Gerrit + Active Directory


Ryan Dooley

Jun 1, 2011, 4:19:36 PM
to Repo and Gerrit Discussion
From what I can tell from the archives this question has made the
rounds but so far I'm not having any luck with getting Gerrit to talk
to Active Directory either over the LDAP(S) port or the Global
Catalog. I'm assuming the GC just won't work but so far:

With Gerrit 2.1.7 on Ubuntu 10.04.2 LTS, OpenJDK
6b20-1.9.7-0ubuntu1~10.04.1

[container]
javaOptions = -Djava.naming.referral=follow
[ldap]
server = ldaps://domain.controller:636
accountBase = OU=People,DC=domain,DC=local
accountPattern = (sAMAccountName=${username})
accountFullName = displayName
accountEmailAddress = ${mail.toLowerCase}
sslVerify = false

I've tried other combinations of accountBase, down to the OU where I
know my account exists.
I've tried other combinations of accountPattern, to include
(&(objectClass=user)(sAMAAccountName=${username})

The closest I get to anything include the error of:

2011-06-01 07:07:33,730] ERROR
com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to
autenticate user
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
NameErr: DSID-03151F00, problem 2001 (NO_OBJECT), data 0, best match
of:
'DC=domain,DC=local'

Any ideas?

Ryan Dooley

Jun 1, 2011, 4:22:56 PM
to Ryan Dooley, Repo and Gerrit Discussion
I see a typo in my mail below.. sAMAccountName is what is actually in the configs. :)

Shawn Pearce

Jun 2, 2011, 10:01:04 AM
to Ryan Dooley, Repo and Gerrit Discussion
On Wed, Jun 1, 2011 at 13:19, Ryan Dooley <ryan....@gmail.com> wrote:
> From what I can tell from the archives this question has made the
> rounds but so far I'm not having any luck with getting Gerrit to talk
> to Active Directory either over the LDAP(S) port or the Global
> Catalog.  I'm assuming the GC just won't work but so far:
...

> [ldap]
>  server = ldaps://domain.controller:636
>  accountBase = OU=People,DC=domain,DC=local
...

> 2011-06-01 07:07:33,730] ERROR
> com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to
> autenticate user
> javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
> NameErr: DSID-03151F00, problem 2001 (NO_OBJECT), data 0, best match
> of:
>        'DC=domain,DC=local'

That looks to me like your base is wrong. Are you sure you have the
correct accountBase specified?

ActiveDirectory should work OK using the standard LDAP or LDAPS port.
The global catalog port probably does not work.
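The check Shawn suggests can be repeated outside Gerrit. The script below is an added example, not part of this thread and not Gerrit's own code: it reads the `[ldap]` section of a gerrit.config fragment, builds the ldapsearch call that corresponds to Gerrit's account query, and pulls the "best match of" DN out of an error-32 message to show which RDNs of accountBase the directory could not find. The sample config and error text are constructed from the values in Ryan's post; the filter escaping in `expand_pattern` is this script's own and is not a statement about what Gerrit 2.1.7 does internally.

```python
"""Reproduce Gerrit's LDAP account lookup outside Gerrit.

Added diagnostic script; it is not Gerrit code.  Gerrit's LdapRealm expands
${username} in ldap.accountPattern and searches ldap.accountBase with
ldap.accountScope.  LDAP result code 32 (noSuchObject) on that search means the
base DN itself was not found; Active Directory names the deepest existing
suffix of the requested DN as "best match of: '<dn>'".
"""
import re
import shlex

# Constructed gerrit.config fragment using the values posted in this thread.
SAMPLE_CONFIG = """\
[ldap]
    server = ldaps://domain.controller:636
    accountBase = OU=People,DC=domain,DC=local
    accountScope = sub
    accountPattern = (sAMAccountName=${username})
    accountFullName = displayName
    accountEmailAddress = ${mail.toLowerCase}
    sslVerify = false
"""

# Constructed from the error-32 message in the thread (line-wrapped as it was posted).
SAMPLE_ERROR = (
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
    "NameErr: DSID-03151F00, problem 2001 (NO_OBJECT), data 0, best match\n"
    "of:\n'DC=domain,DC=local']"
)


def parse_ldap_section(text):
    """Return the key/value pairs of the [ldap] section (git-config syntax)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "ldap" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def expand_pattern(pattern, username):
    """Substitute ${username}; the RFC 4515 metacharacter escaping here is this script's own."""
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29")):
        username = username.replace(ch, rep)
    return pattern.replace("${username}", username)


def ldapsearch_command(cfg, username):
    """Build the ldapsearch call equivalent to Gerrit's account query (simple bind)."""
    argv = ["ldapsearch", "-x", "-H", cfg["server"],
            "-b", cfg["accountBase"], "-s", cfg.get("accountScope", "sub")]
    if cfg.get("username"):
        argv += ["-D", cfg["username"], "-W"]   # -W prompts for the ldap.password value
    argv.append(expand_pattern(cfg["accountPattern"], username))
    return " ".join(shlex.quote(a) for a in argv)


def missing_rdns(error_text, account_base):
    """RDNs of accountBase the directory could not find, taken from an error-32 message.

    None: not an error-32 message.  []: the whole base exists, so the failure is
    not the base DN.  Otherwise: the RDNs to the left of AD's best match.
    """
    m = re.search(r"error code 32\b.*?best\s+match\s+of:\s*'([^']*)'", error_text, re.S)
    if not m:
        return None
    best = [r.strip().lower() for r in m.group(1).split(",") if r.strip()]
    base = [r.strip() for r in account_base.split(",")]
    lowered = [r.lower() for r in base]
    if best and lowered[-len(best):] == best:
        return base[:-len(best)]
    return base


def audit(cfg):
    """Settings in [ldap] that weaken or confuse the lookup."""
    findings = []
    if cfg.get("server", "").startswith("ldaps://") and cfg.get("sslVerify", "true").lower() == "false":
        findings.append("sslVerify=false: the DC certificate is never checked, so LDAPS "
                        "encrypts the session but does not authenticate the server")
    if not cfg.get("username"):
        findings.append("no ldap.username: the search runs as an anonymous bind, and AD by "
                        "default returns nothing for anonymous searches outside the rootDSE")
    return findings


if __name__ == "__main__":
    cfg = parse_ldap_section(SAMPLE_CONFIG)
    print(ldapsearch_command(cfg, "rdooley"))
    print("accountBase RDNs not found:", missing_rdns(SAMPLE_ERROR, cfg["accountBase"]))
    for finding in audit(cfg):
        print("warning:", finding)
```

Run it against a real gerrit.config by swapping `SAMPLE_CONFIG` for the file contents; the printed ldapsearch line reproduces exactly the base, scope and filter Gerrit would send, so a result-32 from ldapsearch confirms the problem is the base DN rather than Gerrit. When `missing_rdns` returns an empty list the base exists and the 32 is coming from somewhere else, which is the situation Ryan describes after moving accountBase up to the domain root.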

Ryan Dooley

Jun 2, 2011, 1:02:34 PM
to Shawn Pearce, Repo and Gerrit Discussion
Hi Shawn,

I figured that the GC port wouldn't work. I've tried all sorts of combinations with the accountBase.

From the top: DC=domain,DC=local
To the bottom where my object is: OU=foo,OU=bar,OU=baz,DC=domain,DC=local.

I would have thought that setting accountScope = sub would have done the trick but so far nothing. It's pretty much the same message. The error log has some variation of the one below (the only change is in the accountBase and how far down the tree I go in setting accountBase.)

I've made sure that I can do an anonymous bind to 389/tcp and 636/tcp on the domain controllers.

Cheers,
Ryan

Nicholas Mucci

Jun 2, 2011, 1:54:09 PM
to Repo and Gerrit Discussion
We have Active Directory and Global Catalog is working for us on
several Gerrit servers. Here's what my LDAP config looks like:

[ldap]
server = ldap://dc.ad.company.com:3268
username = ldap...@ad.company.com
accountBase = DC=ad,DC=company,DC=com
groupBase = DC=ad,DC=company,DC=com
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
accountFullName = displayName
accountEmailAddress = mail
accountSshUserName = sAMAccountName
groupMemberPattern = (sAMAccountName=${username})
groupName = cn

-Nick

Ryan Dooley

Jun 3, 2011, 7:24:56 PM
to Nicholas Mucci, Repo and Gerrit Discussion
Hi Nicholas,

Thanks for sending that out. I've added an authenticated user to my config and still no luck. I'm guessing that if you have this working that it's an issue on the domain controller and I need to troll the event logs to see if there are any clues on that side.

Much appreciated,
Ryan


Ed Kohlwey

Jun 7, 2011, 10:21:29 PM
to Ryan Dooley, Repo and Gerrit Discussion
I set up Gerrit to use the Auth header and ran it under a proxy using
Apache's Kerberos Authentication module to get AD integration.

It's not perfect but it works well.

Ryan Dooley

Jun 8, 2011, 11:49:20 AM
to Ed Kohlwey, Repo and Gerrit Discussion
Hi Ed,

Thanks for the followup.

I'm still puzzled as to what isn't working right here with direct integration. That's likely the route I'm going to go.

Cheers,
Ryan

Nicholas Mucci

Jun 8, 2011, 2:11:28 PM
to Repo and Gerrit Discussion
Are you front-ending Gerrit with Apache using a reverse-proxy? I have
the pretty standard setup where Apache performs authentication against
AD, and then Gerrit worries about authorization and populating the
database from AD. Apache is also using Global Catalog. Here's the
Location directive I use in the Apache conf file for my Gerrit sites:

<Location "/code-review">
ProxyPass http://127.0.0.1:8081/code-review
AuthType Basic
AuthBasicProvider ldap
AuthName "Gerrit Review Server"
AuthLDAPUrl ldap://dc.ad.company.com:3268/DC=ad,DC=company,DC=com?sAMAccountName?sub
AuthLDAPBindDN "ldap...@ad.company.com"
AuthLDAPBindPassword "some_password"
AuthUserFile /dev/null
Require valid-user
RequestHeader set X-Forwarded-Scheme https
</Location>

Your AD configuration is probably just not playing nicely, but it may
help or tell you something more if you can get Apache to talk to AD.
HTH, good luck!

-Nick
