Gerrit LDAP and external users


Christopher Alexander

May 22, 2013, 9:16:28 PM
to repo-d...@googlegroups.com
Hi all,

Our Gerrit installation is for internal users only (using LDAP authentication); however, as we have customers who sometimes contribute code, we would like to bolt them on.

What we have to do now is use another git web UI setup which has this ability to mix authentication and then push the change over to Gerrit.
I really want to be able to control and code review these changes because at the moment it's not always clear what they are dumping on our laps!

Now they do not necessarily need code review privileges, they just need to be able to download branches and upload changes.

Seems like there are a few ways to do this but none that are "native" to Gerrit. Maybe a plugin I have overlooked?

Many thanks!

Magnus Bäck

May 22, 2013, 10:43:40 PM
to repo-d...@googlegroups.com
On Wednesday, May 22, 2013 at 21:16 EDT,
Authentication plugins are currently not supported (but they're
planned), and you can only have one authentication provider. I don't
know if the future auth plugin support will support multiple plugins
active at the same time.

You could set up an additional Gerrit server for these external
contributions. I assume giving these folks locked-down LDAP accounts
is out of the question, because that would seem like the obvious
solution.

--
Magnus Bäck
ba...@google.com

Thomas Swindells (tswindel)

May 23, 2013, 4:33:41 AM
to Magnus Bäck, repo-d...@googlegroups.com
Another thing you may be able to do is set up a separate authentication server which proxies your domain LDAP authentication, but also allows you to insert additional users explicitly.

It would be really useful though if Gerrit natively supported the ability to mix internal and external users so that tool integrations (Jenkins Gerrit plugin etc) don't require a domain user* to have been created but instead can be validated against an internal users database.

Thomas

Saša Živkov

May 23, 2013, 7:12:02 AM
to Thomas Swindells (tswindel), Magnus Bäck, repo-d...@googlegroups.com
On Thu, May 23, 2013 at 10:33 AM, Thomas Swindells (tswindel) <tswi...@cisco.com> wrote:
> Another thing you may be able to do is setup a separate authentication server which proxies your domain LDAP authentication, but also allows you to insert additional users explicitly.
>
> It would be really useful though if Gerrit natively supported the ability to mix internal and external users so that tool integrations (Jenkins Gerrit plugin etc) don't require a domain user* to have been created but instead can be validated against an internal users database.

The create-account command creates a Gerrit-only user that doesn't need to exist in the LDAP system.
We create such users and use them from the Jenkins Gerrit plugin.

Fredrik Luthander

May 28, 2013, 2:40:33 AM
to Saša Živkov, Thomas Swindells (tswindel), Magnus Bäck, repo-d...@googlegroups.com
Also keep in mind that for the users Sasa suggests you won't be able to have them in LDAP groups, so if you use such groups for authentication now you'll need a local group to represent your external users in the permission settings.

--
Med vänlig hälsning / Best regards,
   Fredrik Luthander

Christopher Alexander

May 28, 2013, 3:24:01 AM
to repo-d...@googlegroups.com, Thomas Swindells (tswindel), Magnus Bäck
I created one of these before but they are robot accounts. We need the customer to be able to see why we rejected his code change. Though he does not need to actually review others, it would be great if he could generate code reviews and view / download the repos. We need UI access for this.

Chris

Christopher Alexander

May 28, 2013, 3:25:47 AM
to repo-d...@googlegroups.com
My IT dept would not allow this, plus the other LDAP authenticated services would need to be checked.

Christopher Alexander

Sep 6, 2013, 2:20:45 AM
to repo-d...@googlegroups.com
Sorry to bring this one back from the dead. Any news on plugins for this? Or native Gerrit support for such accounts? Like I said, the robot accounts can only do a few things. We need external users that can act like internal.

Björn Pedersen

Sep 6, 2013, 2:45:56 AM
to repo-d...@googlegroups.com
You can create normal accounts via SSH as well. If you add the created users to the correct groups and set an HTTP password, they work like normal (LDAP) accounts.


Marcelo Avila de Oliveira

Sep 6, 2013, 7:27:06 AM
to Björn Pedersen, Repo and Gerrit Discussion
Just one point: in this case you must NOT have "auth.gitBasicAuth = true" or the HTTP password will not work...

--
Marcelo Ávila de Oliveira
CPqD - Information Technology Engineer


2013/9/6 Björn Pedersen <ice...@googlemail.com>
> You can create normal accounts via ssh as well. If you add the created users to the correct groups and set a http password, they work like normal (ldap)-accounts.
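
Added example, not part of any post in this thread and not Gerrit's own code: a small check that reads a `gerrit.config` and applies the rule stated above, that an HTTP password set with `create-account` is only usable for Git over HTTP while `auth.gitBasicAuth` is not true. The sample config and the function names are constructed for illustration, and the check assumes an unset `gitBasicAuth` means false.

```python
import re

# Constructed sample gerrit.config, not taken from the thread.
SAMPLE_CONFIG = """\
[gerrit]
    basePath = git
[auth]
    type = LDAP
    gitBasicAuth = true
[ldap]
    server = ldap://ldap.example.com
"""

SECTION = re.compile(r'\[\s*([\w.-]+)(?:\s+"([^"]*)")?\s*\]')


def parse_git_config(text):
    """Parse git-config style text into {"section.key": value}."""
    settings, prefix = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = SECTION.fullmatch(line)
        if header:
            name, sub = header.group(1).lower(), header.group(2)
            prefix = name if sub is None else f"{name}.{sub}"
            continue
        if prefix is None:
            continue  # key outside any section: ignore it
        key, sep, value = line.partition("=")
        # In git-config a bare key with no "=" means boolean true.
        value = value.strip().strip('"') if sep else "true"
        settings[f"{prefix}.{key.strip().lower()}"] = value
    return settings


def internal_http_password_usable(config_text):
    """Report whether a Gerrit-internal account's HTTP password can be
    used for Git over HTTP, per the gitBasicAuth rule from the thread."""
    cfg = parse_git_config(config_text)
    raw = cfg.get("auth.gitbasicauth", "false")  # assumed default: false
    basic = raw.lower() in ("true", "yes", "on", "1")
    return {"auth_type": cfg.get("auth.type"),
            "git_basic_auth": basic,
            "usable": not basic}


if __name__ == "__main__":
    print(internal_http_password_usable(SAMPLE_CONFIG))
```
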


Christopher Alexander

Sep 9, 2013, 2:37:20 AM
to repo-d...@googlegroups.com, Björn Pedersen
Hi guys,

So I have a customer with an SSH-set account like so:

ssh -p 29418 my.gerrit.com gerrit create-account --group BA collab.customer --http-password "collabcustomer"

I also explicitly set gitBasicAuth = false in gerrit.config.

However still no luck signing in to the Gerrit GUI.

Any advice?

Matthias Sohn

Sep 9, 2013, 2:58:04 AM
to Christopher Alexander, Repo and Gerrit Discussion, Björn Pedersen
On Mon, Sep 9, 2013 at 8:37 AM, Christopher Alexander <chrisn...@gmail.com> wrote:
> Hi guys,
>
> So I have a customer with a ssh set account like so:
>
> ssh -p 29418 my.gerrit.com gerrit create-account --group BA collab.customer --http-password "collabcustomer"
>
> I also explicitly set gitBasicAuth = false in gerrit.config.
>
> However still no luck signing in to the gerrit gui.
>
> Any advice?

[1] says:

"If the account is created without an email address, it may only be used for batch/role access,"... 

Batch users don't have permission to access the Gerrit GUI.


--
Matthias

Christopher Alexander

Sep 9, 2013, 3:19:37 AM
to repo-d...@googlegroups.com, Christopher Alexander, Björn Pedersen
Ah,

But you can actually add an email address during (or post) creation. I guess this still doesn't fix this.

Christopher Alexander

Sep 13, 2013, 5:04:36 AM
to repo-d...@googlegroups.com, Christopher Alexander, Björn Pedersen
Hey all.

So I got permission to add the customer to the AD with name.c...@mycompany.com and he can log in but he cannot push. Seems the Gerrit login did not register his email address and when I try to add it through the GUI it gives me an AD lookup error.

Would manually adding his name to the SQL entry work?

Thanks again

Christopher Alexander

Sep 13, 2013, 6:49:08 AM
to repo-d...@googlegroups.com, Christopher Alexander, Björn Pedersen
Sorry that did work - just got the error where the merged changes stay in the "Submitted, merge pending" state!!

Doug Kelly

Sep 13, 2013, 11:42:51 AM
to repo-d...@googlegroups.com, Christopher Alexander


On Friday, September 13, 2013 5:49:08 AM UTC-5, Christopher Alexander wrote:
> Sorry that did work - just got the error where the merged changes stay in the "Submitted, merge pending" state!!

Oops! Anything in the error log of interest? Or dependent patches that haven't merged?

Christopher Alexander

Sep 17, 2013, 12:15:17 AM
to repo-d...@googlegroups.com, Christopher Alexander
No. I had this before. Seems Gerrit sometimes gets its knickers in a twist!