git LDAP authentication broken after 2.13.9 to 2.14.5.1 upgrade

Dean Wheatley

Nov 24, 2017, 6:28:25 PM
to Repo and Gerrit Discussion
I am able to login to the Gerrit web UI using LDAP email/password credentials.
However, these same credentials do not work for git cmd line operations (e.g. git clone https://...).

The Gerrit error log shows:

[2017-11-25 10:23:52,658] [HTTP-629] WARN  com.google.gerrit.httpd.ProjectBasicAuthFilter : Authentication failed for <username>: password does not match the one stored in Gerrit

Question: why is it trying to match the one "stored" in Gerrit? Shouldn't it be trying to authenticate using LDAP instead?

Here's my gerrit.config (with some site-specific/company details omitted).

[gerrit]
        basePath = /media/git
        canonicalWebUrl = <site>
[database]
        type = postgresql
        hostname = localhost
        database = crux
        username = gerrit2
        poolLimit = 100
[index]
        type = LUCENE
[auth]
        type = LDAP
        gitBasicAuth = true
        gitBasicAuthPolicy = HTTP
[ldap]
        sslVerify = true
        server = ldap://<name>
        username = <username>
        accountBase = <ommitted>
        groupBase = <ommitted>
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = sAMAccountName
        groupName = cn
        localUsernameToLowerCase = true

Would appreciate some pointers here.

Thanks,

Dean Wheatley

Nov 24, 2017, 6:36:48 PM
to Repo and Gerrit Discussion
I see from https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth

If auth.gitBasicAuthPolicy is set to HTTP, the randomly generated HTTP password is used for authentication. On the other hand, if auth.gitBasicAuthPolicy is set to HTTP_LDAP, the password in the request is first checked against the HTTP password and, if it does not match, it is then validated against the LDAP password. Service users that only exist in the Gerrit database are authenticated by their HTTP passwords.

I needed to change gitBasicAuthPolicy from HTTP to HTTP_LDAP. This now works.
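
Added example, not part of the original thread and not Gerrit's own code: a small check that reads the [auth] section of a gerrit.config, reports which passwords git-over-HTTP will be checked against under the two policies quoted above, and counts the matching ProjectBasicAuthFilter warnings per user. The sample config and log line are constructed ("alice" is a made-up username), and the helper names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the [auth] settings from the thread plus one log line in the
# format shown there ("alice" is a made-up username).
SAMPLE_CONFIG = """\
[auth]
        type = LDAP
        gitBasicAuth = true
        gitBasicAuthPolicy = HTTP
"""
SAMPLE_LOG = [
    "[2017-11-25 10:23:52,658] [HTTP-629] WARN  com.google.gerrit.httpd.ProjectBasicAuthFilter"
    " : Authentication failed for alice: password does not match the one stored in Gerrit",
]

# Password checks per policy, in order, as described in the quoted documentation.
CHECK_ORDER = {
    "HTTP": ["generated HTTP password"],
    "HTTP_LDAP": ["generated HTTP password", "LDAP password"],
}
FAILURE = re.compile(r"ProjectBasicAuthFilter\s*: Authentication failed for (\S+): "
                     r"password does not match the one stored in Gerrit")

def parse_config(text):
    """Minimal git-config style parser: {section: {key: value}}, names lower-cased."""
    cfg, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[([^\]\s]+)\]", line)
        if header:
            section = cfg.setdefault(header.group(1).lower(), {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip()
    return cfg

def diagnose(config_text, log_lines):
    """Return (checks, rejected_users, ldap_password_rejected)."""
    auth = parse_config(config_text).get("auth", {})
    policy = auth.get("gitbasicauthpolicy", "").upper()
    checks = CHECK_ORDER.get(policy)  # None: policy unset or not covered here
    users = Counter(m.group(1) for m in map(FAILURE.search, log_lines) if m)
    ldap_rejected = (auth.get("type", "").upper() == "LDAP"
                     and checks is not None and "LDAP password" not in checks)
    return checks, dict(users), ldap_rejected

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
    print(diagnose(SAMPLE_CONFIG.replace("= HTTP\n", "= HTTP_LDAP\n"), SAMPLE_LOG))
```

A policy value other than the two quoted above, or a missing gitBasicAuthPolicy key, yields None for the check order because the thread does not describe those cases.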