Move from LDAP to Azure SSO Via Gerrit server - Using plugins/gerrit-oauth-provider


Guy Levkowitz

Dec 31, 2025, 3:38:33 AM
to Repo and Gerrit Discussion
Hey

I understand that there is no straightforward way to achieve this when we already have many users who have been using Gerrit with LDAP authentication up to now.  
What is needed:
git clone All-Users  (repo)
cd All-Users/
git fetch origin refs/meta/external-ids:refs/meta/external-ids
git checkout refs/meta/external-ids
Find the user that we want to define for Azure and create an entry for him for Azure, like this
in bash (you need to know the Azure object ID for the user before doing this, plus the ID of the user in Gerrit):
echo -n "azure-oauth:<AZURE-OBJECT-ID-FOR-The-User>" | sha1sum

echo -n "azure-oauth:8a048f54-a0cc-4537-bb5b-3f540a2dbd72" | sha1sum
918d604e3cacdf92c3ba56415c379a19a3fd47ba  -

Take the output and run:
echo -e "[externalId \"azure-oauth:8a048f54-a0cc-4537-bb5b-3f540a2dbd72\"]\n\taccountId = 1000044\n\temail = guy...@domain.com" > 918d604e3cacdf92c3ba56415c379a19a3fd47ba


This will give a new entry file:
 cat 918d604e3cacdf92c3ba56415c379a19a3fd47ba
[externalId "azure-oauth:8a048f54-a0cc-4537-bb5b-3f540a2dbd72"]
        accountId = 1000044
        email = guy...@domain.com

This needs to be done for all users.

My question is also related to groups. We currently have several groups defined using LDAP, for example: ldap/RND-Users. With Azure-based authentication, is there a way to use or map Azure AD groups to Gerrit groups in a similar manner?  

Currently, with authentication via Azure, we are unable to use it directly. Is there any alternative way to leverage our Azure AD groups and map them to Gerrit groups?  

thanks
Guy
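
Added example, not code from either post or from the gerrit-oauth-provider plugin: a shell script that does the per-user steps above (hash the `azure-oauth:<object-id>` key with SHA-1, write the `[externalId ...]` note body under that name) for a whole list of users at once, so the "this needs to be done for all users" part does not have to be typed by hand. It assumes a CSV with the columns `gerritAccountId,azureObjectId,email` (the column layout, the `demo` function and the sample rows are constructed for the example), that it runs inside a checkout of `refs/meta/external-ids` of All-Users, and that committing and pushing the result back to that ref is done afterwards by hand.

```shell
#!/bin/sh
# Added example (not from the thread, not from the gerrit-oauth-provider plugin):
# bulk-create azure-oauth external-id notes in a checkout of refs/meta/external-ids.
# Assumed input: CSV rows "gerritAccountId,azureObjectId,email".
set -eu

# The external-id key string that goes inside the [externalId "..."] section.
external_id_key() {
  printf '%s' "azure-oauth:$1"
}

# Gerrit names the note file after the SHA-1 of that key string; this is what the
# `echo -n "azure-oauth:<id>" | sha1sum` step in the post computes.
note_name() {
  if command -v sha1sum >/dev/null 2>&1; then
    external_id_key "$1" | sha1sum | cut -d' ' -f1
  else
    external_id_key "$1" | shasum -a 1 | cut -d' ' -f1   # macOS fallback
  fi
}

# Note body in Gerrit's git-config style; the email line is optional.
render_note() {   # $1 object id, $2 account id, $3 email (may be empty)
  printf '[externalId "%s"]\n\taccountId = %s\n' "$(external_id_key "$1")" "$2"
  [ -z "$3" ] || printf '\temail = %s\n' "$3"
}

# Where the note file goes. JGit may store the note tree with two-character
# fan-out directories (91/8d60...) instead of flat 40-character names, so
# follow whatever layout the checkout already uses.
note_path() {     # $1 object id, $2 checkout dir
  np_name=$(note_name "$1")
  np_prefix=$(printf '%s' "$np_name" | cut -c1-2)
  if [ -d "$2/$np_prefix" ]; then
    printf '%s/%s/%s' "$2" "$np_prefix" "$(printf '%s' "$np_name" | cut -c3-)"
  else
    printf '%s/%s' "$2" "$np_name"
  fi
}

# Write one note; refuse to overwrite an entry that already exists for that key.
write_note() {    # $1 object id, $2 account id, $3 email, $4 checkout dir
  wn_path=$(note_path "$1" "$4")
  if [ -e "$wn_path" ]; then
    echo "external id for $1 already exists at $wn_path" >&2
    return 1
  fi
  render_note "$1" "$2" "$3" > "$wn_path"
  printf '%s\n' "$wn_path"
}

# Input validation before touching the tree: Azure object IDs are GUIDs,
# Gerrit account IDs are plain integers.
valid_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Import "accountId,objectId,email" rows; blank and '#' lines are skipped.
# Prints the number of notes written; stops at the first bad row.
import_csv() {    # $1 csv file, $2 checkout dir
  ic_n=0
  while IFS=, read -r ic_account ic_object ic_email; do
    case "$ic_account" in ''|'#'*) continue ;; esac
    valid_account_id "$ic_account" || { echo "bad account id: $ic_account" >&2; return 1; }
    valid_guid "$ic_object" || { echo "bad object id: $ic_object" >&2; return 1; }
    write_note "$ic_object" "$ic_account" "$ic_email" "$2" >/dev/null || return 1
    ic_n=$((ic_n + 1))
  done < "$1"
  printf '%s\n' "$ic_n"
}

# Constructed sample input (not real users) so the script can be run stand-alone:
#   sh import-azure-ids.sh demo
demo() {
  d_work=$(mktemp -d)
  cat > "$d_work/users.csv" <<'EOF'
# gerritAccountId,azureObjectId,email
1000044,8a048f54-a0cc-4537-bb5b-3f540a2dbd72,alice@example.com
1000045,4f1b2c3d-0000-4e5f-8a9b-0c1d2e3f4a5b,bob@example.com
EOF
  mkdir "$d_work/tree"
  echo "wrote $(import_csv "$d_work/users.csv" "$d_work/tree") note(s) under $d_work/tree"
}

if [ "${1:-}" = demo ]; then demo; fi
```

After running it in the All-Users checkout, `git add` the new files, commit, and push to `refs/meta/external-ids`; Gerrit caches external IDs (the `external_ids_map` cache), so flush that cache or restart the server before expecting the new identities to resolve. The script deliberately refuses to overwrite an existing note, so a user who already has an `azure-oauth:` entry shows up as an error rather than being silently re-pointed at another account.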





David Ostrovsky

Jan 16, 2026, 7:09:17 AM
to Repo and Gerrit Discussion
Guy Levkowitz wrote on Wednesday, 31 December 2025 at 09:38:33 UTC+1:
Hey

I understand that there is no straightforward way to achieve this when we already have many users who have been using Gerrit with LDAP authentication up to now.  

You're right that this becomes tricky once a setup already has a large number of registered users.

Have you looked at the link existing user identity feature in the OAuth plugin?

There is a configuration option:

link-to-existing-gerrit-accounts = false

Some OAuth providers already implement support for this kind of identity linking.

However, for Azure AD this is currently not implemented.
It might be possible to implement something similar to what other providers do, for example along these lines:
This approach could allow existing Gerrit accounts to be linked without forcing users to re-register or migrate them manually.