Change authentication scheme for existing gerrit installation


marku...@sinnerschrader.com

Oct 15, 2013, 8:58:44 AM10/15/13
to repo-d...@googlegroups.com
Hello,

we have a gerrit server currently running with OpenId as the authentication scheme, but I would prefer to switch to LDAP.
I've tried that, but when logging in, I get an error in the logfile because the username already exists (SQL error because of the primary key).
The usernames are the same in our OpenId setup as well as in LDAP.

Is there a way to migrate all users to use LDAP afterwards?

Any hint is welcome.

Best regards
Markus

Shawn Pearce

Oct 15, 2013, 12:39:06 PM10/15/13
to marku...@sinnerschrader.com, repo-discuss
On Tue, Oct 15, 2013 at 5:58 AM, <marku...@sinnerschrader.com> wrote:
> we have a gerrit server running currently using OpenId as authentication
> scheme, but I would favor to switch to LDAP.
> I've tried that, but when logging in, I get an error in the logfile because
> the username is already existing (SQL error because of primary key).
> The usernames are the same in our OpenId setup as well as in LDAP.
>
> Is there a way to migrate all users to use LDAP afterwards?

You could use a SQL statement to copy the records and update them for
use with LDAP. Untested but something like:

INSERT INTO account_external_ids (account_id, external_id)
SELECT account_id, REPLACE(external_id, 'username:', 'gerrit:') -- depends on database?
FROM account_external_ids
WHERE external_id LIKE 'username:%';
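A worked version of that migration, added here and not from Shawn or the Gerrit project: it runs Shawn's INSERT ... SELECT against a constructed, two-column copy of account_external_ids in SQLite, with REPLACE in the (string, search, replacement) order the common databases use and a NOT EXISTS guard so an account that already has a gerrit: row (the primary-key error from the first post) is skipped rather than failing. Account ids, names and the OpenID URL are made up.

```python
import sqlite3

# Constructed sample of Gerrit's account_external_ids table, reduced to the
# two columns the migration touches. external_id is the primary key, which
# is why a plain INSERT collides for an account that already has a gerrit:
# row (the SQL error Markus saw). Account ids and names are made up.
SAMPLE_ROWS = [
    (1000000, "username:markus"),
    (1000000, "https://openid.example.invalid/markus"),  # OpenID identity
    (1000001, "username:alice"),
    (1000001, "gerrit:alice"),  # already migrated earlier
]

# Same idea as Shawn's statement, with REPLACE(string, search, replacement)
# in the argument order MySQL, PostgreSQL, H2 and SQLite all use, plus a
# NOT EXISTS guard so re-running it never violates the primary key.
MIGRATE_SQL = """
INSERT INTO account_external_ids (account_id, external_id)
SELECT account_id, REPLACE(external_id, 'username:', 'gerrit:')
FROM account_external_ids AS src
WHERE external_id LIKE 'username:%'
  AND NOT EXISTS (
      SELECT 1 FROM account_external_ids AS dst
      WHERE dst.external_id = REPLACE(src.external_id, 'username:', 'gerrit:')
  )
"""


def migrate(rows=SAMPLE_ROWS, runs=2):
    """Apply the migration to an in-memory copy of the table `runs` times
    and return the resulting (account_id, external_id) rows, sorted."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE account_external_ids ("
        "account_id INTEGER NOT NULL, external_id TEXT PRIMARY KEY)"
    )
    con.executemany("INSERT INTO account_external_ids VALUES (?, ?)", rows)
    for _ in range(runs):  # second run must be a no-op, not a PK error
        con.execute(MIGRATE_SQL)
    con.commit()
    return sorted(con.execute(
        "SELECT account_id, external_id FROM account_external_ids"))


if __name__ == "__main__":
    for account_id, external_id in migrate():
        print(account_id, external_id)
```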

marku...@sinnerschrader.com

Oct 15, 2013, 12:42:36 PM10/15/13
to repo-d...@googlegroups.com, marku...@sinnerschrader.com
Thanks Shawn,

I'll try this and report back.

Regards
Markus

marku...@sinnerschrader.com

Oct 15, 2013, 1:03:59 PM10/15/13
to repo-d...@googlegroups.com, marku...@sinnerschrader.com
It works perfectly.
I had to update the statement for MySQL, but that's trivial.

Thank you for your help :)

Mohan .S

Apr 7, 2015, 7:06:01 AM4/7/15
to repo-d...@googlegroups.com, marku...@sinnerschrader.com

Hi Team,

I am trying to configure LDAP with Gerrit version 2.10.2, but I am getting the errors below. Kindly help me with this.

My gerrit.config settings are as follows:

[auth]
      type = LDAP

[ldap]
  accountBase = ou=people,dc=sisldomain,dc=com
  accountPattern = (&(objectClass=person)(uid=${username}))
  accountFullName = displayName
  accountEmailAddress = mail
  groupBase = ou=gerrit,dc=sisldomain,dc=com
  groupMemberPattern = (&(objectClass=group)(member=${dn}))


I have modified only the highlighted part. But my Gerrit web page shows the error "Authentication unavailable at this time."


Gerrit error.log is as follows:

[2015-04-07 16:06:38,385] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'ou=people,dc=sisldomain,dc=com'

Thanks,
Mohan

Jan Kundrát

Apr 7, 2015, 7:42:54 AM4/7/15
to repo-d...@googlegroups.com
On Tuesday, 7 April 2015 13:06:01 CEST, Mohan .S wrote:
> I am trying to configure LDAP with gerrit Version – 2.10.2, But getting
> below errors, Kindly help me on this,

Dear Mohan,
first of all, please do not post the same question three times; doing that
is a bit rude. Your chances of getting a proper answer are not getting
better by that. This is not a web forum, this is a mailing list. In
addition to that, it is recommended to demonstrate what you've already
tried to troubleshoot on your own; simply copy-pasting error logs doesn't
really qualify. We're doing this support in our free time, and you are
supposed to show us that our time is not being wasted on someone who didn't
bother to read documentation.

> [2015-04-07 16:06:38,385] ERROR
> com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to
> authenticate user
>
> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
> DSID-0C090728, comment: In order to perform this operation a successful
> bind must be completed on the connection., data 0, v2580]; remaining name
> 'ou=people,dc=sisldomain,dc=com'

This log entry identifies the root cause of your problem; your LDAP server
rejects anonymous queries and informs you that you need to bind to a
specified username prior to making any other LDAP operation ("bind" means
"login" in LDAP language). In other words, Gerrit tried to contact your
LDAP server anonymously and started querying it for some user information,
and your LDAP server rejects that.

Read Gerrit's documentation [1] about the auth.type, identify the
difference between LDAP and LDAP_BIND. Do you need any features offered by
the LDAP method compared to LDAP_BIND? It doesn't appear so from the config
you provided as your Gerrit logins and LDAP usernames appear to match. Does
it work if you switch to LDAP_BIND? It won't be a full fix, but a good
first step.

Take a look at the options provided by the LDAP-specific auth options [2].
Hint: your LDAP server requires non-anonymous binds, and Gerrit supports
binding with service account credentials.

With kind regards,
Jan

[1] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth
[2] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap

--
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/

Mohan .S

Apr 7, 2015, 11:58:42 PM4/7/15
to repo-d...@googlegroups.com

Dear Jan,

I am completely new to Git/Gerrit.

I am sorry to bother you again. As per the LDAP guide, I have updated my gerrit.config as below.

[auth]
  type = LDAP

[ldap]
   username = mohan
   password = mohan@321
   accountScope = subtree
   accountBase = ou=people,dc=sisldomain,dc=com
   accountPattern = (&(objectClass=person)(uid=${username}))
   accountFullName = displayName
   accountEmailAddress = mail
   groupBase = ou=gerrit,dc=sisidomain,dc=com
   groupMemberPattern = (&(objectClass=group)(member=${dn}))
   referral=follow


But I am still getting the errors below:


  1. On the portal, when I enter the domain id & password, it fails with the error "Authentication unavailable at this time."

  2. Gerrit error.log shows the error below.

    [2015-04-08 09:19:24,726] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user

    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]

  3. So I request you to kindly help me with this.

Thanks,

Mohan

Mattias Vannergård

Apr 8, 2015, 7:58:36 AM4/8/15
to repo-d...@googlegroups.com
Hi!

Chiming in here...

The first "username" shall be something like:
cn=admin,dc=sisldomain,dc=com

if mohan is your LDAP admin account, just change the line to
cn=mohan,dc=sisldomain,dc=com

For me, the accountPattern needed is just:

accountPattern = (cn=${username})

BR
/Mattias


On Wednesday, 8 April 2015 at 05:58:42 UTC+2, Mohan .S wrote:

> Dear Jan,
>
> I am completely new to Git/Gerrit.
>
> I am sorry to bother you again. As per the LDAP guide, I have updated my gerrit.config as below.
>
> [auth]
>   type = LDAP
>
> [ldap]
>    username = mohan
>    password = mo...@321
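A small log triage helper, added here and not part of the thread, that applies Jan's reading of the two error.log lines quoted above (result code 1, "a successful bind must be completed", from Mohan's first post, and result code 49 with AD data 52e from his second) and attaches the fix Mattias describes, binding with the service account's full DN. The sample log is the thread's own two exception lines; the AD data codes beyond 52e are Active Directory's documented AcceptSecurityContext values, included to generalise the lookup.

```python
import re

# The two error.log lines quoted in this thread (verbatim), one per failure.
SAMPLE_LOG = """\
[2015-04-07 16:06:38,385] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'ou=people,dc=sisldomain,dc=com'
[2015-04-08 09:19:24,726] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate user
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]
"""

# Matches the LDAP result code and Active Directory's "data" sub-code.
LDAP_ERR = re.compile(r"\[LDAP: error code (\d+) - [0-9A-F]+:.*?, data ([0-9a-f]+),")

# AD sub-codes for result 49 (invalidCredentials). 52e is the one in the
# thread; the others are AD's documented AcceptSecurityContext values.
AD_DATA = {
    "52e": "invalid credentials: the [ldap] username/password bind failed",
    "525": "user not found",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}


def diagnose(line):
    """Return (result_code, cause, fix) for one exception line, else None."""
    m = LDAP_ERR.search(line)
    if m is None:
        return None
    code, data = int(m.group(1)), m.group(2)
    if code == 1:
        # operationsError; the server text says a bind must precede the search
        return (code, "anonymous search rejected, a bind is required first",
                "set [ldap] username/password to a service account, "
                "or try auth.type = LDAP_BIND")
    if code == 49:
        return (code, AD_DATA.get(data, "invalid credentials (AD data " + data + ")"),
                "make [ldap] username the service account's full DN, "
                "e.g. cn=<svc>,dc=example,dc=invalid, and check the password")
    return (code, "LDAP result code not handled here", "check the server log")


def diagnose_log(text=SAMPLE_LOG):
    """Diagnose every line of an error.log excerpt, skipping non-LDAP lines."""
    return [d for d in map(diagnose, text.splitlines()) if d is not None]
```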

mohan chand

Oct 12, 2017, 2:53:30 AM10/12/17
to Repo and Gerrit Discussion
Hi All

Many thanks for your suggestions in advance.

I was able to log in to Gerrit with LDAP users, but I could not log in with the admin account to create projects.

Could you please help with this? Please let me know how to add users specific to interactive and non-interactive users in LDAP (my LDAP is on an Ubuntu machine, installed using the command 'apt-get install slapd ldap-utils').


In the gerrit.config file I have kept:
[ldap]
        server = ldap://xxx.xxx.xx.xxx:389
        username = cn=admin,dc=zxxxc,dc=zxxxc,dc=com    <-- this is the admin user in ldap
        password = Ad*********
        accountBase = ou=users,dc=zxxxc,dc=zxxxc,dc=com
        groupBase = ou=groups,dc=zxxxc,dc=zxxxc,dc=com
        accountEmailAddress = mail
        accountFullName = displayName
        accountPattern = (cn=${username})