Running against the gerrit 2.10 release, authenticating via corporate LDAP, using a mysql backend.
Original scenario: trying to upload a huge number of account ssh-keys from gitolite for the purpose of importing from gitolite to gerrit.
Secondary scenario: trying to upload a patch with immediate reviewer-add to an as-of-yet unregistered LDAP user.
I note that if you create accounts via
ssh [...] gerrit create-account ldap-user-id --key ssh-public-key --full-name "first last" --email first...@company.com
or even with only the ldap-user-id and no additional options, the command succeeds, but gerrit does not allow the user to log in.
Inspecting the database, the account does get created, but with account_external_ids.external_id as 'username:id' rather than 'gerrit:id', which appears to be required to let gerrit know the account is ldap-related.
Is there any way to tell gerrit that this account should auth against ldap, and not be local, which is presumably what it is doing?
Additionally, if a user pushes to gerrit with a destination such as refs/publish/master%r=currently.u...@email.account, then sometimes this works fine, and sometimes we get
which persists until the user first logs in (or an admin pre-registers the user by calling create-user and then afterwards hacking the mysql DB to change the username:id to gerrit:id, as mentioned above). Our list of users in ldap is not that big (mid thousands). We note that the single-user plugin has similar issues, with user/xxx (by any of user-id, name or email) refusing to work for some unregistered users, whilst working fine (even auto-completing) for others.
The only sure-fire way to register a user seems to be to go to the gerrit UI and add the user by user-id to a group. This also works with ssh set-members, which, when given an unregistered id, will create the user as a known ldap one, regardless of whether it was 'visible' to the single-user plugin's completion set (and/or git push's auto-add reviewer) or not.
So tl;dr: what is the suggested way to programmatically register ldap user accounts in gerrit to avoid buggy behaviour on push, and/or to pre-register ssh keys?
Also, should create-account (ssh and/or rest) be modified to take a switch such as --auth-type=internal/ldap/oauth/another-type?
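As an added illustration of the manual database fix-up the post describes (changing the 'username:id' external id to 'gerrit:id'), here is the check-then-update sequence an admin would run against the ReviewDb. This is example SQL written for this page, not code from the original post or from the Gerrit project. It assumes the Gerrit 2.x ReviewDb schema, where account_external_ids has the columns account_id, email_address, password and external_id, and uses a hypothetical LDAP username 'jdoe'.

```sql
-- Added example (not from the original post or the Gerrit project).
-- Assumes the Gerrit 2.x ReviewDb schema and a hypothetical LDAP
-- username 'jdoe'.

-- 1. Inspect what create-account produced for this user. Expect exactly one
--    'username:jdoe' row and no 'gerrit:jdoe' row. external_id is the
--    primary key of this table, so a pre-existing 'gerrit:jdoe' row would
--    make the update below fail with a duplicate-key error.
SELECT account_id, external_id, email_address
  FROM account_external_ids
 WHERE external_id IN ('username:jdoe', 'gerrit:jdoe');

-- 2. Rewrite the scheme from 'username:' to 'gerrit:' so Gerrit treats the
--    account as LDAP-backed. Run inside a transaction so the change can be
--    rolled back if the affected-row count is not exactly 1.
START TRANSACTION;

UPDATE account_external_ids
   SET external_id = 'gerrit:jdoe'
 WHERE external_id = 'username:jdoe';

-- Must report 1; anything else means the SELECT in step 1 was misread.
SELECT ROW_COUNT();

-- COMMIT only if ROW_COUNT() was 1, otherwise ROLLBACK.
COMMIT;

-- 3. Confirm the account now carries only the LDAP-style external id.
SELECT account_id, external_id
  FROM account_external_ids
 WHERE account_id = (SELECT account_id
                       FROM account_external_ids
                      WHERE external_id = 'gerrit:jdoe');
```

Gerrit caches account and external-id lookups, so after committing the change, flush the cache (for example `ssh -p 29418 gerrit-host gerrit flush-caches --cache accounts`, or `--all`) or the running server will keep serving the stale 'username:' mapping until restart. Direct edits to ReviewDb bypass Gerrit's own consistency checks, so keep a backup of the table before running step 2; the post's other finding, that `gerrit set-members` registers an unregistered LDAP id correctly, avoids touching the database at all.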