Migrating Gerrit 2.8 installation to LDAP Auth from OpenID Auth

[Luciano Furtado]

I ahve read Google will stop supporting OpenID 2.0 sometime in 2015, I want to migrate an existing Gerrit 2.8 installation to use LDAP For authentication.

Is it a matter of just adjusting my gerrit.config to use LDAP ? Or I need to do some sort open heart surgery on the reviewdb ?

I have about 20 developers that use this Gerrit installation that use google OpenID provider right now, Ideally I want to keep ALL account configuration they have

right now and go to LDAP for auth after the migration.

Any advice is very welcome.

Luciano

[Fabio Porcedda]

Hi Luciano,

I'm trying to migrate from OpenID to LDAP, but  i'm unable the old users are unable to login with ldap because they use the same username, so gerrit when i try to login with an old username give me this error:

ERROR com.google.gerrit.server.account.AccountManager : Cannot assign user name

 org.h2.jdbc.JdbcBatchUpdateException: Unique index or primary key violation: "PRIMARY_KEY_1 ON PUBLIC.ACCOUNT_EXTERNAL_IDS(EXTERNAL_ID) VALUES ( /* 26 */ 'username:fabiopo' )"; SQL statement:

Any ideas how to solve this problem?

I don't know which is possible to do, maybe one of these changes:

- rename old accounts

- rename accounts with ldap

- use in some way the same account for both openid and ldap accounts

Best regards

Fabio Porcedda

[Dan Zieber]

I've been doing this on a couple of installations; the trick is in the account_external_ids table in reviewdb.  You need to add a field for each user with the value gerrit:THEIR-USER-NAME.  I used a query like this:

insert into account_external_ids

  account_id,

  NULL as email_address,

  NULL as password,

  concat(

    'gerrit:',

    substring_index(email_address, '@', 1)

    ) as external_id

from

  account_external_ids

where

  email_address like '%@our-address.com'

It pulled their OpenID username from the email address associated with the account and placed it in the table in a form that gerrit can use for LDAP.

Good Luck!

-Dan

[Fabio Porcedda]

On Tuesday, July 1, 2014 6:27:05 PM UTC+2, Dan Zieber wrote:

I've been doing this on a couple of installations; the trick is in the account_external_ids table in reviewdb.  You need to add a field for each user with the value gerrit:THEIR-USER-NAME.  I used a query like this:

insert into account_external_ids

  account_id,

  NULL as email_address,

  NULL as password,

  concat(

    'gerrit:',

    substring_index(email_address, '@', 1)

    ) as external_id

from

  account_external_ids

where

  email_address like '%@our-address.com'

It pulled their OpenID username from the email address associated with the account and placed it in the table in a form that gerrit can use for LDAP.

Good Luck!

-Dan

Hi Dan,

thanks a lot for your help.

How i can issue such a query on gerrit?

Using the "gerrti query" command?

Thanks & BR

--

Fabio Porcedda

[Fabio Porcedda]

On irc  zaro show me the way:

https://gerrit-review.googlesource.com/Documentation/pgm-gsql.html

BR

--

Fabio Porcedda

[Dean Wheatley]

Hi Fabio,

Can you post the full recipe for this task here, as used with gqsl?

Thanks,

Dean

[shyam sandeep]

Dear Dan

Thanks for your kind help, i have an issue running the script, could you please help me resolve it

i am trying to edit my reviewdb (gsql) and below are errors i see

gerrit> insert into account_external_ids

  account_id,

  NULL as email_address,

  NULL as password,

  concat(

    'gerrit:',

    substring_index(email_address, '@', 1)

    ) as external_id

from

  account_external_ids

where

  email_address like '%@mycompany.com';     ->      ->      ->      ->      ->      ->      ->      ->      ->      ->      -> 

ERROR: Syntax error in SQL statement "INSERT INTO ACCOUNT_EXTERNAL_IDS

  ACCOUNT_ID[*],

  NULL AS EMAIL_ADDRESS,

  NULL AS PASSWORD,

  CONCAT(

    'gerrit:',

    SUBSTRING_INDEX(EMAIL_ADDRESS, '@', 1)

    ) AS EXTERNAL_ID

FROM

  ACCOUNT_EXTERNAL_IDS

WHERE

  EMAIL_ADDRESS LIKE '%@mycompany.com'; "; expected "., (, DIRECT, SORTED, DEFAULT, VALUES, SET, (, SELECT, FROM"; SQL statement:

insert into account_external_ids

  account_id,

  NULL as email_address,

  NULL as password,

  concat(

    'gerrit:',

    substring_index(email_address, '@', 1)

    ) as external_id

from

  account_external_ids

where

  email_address like '%@mycompany.com'; [42001-168]

gerrit> select * from account_external_ids;

 ACCOUNT_ID | EMAIL_ADDRESS                  | PASSWORD | EXTERNAL_ID

 -----------+--------------------------------+----------+---------------------------------------------------------------------------------

 1000000    | sandee...@mycompany.com  | NULL     | https://www.google.com/accounts/o8/id?id=AItOawm0uOvbdoKHg0pAO6fIYBabr38cukgVqkc

 1000000    | NULL                           | NULL     | username:sandeep.shyam

 1000001    | nagendr...@mycompany.com | NULL     | https://www.google.com/accounts/o8/id?id=AItOawmzlm45iBe6dKhCuUhgmPHfhJjLj3K00FI

 1000002    | sunny...@mycompany.com          | NULL     | https://www.google.com/accounts/o8/id?id=AItOawlSD5TIBdIsQQ-f-ijNkJLpwBdC1Xv-Cvo

 1000002    | NULL                           | NULL     | username:srikanth.madicherla

 1000001    | NULL                           | NULL     | username:nagendra.varma

[Edward Raigosa]

I think external_id will depend on the ldap field used for login, if it exist already in the database, then this method will work for you.  Otherwise, you have to find another way to calculate the external_id and have it match your ldap settings and expected field values.   For us this was email address so since folks used the same ldap email address it worked just fine for us as long as we used email address as the login string for ldap, and mapped it that way.

## the insert was missing a select I think.

INSERT INTO account_external_ids

select 

  account_id,

  NULL as email_address,

  NULL as password,

  concat('gerrit:',email_address)

  as external_id

from

  account_external_ids

where

  email_address like '%@yourcompanydomain.com' and external_id like 'https://%';