Re: gerrit + ldap: how to get ldap groups working on gerrit?


Alex Blewitt

Mar 28, 2013, 9:29:00 AM
to Luis García Acosta, repo-d...@googlegroups.com
On 28 Mar 2013, at 09:03, Luis García Acosta wrote:

> groupMemberPattern = (member=${dn})

The variable ${dn} isn't known; I think you mean ${groupname}:

"The variable ${groupname} is replaced with the search term supplied by the group owner."

Also note that if your LDAP server uses referrals, they aren't enabled by default. You can enable this with 'ldap.referral=follow' if that's useful.

Alex


Alex Blewitt

Mar 28, 2013, 10:20:36 AM
to Luis García Acosta, repo-d...@googlegroups.com
On 28 Mar 2013, at 09:52, Luis García Acosta wrote:

> Hi Alex,
>
> my logic says that groupMemberPattern is the search pattern gerrit will use to find USERS in FOUND GROUPS given groupPattern. So it will expect something pointing to users and not to groups. Of course my logic might be totally screwed.

What are you putting into the Gerrit UI? It will be something like ldap/foo, I expect?

The lookup will expect to match 'foo' with this result. What happens when you do an ldapsearch using the group search? Does it return an attribute which has the value 'foo' in there?

Alex

Edwin Kempin

Mar 28, 2013, 10:43:26 AM
to Luis García Acosta, repo-d...@googlegroups.com


2013/3/28 Luis García Acosta <lgar...@gmail.com>
Yes that part works, I get the groups from ldap (see ldap-groups.png for an X project), but groups are not associated with users! So users can't do anything with the project
Which version of Gerrit are you running?
AFAIK only Gerrit 2.6-rc0 shows the LDAP groups under Settings -> Groups (only those LDAP groups for which permissions have been assigned)
Have you actually tried if the assigned has an effect on the users permissions?
 


Alex Blewitt

Mar 28, 2013, 10:47:50 AM
to Luis García Acosta, repo-d...@googlegroups.com
On 28 Mar 2013, at 10:28, Luis García Acosta wrote:

> Yes that part works, I get the groups from ldap (see ldap-groups.png for an X project), but groups are not associated with users! So users can't do anything with the project

You might want to check it's not a caching issue; I've seen delays between making changes in LDAP and having it reflected in Gerrit because they're looked up once and then cached for a while (up to LDAP timeout; cache.ldap_groups.maxAge is 1h).

Alex

Luis García Acosta

Mar 28, 2013, 11:04:43 AM
to repo-d...@googlegroups.com, Luis García Acosta


On Thursday, March 28, 2013 3:43:26 PM UTC+1, Edwin Kempin wrote:
Which version of Gerrit are you running?

Indeed, I'm using the stable version 2.5.2. That explains the showing part
 
Have you actually tried if the assigned has an effect on the users permissions?

What do you mean by assigned? Do you mean that, for instance, John Smith belongs to General developers (in ldap), and General developers can administrate project A (set in gerrit web ui)? When I log in as John Smith I can't see the group General developers listed under Settings->Groups (settings.png), and I can't even see project A

@alex I don't have any settings for cache, I think default is disabled unless you specify something as per: http://gerrit.googlecode.com/svn/documentation/2.1/config-gerrit.html#cache

Again, the problem is that users don't retrieve the groups they belong to. I still think it is a problem with my configuration

Edwin Kempin

Mar 28, 2013, 11:13:21 AM
to Luis García Acosta, repo-d...@googlegroups.com
2013/3/28 Luis García Acosta <lgar...@gmail.com>
On Thursday, March 28, 2013 3:43:26 PM UTC+1, Edwin Kempin wrote:
Which version of Gerrit are you running?

Indeed, I'm using the stable version 2.5.2. That explains the showing part
 
Have you actually tried if the assigned has an effect on the users permissions?

What do you mean by assigned? Do you mean that, for instance, John Smith belongs to General developers (in ldap), and General developers can administrate project A (set in gerrit web ui)? When I log in as John Smith I can't see the group General developers listed under Settings->Groups (settings.png), and I can't even see project A
Sorry for the typo, I wanted to write 'assignment'. But yes, this is what I meant. Log in with a user who is a member of that LDAP group and see if the assigned permissions have an effect. Since you have assigned the 'Administrate Server' capability to the LDAP group 'ldap/global administrators', the easiest check would probably be to log in with a user who is a member of 'ldap/global administrators' and check whether the 'Projects > Create New Project' menu is visible.
 

@alex I don't have any settings for cache, I think default is disabled unless you specify something as per: http://gerrit.googlecode.com/svn/documentation/2.1/config-gerrit.html#cache

Again, the problem is that users don't retrieve the groups they belong to. I still think it is a problem with my configuration

Luis García Acosta

Mar 28, 2013, 1:10:16 PM
to repo-d...@googlegroups.com
Yes I tried something like that already; granted read, push, merge and other things to a group, as you can see in the .png. I logged in as a user belonging to that group, and nothing. I can't see the project

Luis García Acosta

Apr 2, 2013, 4:59:27 AM
to repo-d...@googlegroups.com
Has someone implemented this successfully? Could you share your config file for Gerrit and part of the ldif from your ldap?

Alex Blewitt

Apr 4, 2013, 9:00:14 AM
to Luis García Acosta, repo-d...@googlegroups.com
On 2 Apr 2013, at 04:59, Luis García Acosta wrote:

> Has someone implemented this successfully? Could you share your config file for Gerrit and part of the ldif from your ldap?

The ldap group management does work, but I can't send it through. First, I'd see if enabling the ldap.referral=follow makes any difference. Depending on your LDAP setup, you may find it has an effect (and doesn't hurt to try). When it's working, you can remove it if it has no negative effect.

Try doing searches which replicate what Gerrit will do against the database, for example:

ldapsearch -x -b <ldap.groupBase> -H <ldap.server> <ldap.groupPattern with ${groupname} replaced with the group name, e.g. global developers>

That should show you a group.

For the members, it should show you entries which will match your groupMemberPattern (or you can just limit the search result to contain the group name and group members, e.g. add 'cn member' to the search term).

The value returned by the member should then be something that shows up in the ldap search for the entries:

ldapsearch -x -b <ldap.accountBase> -H <ldap.server> <ldap.accountPattern with ${username} replaced with the user's 'username'>

This should show you a list of attributes including one that matches the 'member' term above.

Depending on how you're doing authentication, the ${username} will either be a short unix style name (e.g. 'alex') or if you're doing LDAP auth something more complex (e.g. uid=alex,cn=example,cn=com). Either way you need to ensure that this value matches the one from the accountBase above with the ${username} field; so if it's a short name, uid=${username} might be appropriate; if it's an LDAP name then dn=${username} might be more appropriate.

Alex

Robin Coe

Oct 25, 2013, 3:00:23 PM
to repo-d...@googlegroups.com, Luis García Acosta
Does gerrit use an anonymous bind, as in your example (i.e., ldapsearch -x ...) or does it use the ldap credentials (i.e., ldap.username and ldap.password ) in the config?

I only get my ldap groups returned when I run ldapsearch with credentials:
# ldapsearch -b OU=Gerrit,OU=***,OU=***,DC=***,DC=***,DC=*** -h <ldap.server.host> -D CN=<bind user>,CN=Users,DC=***,DC=***,DC=*** -w '<bind password>' -s one

However, when I log in using an account that is in the Administrators group, gerrit does not retrieve the group members.  My company will not allow an anonymous bind, so I want to make sure that I have everything configured correctly before I go any further with this.

Thanks.

Shawn Pearce

Oct 28, 2013, 5:45:18 AM
to Robin Coe, repo-discuss, Luis García Acosta
On Fri, Oct 25, 2013 at 12:00 PM, Robin Coe <rco...@gmail.com> wrote:
> Does gerrit use an anonymous bind, as in your example (i.e., ldapsearch -x
> ...) or does it use the ldap credentials (i.e., ldap.username and
> ldap.password ) in the config?

If present, Gerrit binds with ldap.username and ldap.password to query
group membership information. If these are missing, it does an
anonymous bind for group information.

Alex Blewitt

Oct 28, 2013, 5:48:21 AM
to Robin Coe, repo-d...@googlegroups.com, Luis García Acosta
On 25 Oct 2013, at 21:00, Robin Coe wrote:

> Does gerrit use an anonymous bind, as in your example (i.e., ldapsearch -x ...) or does it use the ldap credentials (i.e., ldap.username and ldap.password ) in the config?
>
> I only get my ldap groups returned when I run ldapsearch with credentials:
> # ldapsearch -b OU=Gerrit,OU=***,OU=***,DC=***,DC=***,DC=*** -h <ldap.server.host> -D CN=<bind user>,CN=Users,DC=***,DC=***,DC=*** -w '<bind password>' -s one
>
> However, when I log in using an account that is in the Administrators group, gerrit does not retrieve the group members. My company will not allow an anonymous bind, so I want to make sure that I have everything configured correctly before I go any further with this.

Gerrit can be configured with either user-level password or system-level password for the LDAP groups.

If you use LDAP only authentication, it will pass the userid/password that the user logs into through to the LDAP server for authentication. So it will bind in that userid/password. (It may use those for groups as well; I don't know.)

If you use HTTP+LDAP, it will use HTTP authentication and uses the LDAP for the groups only. In this case, it will use the ldap.username and ldap.password to bind in order to acquire the groups.

Alex

Robin Coe

Oct 29, 2013, 9:14:21 AM
to repo-d...@googlegroups.com, Robin Coe, Luis García Acosta
In my case, I'm using LDAP only and authentication is working perfectly; it's just the groups that aren't being brought back.  I've tested the credentials independently, using apache directory studio to make the connection with the account, as well as ldapsearch.  I've used both the user's DN and "domain\\sAMAccountName" in both apacheds and ldapsearch and the filter from gerrit.config returns the groups.  However, neither the user's DN nor sAMAccountName in the gerrit.config works.  I'm also not seeing any errors reported to the error.log, so tracing this is a bit of a pain.

Perhaps the documentation should be clarified to indicate exactly what format the username should be in.  Or, perhaps it's the format of the password?  I assume that gerrit is using unicode to capture the config values?  My LDAP password is strong and uses non-ascii characters.  Could that be a problem?

Thanks,
Robin.

Robin Coe

Oct 29, 2013, 10:20:54 AM
to repo-d...@googlegroups.com, Robin Coe, Luis García Acosta
Follow up...

I did more testing using LDAP_BIND and am seeing very strange and inconsistent behaviour.  For one, my own account that can authenticate when gerrit is set to auth.LDAP fails to authenticate when LDAP_BIND is used.  However, the account that gerrit is configured to use is able to authenticate but still fails to bring back groups.  The difference between my account and the gerrit account is that the accounts are in different OUs.  However, both are under the top level domain that I'm using with subtree search.  Both accounts work with ldapsearch.

So, it seems to me that the authentication mechanism isn't deterministic and does not match with the documentation.  For instance, ldap_bind says that authentication uses a simple bind, which cannot be correct, as I am only able to connect with the sAMAccountName, without the domain prefix, not the userPrincipalName and/or FQDN.  AD will not bind the sAMAccountName without the domain, so I'm wondering what's going on under the hood. (For reference of what AD does, see this, http://msdn.microsoft.com/en-us/library/cc223499.aspx.)

Also, there's no logging to speak of that would help identify the root cause.  I'm left with possibilities I don't have time for at the moment: try to determine what gerrit is actually doing by packet capturing at the server, or analyze the gerrit source code.  Hopefully, instead, someone can explain what I'm seeing and provide some insight.

Thanks,
Robin.

Robin Coe

Oct 31, 2013, 12:58:40 PM
to repo-d...@googlegroups.com, Robin Coe, Luis García Acosta
I've now exhausted all avenues that I can think of and am pleading for help.  I have confirmed that my settings comply with what the documentation says about binding to ldap and have used apache directory studio to perform searches using the filters that I have set in my gerrit.config.  Those filters correctly find all the groups that I belong to, find all the groups below the OU that I want to use as my group base, find my user DN in the member attribute of the LDAP group, and my LDAP group names match the displayed names of the gerrit groups.  That last one is the only real question mark I have.  In the docs, references to gerrit groups use ${groupname} but there's no reference I can find that references which field in the database that is.  But I figure that if I'm to use the group-UUID field, the docs would spell that out, so I'm using the "name" field in the account_groups table.

So, given all this, I'm wondering if there's a configuration that would allow me to use ldap for authentication and the local Db for group membership?  That way, I can use the ldap authn that is functional and ignore the ldap authz that doesn't work.  By the way, I would think, based on the docs, that gerrit will always use its own groups, since the docs stipulate that to use ldap groups in gerrit projects requires prefixing the group name with "ldap/".  However, I have found that even when I set my own account to be a member of the administrators group, I still do not have administrative rights.

Oh, and I would go the route of http authn and authz, except that I don't want to use apache's basic authn, because logging out is impossible without closing the browser.

Thanks for any and all advice.
Robin.

Sean Dowd

Jun 10, 2014, 6:17:54 PM
to repo-d...@googlegroups.com, lgar...@gmail.com
I came across this thread while trying to solve the same problem (group restrictions using LDAP not seeming to work).  The solution I found was to add a setting for ldap.groupMemberPattern.  gerrit appears to use groupPattern to look up group names when you restrict access to the project in the UI; groupMemberPattern seems to check membership on access.

My settings (referral = follow made no difference):
[ldap]
        server = ldaps://ldap.example.com
        accountPattern = (&(objectClass=inetOrgPerson)(mail=${username}))
        accountSshUserName = ${givenName}.${sn}
        accountBase = ou=People,o=example.com
        groupBase = ou=Groups,o=example.com
        groupPattern = (cn=${groupname})
        groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))
        referral = follow

Hope this helps someone.


On Thursday, March 28, 2013 8:03:14 AM UTC-5, Luis García Acosta wrote:
Hi guys, 

after 3 days struggling here and there with gerrit and ldap integration, the documentation is missing in this sense, in my opinion. I expect to have some aspects working, and they are:

1 - Users are able to authenticate in Gerrit with ldap credentials. Name and mail of users are retrieved from ldap (works!)
2 - Gerrit is able to retrieve ldap groups and assign them to projects (works!)
3 - Users belonging to groups in ldap belong to the same mapped group in gerrit (doesn't work). When I log onto Gerrit and go to Settings, the user jsmith belongs only to Anonymous Users and Registered Users. This user can't see any project belonging to the ldap groups global administrators or global developers

This last point has to work! I am pretty sure I am missing something, my configuration: 

LDAP: (I am omitting some parts of the ldif of course, including only relevant parts)
dn: ou=gerrit,dc=company,dc=com 
ou: Gerrit 
objectClass: organizationalUnit 
description: Gerrit OU for gerrit groups and permissions 

dn: cn=global administrators,ou=gerrit,dc=company,dc=com 
cn: Global aministrators 
objectClass: groupOfNames 
description: Gerrit groups for global administrators 
member: cn=John Smith,ou=inhouse,ou=employees,dc=company,dc=com 

dn: cn=global developers,ou=gerrit,dc=company,dc=com 
cn: Global developers 
objectClass: groupOfNames 
description: Gerrit groups for global developers 
member: cn=John Smith,ou=inhouse,ou=employees,dc=company,dc=com 

dn: cn=John Smith,ou=inhouse,ou=employees,dc=company,dc=com
objectClass: posixAccount 
objectClass: inetOrgPerson 
objectClass: shadowAccount 
cn: John Smith 
sn: Smith 
uid: jsmith 
gidNumber: 5001 
uidNumber: 10000 
userPassword: password 
gecos: John Smith 
mail: jsm...@company.com 
homeDirectory: /var/null 

GERRIT:

[gerrit] 
basePath = git 
canonicalWebUrl = http://www.gerrit.local:8080/ 

[database]
type = mysql 
hostname = localhost 
database = gerrit 
username = gerrit 
password = gerrit 

[auth]
type = LDAP 

[ldap]
server = ldap://xx.xx.xx.xx 
accountBase = ou=inhouse,ou=employees,dc=company,dc=com 
groupBase = ou=gerrit,dc=company,dc=com 
username = cn=admin,dc=company,dc=com 
password = pass123 
accountFullName = gecos 
accountEmailAddress = mail 
groupPattern = (&(objectClass=groupOfNames)(cn=${groupname})) 

groupMemberPattern = (member=${dn}) 

[sendemail]
smtpServer = localhost 

[container]
user = gerrit 
javaHome = /usr/lib/jvm/java-7-openjdk-amd64/jre 

[sshd]
listenAddress = *:24004 

[httpd]
listenUrl = http://*:8080/ 

What am I missing? Thanks!
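Alex's advice above to replay Gerrit's own lookups (accountPattern with ${username}, then groupMemberPattern with ${dn}) and Sean's finding that groupMemberPattern is what ties users to groups can both be checked offline. The following is an added example, not Gerrit's code or anything posted in this thread: a small Python simulator that applies an [ldap] section to LDIF entries modelled on Luis's. SAMPLE_LDIF and THREAD_CONFIG are constructed here, accountPattern is assumed to be Gerrit's documented default, and the filter evaluator covers only the &, | and equality forms these patterns use.

```python
import re
from string import Template
# Constructed sample LDIF, modelled on the entries Luis posted (not real data).
SAMPLE_LDIF = """\
dn: cn=global administrators,ou=gerrit,dc=company,dc=com
cn: Global administrators
objectClass: groupOfNames
member: cn=John Smith,ou=inhouse,ou=employees,dc=company,dc=com

dn: cn=global developers,ou=gerrit,dc=company,dc=com
cn: Global developers
objectClass: groupOfNames
member: cn=John Smith,ou=inhouse,ou=employees,dc=company,dc=com

dn: cn=John Smith,ou=inhouse,ou=employees,dc=company,dc=com
objectClass: inetOrgPerson
cn: John Smith
uid: jsmith
mail: jsmith@company.com
"""
# [ldap] keys taken from Luis's config; accountPattern is Gerrit's documented default.
THREAD_CONFIG = {
    "accountBase": "ou=inhouse,ou=employees,dc=company,dc=com",
    "accountPattern": "(uid=${username})",
    "groupBase": "ou=gerrit,dc=company,dc=com",
    "groupMemberPattern": "(member=${dn})",
}

def parse_ldif(text):
    """Return one {attribute(lowercased): [values]} dict per LDIF entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, flt):
    """Evaluate the filter subset Gerrit patterns use: (&..), (|..), (attr=value)."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("malformed filter: " + flt)
    body = flt[1:-1]
    if body[:1] in ("&", "|"):
        parts, depth, start = [], 0, 1          # split the sub-filters at depth 0
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(body[start:i + 1]); start = i + 1
        hits = [matches(entry, p) for p in parts]
        return all(hits) if body[0] == "&" else any(hits)
    attr, _, value = body.partition("=")       # DNs and cn compare case-insensitively
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def resolve_groups(entries, cfg, username):
    """Mimic Gerrit: accountPattern finds the user's DN, groupMemberPattern the groups."""
    in_base = lambda e, b: e["dn"][0].lower().endswith(b.lower())
    acct = Template(cfg["accountPattern"]).substitute(username=username)
    users = [e for e in entries if in_base(e, cfg["accountBase"]) and matches(e, acct)]
    if len(users) != 1:                         # Gerrit needs exactly one account hit
        return None
    grp = Template(cfg["groupMemberPattern"]).substitute(dn=users[0]["dn"][0])
    return sorted(e["cn"][0] for e in entries
                  if in_base(e, cfg["groupBase"]) and matches(e, grp))
```

Swapping THREAD_CONFIG["groupMemberPattern"] for a filter that names the wrong attribute (for example uniqueMember against groupOfNames entries) returns an empty list for jsmith, which is the symptom the thread describes.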

Anu

Dec 9, 2014, 7:44:26 AM
to repo-d...@googlegroups.com, lgar...@gmail.com
Hello,

Yes, this saved my life. I have been trying for almost 2 weeks to setup this - considering internal LDAP group for development/project/administration privileges. 
And the clue related to "groupMemberPattern" helped to solve that issue. Thanks a lot :-)

Best regards, Anu.

Mohan .S

Apr 7, 2015, 6:40:47 AM
to repo-d...@googlegroups.com, lgar...@gmail.com
Hi Team,

I am trying to configure LDAP with gerrit version 2.10.2, but I am getting the errors below. Kindly help me with this.

My gerrit.config settings are as follows:


[auth]
  type = LDAP

[ldap]
  accountBase = ou=people,dc=sisldomain,dc=com
  accountPattern = (&(objectClass=person)(uid=${username}))
  accountFullName = displayName
  accountEmailAddress = mail
  groupBase = ou=gerrit,dc=sisldomain,dc=com
  groupMemberPattern = (&(objectClass=group)(member=${dn}))


I have modified only the highlighted part, but my Gerrit web UI shows an 'Authentication unavailable at this time' error.

Gerrit error.log is as follows:

[2015-04-07 16:06:38,385] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to authenticate userjavax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'ou=people,dc=sisldomain,dc=com'

Thanks,
Mohan

Zohaib ahmed hassan

Jun 23, 2015, 6:35:38 AM
to repo-d...@googlegroups.com, lgar...@gmail.com

Hi, I have the same situation now and I am unable to move forward. Please tell me what the workflow of LDAP groups will be:
1 - Is it necessary to include LDAP groups in Gerrit groups?
2 - Or are LDAP groups independent in Gerrit?
3 - What should be done in LDAP?
[auth]
       type = HTTP_LDAP
[ldap]
       server = ldap://ldap.company.lab
       referral = follow
       sslVerify = false
       username = cn=admin,dc=ci,dc=company,dc=lab
       password = password
       accountPattern = (&(objectClass=inetOrgPerson)(mail=${username}))
       accountBase = ou=People,dc=ci,dc=company,dc=lab
       groupBase = ou=Groups,dc=ci,dc=company,dc=lab
       groupPattern = (cn=${groupname})
       groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))


Gerrit version is 2.9 and I am using Active Directory as the LDAP to authenticate. Please tell me where I am wrong.

Edwin Kempin

Jun 23, 2015, 7:31:48 AM
to Zohaib ahmed hassan, Repo and Gerrit Discussion, Luis García Acosta
2015-06-23 12:35 GMT+02:00 Zohaib ahmed hassan <zohaib.ha...@gmail.com>:

Hi, I have the same situation now and I am unable to move forward. Please tell me what the workflow of LDAP groups will be:
1 - Is it necessary to include LDAP groups in Gerrit groups?
No, in Gerrit you can directly assign access rights to LDAP groups.
 
2 - Or are LDAP groups independent in Gerrit?
Yes, LDAP groups are independent of Gerrit groups.
 
3 - What should be done in LDAP?
In LDAP you assign users to LDAP groups.
In Gerrit you assign access rights to LDAP groups (or Gerrit groups).

 

