Gerrit switch from LDAP to AD but no groups are loaded


Barry Benowitz

Jun 1, 2018, 11:38:50 AM
to Repo and Gerrit Discussion
Hi all,
I just switched my Gerrit to use AD instead of LDAP and to use the AD groups. I can log in through http via AD but I don't see the groups getting populated from the AD list. Where can I look in the code to see if the groups are coming in and what they are?


Here is the snippet of etc/gerrit.config:

   server = ldap://adappspdc.cable.comcast.com:3268/
   accountBase = dc=cable,dc=comcast,dc=com
   groupBase = ou=Reference Development Kit Groups,ou=Enterprise Application Groups,dc=cable,dc=comcast,dc=com
   accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
   #accountFullName = displayName
   accountFullName = ${givenName} ${SN}
   accountEmailAddress = mail
   #accountMemberField = (member=${username})
   accountMemberField = memberOf
   fetchMemberOfEagerly = true
   #groupPattern = (&(objectClass=group)(cn=${username}))
   groupMemberPattern =
   groupPattern = (&(objectClass=group)(cn=${groupname}))
   #groupPattern = (cn=${groupname})
   accountSshUserName = sAMAccountName
   username = cn=rdkldap01,ou=Service Accounts,ou=Corporate,dc=cable,dc=comcast,dc=com

Alon Bar-Lev

Jun 1, 2018, 4:18:38 PM
to barry.b...@gmail.com, Repo and Gerrit Discussion
Hi,
Please try to remove all statements and leave only the following. The Active
Directory driver should be detected automatically and queries will be
adjusted. After it works, you can tweak it to your explicit needs.
Regards,
Alon

---

[ldap]
server = ldaps://dc1.domain.com ldaps://dc2.domain.com
username = ger...@domain.com
accountBase = DC=domain,DC=com
groupBase = DC=domain,DC=com
accountFullName = displayName
localUsernameToLowerCase = true
> --
> --
> To unsubscribe, email repo-discuss...@googlegroups.com
> More info at http://groups.google.com/group/repo-discuss?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Barry Benowitz

Jun 2, 2018, 12:06:33 PM
to Repo and Gerrit Discussion
These settings make no difference. I can log in, but I don't see my groups listed under settings->groups. I would love to dig into the code and trace through what it is doing. Where is a good starting point for that?

Alon Bar-Lev

Jun 2, 2018, 1:19:54 PM
to barry.b...@gmail.com, Repo and Gerrit Discussion
Hi,
You should not see the ldap groups in settings->groups, but assign
ldap group using the convention of ldap/<name of group> whenever a
group can be specified in gerrit.
In my installation I do not have any group at settings->groups, I use
only ldap group assignment to projects.
Alon

Doug Luedtke

Jun 4, 2018, 1:39:31 PM
to Repo and Gerrit Discussion
Also, if a user is not a member of the ldap group, then they will not be able to see the group when it is used in any Gerrit internal groups. We get around that by making an internal Gerrit group and then adding the ldap group to it using what Alon Bar-Lev mentioned. The Gerrit group description should also explain that it is mapped to the ldap group, as not every user will be able to see it as a member.

Barry Benowitz

Jun 5, 2018, 1:57:01 PM
to Doug Luedtke, Repo and Gerrit Discussion
I just noticed that while the groups are the same, the ldap id is different from the AD id. Could this be causing an issue? When I use a previously populated DB I am no longer seeing what I should be seeing.


Alon Bar-Lev

Jun 5, 2018, 2:03:08 PM
to Barry Benowitz, douglas...@gmail.com, Repo and Gerrit Discussion
Every ldap has its own method to assign a unique id for objects.
I guess you can try to tweak the ldap query to produce the same group id (some use gid and some use cn); however, it should be easier to just re-assign the correct groups.
One feature that is missing in gerrit is to allow editing the permissions in the project configuration; this way it would have been very simple to perform this kind of migration.


Barry Benowitz

Jun 5, 2018, 2:19:17 PM
to Alon Bar-Lev, Doug Luedtke, Repo and Gerrit Discussion
The group names are the same. It's the user that is different. So I guess it is getting a different group id even though the name is the same? I am trying to figure out why the external ldap group names aren't matching the preexisting ones.


Gert van Dijk

Jun 12, 2018, 2:56:34 PM
to barry.b...@gmail.com, repo-d...@googlegroups.com
Did you find a solution to this? I just wanted to point out again in more detail what Alon mentioned. You should know Gerrit will store the full group ID in project configurations (in the 'groups' file) as well. E.g.:

# UUID                                                              Group Name
#
ldap:CN=My Group,CN=Groups,DC=mydomain,DC=tld                       ldap/My Group

The DN has probably changed in the migration for you. That means that group names may be the same, but the pointer to the DN is calculated at the time the group is first referenced in a project configuration. This means that the memberOf values in your AD won't correspond to those in all 'groups' files in each and every project where you have any LDAP groups referenced.

HTH
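A small audit script for the situation Gert describes above, added here as an example and not code from the thread or from Gerrit itself. It parses a project's 'groups' file in the two-column layout shown above (Gerrit writes the columns tab-separated; the parser also accepts the run of spaces the rendered thread shows), picks out the `ldap:` UUIDs, and compares each stored DN against the DNs the new directory reports. The sample groups file and the list of directory DNs are constructed for the example; in practice the DN list would come from an ldapsearch against the new groupBase. An entry is reported as "moved" when a group with the same CN exists under a different DN, which is the case where the group name still matches but the stored UUID no longer does.

```python
"""Audit a Gerrit refs/meta/config 'groups' file after an LDAP -> AD move.

Flags ldap: group UUIDs whose stored DN no longer exists in the directory,
distinguishing groups that merely moved (same CN, new DN) from ones that are
gone. Sample inputs below are constructed for this example.
"""
import re

# Constructed sample: a 'groups' file in the layout shown in the thread.
SAMPLE_GROUPS_FILE = """\
# UUID                                                              Group Name
#
ldap:CN=My Group,CN=Groups,DC=mydomain,DC=tld                       ldap/My Group
ldap:CN=Release Managers,OU=Old Groups,DC=mydomain,DC=tld           ldap/Release Managers
ldap:CN=Developers,OU=Enterprise Application Groups,DC=mydomain,DC=tld   ldap/Developers
global:Registered-Users                                             Registered Users
"""

# Constructed sample: group DNs as the new directory (AD) reports them.
NEW_DIRECTORY_GROUP_DNS = [
    "CN=My Group,OU=Enterprise Application Groups,DC=mydomain,DC=tld",
    "CN=Developers,OU=Enterprise Application Groups,DC=mydomain,DC=tld",
]


def parse_groups_file(text):
    """Return (uuid, name) pairs. Comment lines start with '#'; columns are
    separated by a tab or by two or more spaces, since DN values themselves
    may contain single spaces (e.g. 'CN=My Group')."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S.*?)(?:\t+|\s{2,})(\S.*)$", line)
        if not m:
            raise ValueError("unparseable groups line: %r" % line)
        entries.append((m.group(1), m.group(2)))
    return entries


def normalize_dn(dn):
    """Case-fold a DN and strip whitespace around the RDN separators so that
    AD's case-insensitive DNs compare equal. Does not handle escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_cn(dn):
    """Return the CN value of the leading RDN, or None if it is not a CN."""
    attr, _, value = normalize_dn(dn).split(",")[0].partition("=")
    return value if attr == "cn" else None


def audit_ldap_groups(groups_text, directory_dns):
    """Compare each ldap: UUID in the groups file with the directory.

    Returns a list of (group name, status, matching directory DN or None)
    where status is 'ok', 'moved' (same CN under a different DN) or 'missing'.
    """
    directory = {normalize_dn(d): d for d in directory_dns}
    by_cn = {}
    for norm, original in directory.items():
        cn = rdn_cn(norm)
        if cn is not None:
            by_cn.setdefault(cn, []).append(original)

    report = []
    for uuid, name in parse_groups_file(groups_text):
        if not uuid.startswith("ldap:"):
            continue  # internal/global groups are not affected by the migration
        stored_dn = uuid[len("ldap:"):]
        norm = normalize_dn(stored_dn)
        if norm in directory:
            report.append((name, "ok", directory[norm]))
            continue
        candidates = by_cn.get(rdn_cn(stored_dn), [])
        if candidates:
            report.append((name, "moved", candidates[0]))
        else:
            report.append((name, "missing", None))
    return report


if __name__ == "__main__":
    for name, status, dn in audit_ldap_groups(SAMPLE_GROUPS_FILE, NEW_DIRECTORY_GROUP_DNS):
        print("%-25s %-8s %s" % (name, status, dn or "-"))
```

Run it against each project's 'groups' file (and All-Projects first, since permissions inherit from it); every "moved" or "missing" line is a project whose access rules still point at a DN the new directory does not know, and those are the groups that need to be re-assigned as Alon suggested.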