How to fix Gerrit account when user changed user-id and/or email address

[Matthias Sohn]

From time to time we have users changing user-id and/or email address e.g. since they left

the company and later rejoined.

Today I helped a user to regain access to Gerrit who had left the company. Later he rejoined the

company and got a new user-id and email address. After a while he decided to switch back

to his old email address which he had used with his old account before leaving the company.

After this change in LDAP he could no longer login to Gerrit. 

We currently use Gerrit from latest stable-2.16 branch and auth type CLIENT_SSL_CERT_LDAP

which is essentially LDAP plus single-sign-on via client certificates typically used in the browser.

Here the situation I had to fix:

old Gerrit account 

"inactive": true,

“_account_id”: 1012077,
“name”: “John Doe”,
“email”: “john...@example.com”,
“secondary_emails”: [],
“username”: “abc”,

new Gerrit account the user got after rejoining the company

“_account_id”: 1345332,
“name”: “John Doe”,
“email”: “john...@example.com”,
“secondary_emails”: [],
“username”: “xyz”,

then the email address in LDAP was changed back to the old email address john...@sap.com.

After that the user couldn't login to Gerrit anymore.

Note that the old account is inactive. We use the deactivation background task to deactivate users

which disappear from LDAP or are set inactive there.

I tried to set the correct email address on the new Gerrit account using REST API [1]. This failed with

the error (only visible in the error log) that this email address is already used by the old (inactive) Gerrit account.

I tried to delete the email address from the old and also from the new Gerrit account via REST API [2]. This both failed with the error

"Cannot remove e-mail 'john...@example.com' which is directly associated with CLIENT_SSL_CERT_LDAP authentication".

This check was introduced in [3] and seems not to care if the account using this email address is inactive or not.

Finally we could delete the old account's external ids using [4] then delete the email address from the old, inactive account using [2]

and only then we could set the correct email address on his new, active account using [1].

Is it really necessary that this is so complicated ?

Shouldn't email address and user-id of inactive accounts be ignored in such constraints ?

Why can't the email address of an inactive account be deleted ?

Why doesn't deleting the email address from an inactive command not cascade to also delete it from external ids (or vice versa) ?

What's the best way to improve this ?

[1] https://gerrit-documentation.storage.googleapis.com/Documentation/2.16.21/rest-api-accounts.html#create-account-email

[2] https://gerrit-documentation.storage.googleapis.com/Documentation/2.16.21/rest-api-accounts.html#delete-account-email

[3] https://gerrit-review.googlesource.com/c/gerrit/+/267616

[4] https://gerrit-documentation.storage.googleapis.com/Documentation/2.16.21/rest-api-accounts.html#delete-account-external-ids

-Matthias

[Doug Luedtke]

When I was on Gerrit 2.16.15, I was able to use SSH to remove the email address on the old, inactive account. This wasn't possible until the fixes released in Gerrit 2.16.12. To delete an email address, it cannot be the preferred email for an account. First add a fake email to the old Gerrit account, change the preferred email, then delete the good email address. Since upgrading to Gerrit 3.1.5 it becomes a little bit more difficult by inactive usernames are no longer able to be reached by the commands. I clone the All-Users repo, checkout refs/meta/external-ids and "grep -irl" for the old username to get the Account ID. Then I can use the SSH commands to activate an account or update email addresses.

2.16 can still use the username or email to find an inactive user. 3.1 can only find inactive accounts via Account ID.

Find the old user account ID. Add a new email to their Gerrit account. Suggest adding .old to the existing email address.

ssh -p 29418 gerrit.company.com gerrit set-account --add-email "'first.l...@company.com'" accountID

Change the old user account preferred email to the newly added email.

ssh -p 29418 gerrit.company.com gerrit set-account --preferred-email "'first.l...@company.com'" accountID

Delete the shared email from the old user's account.

ssh -p 29418 gerrit.company.com gerrit set-account --delete-email "'first...@company.com'" accountID

Then the user will be able to sign in with their new LDAP account. 

I have not had to do an email change for several months since upgrading to Gerrit 3.1.