LDAP using AD with groups in Gerrit


mhigh...@singlehop.com

Jul 9, 2013, 10:54:52 AM
to repo-d...@googlegroups.com
I'm new to Gerrit and setting up a system for our dev team.
I'm having the AD administrator add some additional groups but how do you utilize the LDAP group in Gerrit? I see it described but I can't find a step by step example on how to set that up. Can anybody write up or point me to a write up that defines the process of creating and defining Gerrit groups using LDAP groups?

And if anybody would like to share their LDAP/Gerrit setup that would be great.

Thanks

Doug Kelly

Jul 10, 2013, 4:12:07 PM
to repo-d...@googlegroups.com
On Tuesday, July 9, 2013 9:54:52 AM UTC-5, mhigh...@singlehop.com wrote:
I'm new to Gerrit and setting up a system for our dev team.
I'm having the AD administrator add some additional groups but how do you utilize the LDAP group in Gerrit?
I can try to answer some questions.  The easiest to configure first is (probably) straight LDAP auth without a proxy, and later extend it to HTTP_LDAP with a proxy frontend (assuming you intend to use it).  The key sections in gerrit.config are the "auth.type" and LDAP section.  If you actually pick LDAP when configuring Gerrit during gerrit init, it will ask for an accountBase and groupBase (along with your LDAP server/domain controller, bind user, and bind password).  accountBase is the root to search for accounts in, and groupBase is the search root for groups.  Also, for AD, you'll probably want:

[ldap]
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = ${sAMAccountName.toLowerCase}
        groupMemberPattern = (sAMAccountName=${username})
        groupName = cn
        localUsernameToLowerCase = true

That should allow most everything to auto-populate from the DC. 

I see it described but I can't find a step by step example on how to set that up. Can anybody write up or point me to a write up that defines the process of creating and defining Gerrit groups using LDAP groups?
In 2.4, you could map internal groups to LDAP groups.  In 2.5, this no longer worked (but I believe LDAP groups can be specified in ACLs directly?), but in 2.6, it is possible to include additional groups, and instead specify "ldap/[groupname]" for the group to include.  Due to some bugs in 2.6 (fixed in the 2.7 branch), you may have problems adding certain groups (if the DN contains any spaces, I believe)--also, you must be a member of the LDAP group in addition to an owner of the internal Gerrit group in order to add the LDAP group as an included group.

Hopefully this gives you somewhere to start from.  Feel free to ask me any questions, though!

--Doug

mhigh...@singlehop.com

Jul 15, 2013, 3:23:03 PM
to repo-d...@googlegroups.com
Thanks Doug I can see the AD groups gerrit is pulling. I have the install running behind an apache proxy. Are there additional features enabled if I use HTTP_LDAP instead of LDAP?
My second question is regarding the LDAP groups. I'm not sure how to relate the groups already provided to the LDAP groups. Do I relate the current groups "Project Owners", "Non-Interactive Users" ... to the LDAP groups, or am I looking too high and I should be assigning LDAP groups at the project level?

-marcus

Doug Kelly

Jul 15, 2013, 3:52:21 PM
to repo-d...@googlegroups.com
On Monday, July 15, 2013 2:23:03 PM UTC-5, mhigh...@singlehop.com wrote:
Thanks Doug I can see the AD groups gerrit is pulling. I have the install running behind an apache proxy. Are there additional features enabled if I use HTTP_LDAP instead of LDAP?
Not really, from all I've seen.  It just uses the webserver to perform the initial authentication, then Gerrit trusts whatever REMOTE_USER is--perhaps handy, but it's up to your configuration.  Perhaps you can get a bit more fine-grained using mod_authnz_ldap than you can in Gerrit, for example.
 
My second question is regarding the LDAP groups. I'm not sure how to relate the groups already provided to the LDAP groups. Do I relate the current groups "Project Owners", "Non-Interactive Users" ... to the LDAP groups, or am I looking too high and I should be assigning LDAP groups at the project level?
That's entirely up to you.  You might have a group that relates to "all people authorized to contribute" and set All-Projects accordingly.  You might want finer-grained ACLs on your projects (for example, we have a set of "role" groups that get created with our projects, and include users/groups in those).  Also, we have normally created an internal group to "mirror" LDAP groups. For example, the group "foo_contributors" in LDAP would have a matching "foo_contributors" group in Gerrit, and that group would include "ldap/foo_contributors".  You almost certainly don't want to assign regular users to Non-Interactive Users... but yes, that's the basic idea.

Good luck,

Doug
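Doug's answer above says that with HTTP_LDAP Gerrit accepts whatever user the web server authenticated. The fragment below is an added example, not from the thread and not Gerrit's or Apache's own documentation: an Apache front-end that authenticates against AD with mod_authnz_ldap, lets only one AD group through, and proxies to a Gerrit bound to loopback. The host names, DNs, bind account, group name and certificate paths are assumed.

```apacheconf
# Added example (not from the thread): Apache front-end for a Gerrit whose
# gerrit.config carries
#   [auth]  type = HTTP_LDAP
#   [httpd] listenUrl = proxy-http://127.0.0.1:8081/
# Gerrit accepts the username this proxy vouches for, so port 8081 must be
# reachable from the proxy only (loopback here; firewall it if remote).
# Host names, DNs, the bind account, the group and the paths are assumed.
<VirtualHost *:443>
    ServerName gerrit.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gerrit.example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/gerrit.example.test.key

    # Everything requires a login. To allow anonymous browsing of public
    # projects, protect only /login/ and /a/ instead of /.
    <Location "/">
        AuthType Basic
        AuthName "Gerrit Code Review"
        AuthBasicProvider ldap
        # search root ? username attribute (sAMAccountName for AD) ? scope ? filter
        AuthLDAPURL "ldaps://dc01.example.test/OU=Users,DC=example,DC=test?sAMAccountName?sub?(objectClass=person)"
        # AD rejects anonymous searches, so bind with a low-privilege account.
        AuthLDAPBindDN "CN=gerrit-bind,OU=Service Accounts,DC=example,DC=test"
        AuthLDAPBindPassword "change-me"
        # AD stores group members as DNs; only members of this group get
        # past the proxy at all, whatever Gerrit's own ACLs say.
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group CN=gerrit-users,OU=Groups,DC=example,DC=test
    </Location>

    # Gerrit URLs carry encoded slashes; pass them through untouched.
    AllowEncodedSlashes On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/ nocanon
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
```

The proxy only settles who the user is; Gerrit still needs its own [ldap] section (accountBase, groupBase and a bind user) to pull the display name, e-mail and group membership, which is the difference between HTTP and HTTP_LDAP.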

mhigh...@singlehop.com

Jul 15, 2013, 4:42:09 PM
to repo-d...@googlegroups.com
I created an internal group (Developer) and tried to add an "Included Groups" entry from LDAP (ldap\Development), which was in the auto-complete, but when I click on "Add" I get an error saying "The page you requested was not found, or you do not have permission to view this page." I'm accessing Gerrit using the first user and I see that my account is one of the members of the group. I'm using the latest 2.6.1. Do you think I missed something in the setup?

Doug Kelly

Jul 15, 2013, 5:09:01 PM
to repo-d...@googlegroups.com
On Monday, July 15, 2013 3:42:09 PM UTC-5, mhigh...@singlehop.com wrote:
I created an internal group (Developer) and tried to add an "Included Groups" entry from LDAP (ldap\Development), which was in the auto-complete, but when I click on "Add" I get an error saying "The page you requested was not found, or you do not have permission to view this page." I'm accessing Gerrit using the first user and I see that my account is one of the members of the group. I'm using the latest 2.6.1. Do you think I missed something in the setup?

Nope, that's the bug I spoke of.  Obnoxious, I know.  2.7 should have the fix, though the fix hasn't been built into a release candidate yet (the fix is newer than the latest RC).  I think if you know the full LDAP DN, you could insert it directly into the DB (it's just "ldap:OU=foo,DC=bar,DC=baz" -- the full DN prefixed by "ldap:").  I believe it's the "account_group_includes_by_uuid" table--but I may be mistaken.  Of course, after you do any DB manipulation, don't forget to flush caches.

Mohan .S

Apr 7, 2015, 6:39:14 AM
to repo-d...@googlegroups.com

Hi Team,

I am trying to configure LDAP with Gerrit version 2.10.2, but I am getting the errors below. Kindly help me with this.

My gerrit.config settings are as follows:

[auth]
        type = LDAP

[ldap]
        accountBase = ou=people,dc=sisldomain,dc=com
        accountPattern = (&(objectClass=person)(uid=${username}))
        accountFullName = displayName
        accountEmailAddress = mail
        groupBase = ou=gerrit,dc=sisldomain,dc=com
        groupMemberPattern = (&(objectClass=group)(member=${dn}))

Only the highlighted part I have modified. But my Gerrit web UI shows the error "Authentication unavailable at this time."

Gerrit error.log is as follows:

[2015-04-07 16:06:38,385] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'ou=people,dc=sisldomain,dc=com'


Thanks,

Mohan
