code, evidently it's "ldap/name" now.

What is "ldap/name" now?  Do you mean the "ldap.server" config key has been updated to "ldap.name"?  Can you elaborate on what you did to fix this?

Shawn Pearce

Sep 23, 2012, 1:29:16 PM
to Joe Hansche, repo-discuss
On Thu, Sep 20, 2012 at 9:53 AM, Joe Hansche <jhan...@meetme.com> wrote:
> On Wednesday, September 19, 2012 4:03:38 PM UTC-4, Will Saxon wrote:
>>
>> We looked in the code, evidently it's "ldap/name" now.
>
>
> What is "ldap/name" now?

The name of the group in the UI. If you want to complete an LDAP group
in the web UI, you need to prefix the group name with the string
"ldap/". So if I have a group in LDAP called "Developers" I can
complete it by typing "ldap/De" and watching Gerrit suggest the name.

Group backends are supposed to use unique prefixes like ldap/ to
isolate the namespaces. For example we have a "google/" one on
gerrit.googlesource.com that works with Google Groups.
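An added example (not Gerrit's own code, and not from anyone in this thread) that models the namespacing Shawn describes: a bare name only ever reaches the internal backend, "ldap/" routes completion and lookup to the LDAP backend, and a group called "Developers" in two backends stays two distinct identities in an access rule. The group directory, the "google/" backend and the UUID formats are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GroupRef:
    backend: str  # backend that owns the group
    name: str     # display name within that backend
    uuid: str     # stable identifier an access rule would store


# Constructed directory: the empty prefix is the internal backend; external
# backends are addressed by a "<prefix>/" namespace (identifier formats assumed).
BACKENDS: Dict[str, List[GroupRef]] = {
    "": [GroupRef("internal", "Developers", "global:0001"),
         GroupRef("internal", "Administrators", "global:0002")],
    "ldap/": [GroupRef("ldap", "Developers", "ldap:CN=Developers,OU=Groups,DC=example,DC=com"),
              GroupRef("ldap", "Deployers", "ldap:CN=Deployers,OU=Groups,DC=example,DC=com")],
    "google/": [GroupRef("google", "Developers", "google:developers@example.com")],
}


def split_namespace(typed: str) -> Tuple[str, str]:
    """Return (prefix, remainder); longest prefix wins, "" means internal."""
    for prefix in sorted(BACKENDS, key=len, reverse=True):
        if prefix and typed.startswith(prefix):
            return prefix, typed[len(prefix):]
    return "", typed


def suggest(typed: str) -> List[str]:
    """Completion as in the web UI: only the addressed backend is searched."""
    prefix, partial = split_namespace(typed)
    return [prefix + g.name for g in BACKENDS[prefix]
            if g.name.lower().startswith(partial.lower())]


def resolve(full_name: str) -> Optional[GroupRef]:
    """Exact lookup for an access rule; a bare name or DN never reaches LDAP."""
    prefix, name = split_namespace(full_name)
    matches = [g for g in BACKENDS[prefix] if g.name == name]
    return matches[0] if len(matches) == 1 else None
```

Typing the plain name or the distinguished name, as in the first post, resolves against the internal backend only, which is why neither matched an LDAP group.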