how to create ldap-type group and pull in all membership?


Ping Yin

Apr 8, 2014, 1:03:28 PM
to repo-discuss
In an old version of Gerrit (maybe 2.2), when creating a group, I could choose
to create an LDAP-type group which would pull membership from LDAP.
However, in 2.9-rc1 there is no such option; I can only create an
ordinary group.

Is this feature disabled? Or is there something wrong with my config? I
think I already set the right
ldap.groupBase/groupPattern/groupMemberPattern

my config

[auth]
type = LDAP
[ldap]
server = ldap://ldap.server.com

accountBase = ou=people,dc=example,dc=com
accountPattern = (&(objectClass=person)(uid=${username}))
accountFullName = displayName
accountEmailAddress = mail

groupBase = ou=groups,dc=example,dc=com
groupPattern = (cn=${groupname})
groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))

Ping Yin

Shawn Pearce

Apr 8, 2014, 3:53:07 PM
to Ping Yin, repo-discuss
On Tue, Apr 8, 2014 at 10:03 AM, Ping Yin <pkuf...@gmail.com> wrote:
>
> In an old version of Gerrit (maybe 2.2), when creating a group, I could choose
> to create an LDAP-type group which would pull membership from LDAP.
> However, in 2.9-rc1 there is no such option; I can only create an
> ordinary group.

You don't make a group anymore. Instead just start using it in the
access panel, prefixed by "ldap/". For example "ldap/Developers" if
you have a Developers group in your directory server.

Ping Yin

Apr 9, 2014, 4:27:18 AM
to Shawn Pearce, repo-discuss
Thanks. Is this described in the document? I don't find it in the document.
Ping Yin

Shawn Pearce

Apr 9, 2014, 12:57:47 PM
to Ping Yin, repo-discuss
Which document? It was probably in a release note somewhere.

Edwin Kempin

Apr 9, 2014, 4:27:45 PM
to Shawn Pearce, Ping Yin, repo-discuss
2014-04-09 18:57 GMT+02:00 Shawn Pearce <s...@google.com>:
> Which document? It was probably in a release note somewhere.
Yes, it's in the 2.5 release notes. A bit hard to find, as it is the last point in the 'Miscellaneous' section [1]:
"Abstract group systems into GroupBackend interface

Group backends are supposed to use unique prefixes to isolate the namespaces. E.g. the group backend for LDAP is using ldap/ as prefix for the group names.

This means that to refer to an LDAP group in the WebUI the group name needs to be prefixed with the ldap/ string. E.g. if there is a group in LDAP which is called "Developers", Gerrit will suggest this group when the user types ldap/De."


[1] https://gerrit-documentation.storage.googleapis.com/ReleaseNotes/ReleaseNotes-2.5.html#_miscellaneous

Ping Yin

Apr 9, 2014, 10:30:32 PM
to Shawn Pearce, repo-discuss
On Thu, Apr 10, 2014 at 12:57 AM, Shawn Pearce <s...@google.com> wrote:
> Which document? It was probably in a release note somewhere.
>

I mean the official documentation, not the release notes. I did not read
through all the release notes from 2.2 to 2.9.

I found a bit info in the access control section

LDAP groups are Account Groups that are maintained inside of your LDAP
instance. If you are using LDAP to manage your groups they will not
appear in the Groups list. However you can use them just like regular
Account Groups by prefixing your group with "ldap/" in the Access
Control for a project. For example "ldap/foo-project" will add the
LDAP "foo-project" group to the access list.

Ping Yin

Apr 9, 2014, 10:35:06 PM
to Edwin Kempin, Shawn Pearce, repo-discuss

On Thu, Apr 10, 2014 at 4:27 AM, Edwin Kempin <edwin....@gmail.com> wrote:
>
>
>
> 2014-04-09 18:57 GMT+02:00 Shawn Pearce <s...@google.com>:
>
>> Which document? It was probably in a release note somewhere.
>
> Group backends are supposed to use unique prefixes to isolate the
> namespaces. E.g. the group backend for LDAP is using ldap/ as prefix for the
> group names.
>
> This means that to refer to an LDAP group in the WebUI the group name needs
> to be prefixed with the ldap/ string. E.g. if there is a group in LDAP which
> is called "Developers"

Can I add an LDAP group to an internal Gerrit group to support nested
groups? Or does Gerrit support nested LDAP groups?


>
> [1]
> https://gerrit-documentation.storage.googleapis.com/ReleaseNotes/ReleaseNotes-2.5.html#_miscellaneous
>

All the release note URLs in https://code.google.com/p/gerrit/ are 404 Not Found.

Shawn Pearce

Apr 9, 2014, 10:36:51 PM
to Ping Yin, Edwin Kempin, repo-discuss
On Wed, Apr 9, 2014 at 7:35 PM, Ping Yin <pkuf...@gmail.com> wrote:
> Can I add an LDAP group to an internal Gerrit group to support nested
> groups? Or does Gerrit support nested LDAP groups?

Yes. Gerrit supports both. :-)

You can add an LDAP group to a Gerrit group to get nested groups.

Gerrit should expand nested LDAP groups from your LDAP directory
server to include the full closure of groups for each user.

Ping Yin

Apr 10, 2014, 12:42:00 PM
to Shawn Pearce, Edwin Kempin, repo-discuss
Wow, that's awesome. Thanks.

Ping Yin

Jul 2, 2014, 10:47:31 PM
to Shawn Pearce, Edwin Kempin, repo-discuss
Does anyone have experience making nested LDAP groups work? My
configuration doesn't work.

[ldap]
server = ldaps://ldap.example.com
sslVerify = false   # disables TLS certificate verification on the ldaps connection

accountBase = ou=people,dc=example,dc=com
accountPattern = (&(objectClass=person)(uid=${username}))
accountFullName = displayName
accountEmailAddress = mail

groupBase = ou=groups,dc=example,dc=com
groupPattern = (cn=${groupname})
groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))
username = uid=ldapuser,ou=people,dc=example,dc=com

The LDAP hierarchy is as follows

cn=data,ou=groups,dc=example,dc=com
cn=data-arch,ou=groups,dc=example,dc=com
uid=yinping,ou=people,dc=example,dc=com

It's OK to use ldap/data-arch for access control, but not OK when
using ldap/data.

How can I diagnose this problem? Is there any way to list all LDAP members of ldap/data?
Ping Yin

Zu, Bruce

Jul 3, 2014, 12:43:03 AM
to Ping Yin, Shawn Pearce, Edwin Kempin, repo-discuss
Run
ldapsearch -b "ou=groups,dc=example,dc=com" -s sub "(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn=data))" objectClass

to see if the objectClass attributes of 'data' include 'groupOfNames'

/Bruce

Zu, Bruce

Jul 3, 2014, 12:50:44 AM
to Ping Yin, Shawn Pearce, Edwin Kempin, repo-discuss
You can also try

ldapsearch -b "ou=groups,dc=example,dc=com" -s sub "(member:1.2.840.113556.1.4.1941:=uid=yinping,ou=people,dc=example,dc=com)" cn

but the feature 'member:1.2.840.113556.1.4.1941:' is limited to some versions of Active Directory.

Ping Yin

Jul 3, 2014, 1:12:24 AM
to Zu, Bruce, Shawn Pearce, Edwin Kempin, repo-discuss
Thanks. Sorry, I was not clear. I want to list all members of ldap/data
with a Gerrit command, not with an LDAP command, to see whether Gerrit has
flattened the whole LDAP hierarchy.
Ping Yin

Zu, Bruce

Jul 3, 2014, 1:28:38 AM
to Ping Yin, Shawn Pearce, Edwin Kempin, repo-discuss
> It's ok to use ldap/data-arch for access control, but not ok when using ldap/data

I think this is your question. I understood that you want to know why the membership of 'uid=yinping' does not include 'data'.

OK, about 'list all members of ldap/data': currently Gerrit does not provide such a feature.

/Bruce

Zu, Bruce

Jul 3, 2014, 1:35:44 AM
to Zu, Bruce, Ping Yin, Shawn Pearce, Edwin Kempin, repo-discuss
> cn=data,ou=groups,dc=example,dc=com
> cn=data-arch,ou=groups,dc=example,dc=com
> uid=yinping,ou=people,dc=example,dc=com
>

By the way, the LDAP membership of a given user in Gerrit supports nested group cases.
That is to say, here the membership of 'uid=yinping' will be
'data-arch' and 'data' if the 'groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))' is right.
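To make concrete what Shawn and Bruce describe above (Gerrit re-running groupMemberPattern with ${dn} bound to each group it finds until the closure is complete), here is an added example that is not Gerrit's code and not from anyone in the thread. It builds a constructed in-memory directory with the posted DNs (yinping in data-arch, data-arch in data), a tiny evaluator for the LDAP filter subset used in the thread, and a resolve_groups() that performs that expansion with the posted groupBase and groupMemberPattern. It also shows one plausible cause of the reported symptom: if cn=data were a groupOfUniqueNames with uniqueMember, the pattern (&(objectClass=groupOfNames)(member=${dn})) matches data-arch but never data, which is exactly what Bruce's objectClass check would reveal. The filter evaluator, the in-memory directory and the assumed groupOfUniqueNames misconfiguration are all assumptions of this example; the real Gerrit implementation is not reproduced.

```python
"""Nested-group expansion as described in the thread, modelled offline.

Added example, not Gerrit code: a constructed in-memory directory plus a
tiny LDAP filter evaluator, so it runs without a directory server.  DNs and
[ldap] settings are copied from the posted configuration and hierarchy.
"""

# Constructed directory: DN -> attributes (attribute names lower-cased,
# values as lists).  yinping is a direct member of data-arch, which is in
# turn a member of data, exactly as in the posted hierarchy.
DIRECTORY = {
    "uid=yinping,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["yinping"]},
    "cn=data-arch,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["data-arch"],
        "member": ["uid=yinping,ou=people,dc=example,dc=com"]},
    "cn=data,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["data"],
        "member": ["cn=data-arch,ou=groups,dc=example,dc=com"]},
}

# Copied from the posted [ldap] section.
GROUP_BASE = "ou=groups,dc=example,dc=com"
GROUP_MEMBER_PATTERN = "(&(objectClass=groupOfNames)(member=${dn}))"


def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: (&...), (|...), (attr=value)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, kids = text[i], i + 1, []
            while text[i] == "(":
                kid, i = parse(i)
                kids.append(kid)
            if text[i] != ")":
                raise ValueError("expected ')' at %d" % i)
            return (op, kids), i + 1
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")  # split on first '=' so a DN value stays whole
        return ("=", attr.lower(), value), j + 1
    tree, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(base, filt, directory=DIRECTORY):
    """Subtree search under `base`; returns the matching DNs."""
    tree = parse_filter(filt)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and matches(tree, entry)]


def resolve_groups(user_dn, directory=DIRECTORY):
    """Transitive closure of a user's groups, the expansion Shawn describes:
    run groupMemberPattern with ${dn} bound to the user, then with ${dn}
    bound to each group found, until no new group appears.  Returns the names
    spelled as they are used in the access panel (ldap/<cn>).  A real client
    must escape the substituted DN per RFC 4515; these DNs contain no special
    characters, so this toy skips that step."""
    seen, queue = set(), [user_dn]
    while queue:
        dn = queue.pop()
        for group_dn in search(GROUP_BASE,
                               GROUP_MEMBER_PATTERN.replace("${dn}", dn),
                               directory):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return sorted("ldap/" + directory[g]["cn"][0] for g in seen)


def broken_directory():
    """Assumed misconfiguration: same hierarchy, but cn=data is a
    groupOfUniqueNames holding data-arch in uniqueMember.  groupMemberPattern
    only matches groupOfNames/member, so the chain stops at data-arch, which
    is the symptom reported in the thread (ldap/data-arch works, ldap/data does not)."""
    d = {dn: dict(e) for dn, e in DIRECTORY.items()}
    d["cn=data,ou=groups,dc=example,dc=com"] = {
        "objectclass": ["groupOfUniqueNames"], "cn": ["data"],
        "uniquemember": ["cn=data-arch,ou=groups,dc=example,dc=com"]}
    return d


if __name__ == "__main__":
    user = "uid=yinping,ou=people,dc=example,dc=com"
    print("good directory:  ", resolve_groups(user))
    print("broken directory:", resolve_groups(user, broken_directory()))
    # Bruce's check: which objectClass does cn=data actually carry?
    for g in search(GROUP_BASE, "(cn=data)", broken_directory()):
        print(g, "->", broken_directory()[g]["objectclass"])
```

Running it prints the full closure for the good directory and only ldap/data-arch for the broken one. The same two checks translate to a live server: confirm with ldapsearch that every group in the chain has the objectClass and the member attribute your groupMemberPattern names, since the expansion only follows the edges that pattern can match.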

Ping Yin

Jul 4, 2014, 1:01:36 AM
to Zu, Bruce, Shawn Pearce, Edwin Kempin, repo-discuss
On Thu, Jul 3, 2014 at 1:35 PM, Zu, Bruce <Bruc...@sonymobile.com> wrote:
>> cn=data,ou=groups,dc=example,dc=com
>> cn=data-arch,ou=groups,dc=example,dc=com
>> uid=yinping,ou=people,dc=example,dc=com
>>
>
> By the way, the LDAP membership of a given user in Gerrit supports nested group cases.
> That is to say, here the membership of 'uid=yinping' will be
> 'data-arch' and 'data' if the 'groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))' is right.
>

Thanks. Yes, Shawn confirmed this nested LDAP group feature in this
thread, but it just doesn't work for me. There is no easy way to know
whether there is a bug in Gerrit or in my configuration.
So I gave my LDAP and Gerrit configuration in my question to ask for help.

Ping Yin

Jul 4, 2014, 1:02:24 AM
to Zu, Bruce, Shawn Pearce, Edwin Kempin, repo-discuss
My Gerrit version is 2.9-rc2.
Ping Yin