multiple ldap accountbase support


Xianghua Xiao

Feb 2, 2011, 9:57:48 AM
to Repo and Gerrit Discussion
Is it possible to support multiple ldap.accountBase in Gerrit? We have
a lot of different DN but there is not one universal DN to cover
everyone, strangely.

xianghua

Edwin Kempin

Feb 3, 2011, 1:10:01 AM
to Xianghua Xiao, Repo and Gerrit Discussion
I don't know much about ldap, but on our Gerrit installation we have configured
two accountbases. In the gerrit.config file in the '[ldap]' section simply add a
second 'accountBase' line. For us this configuration is working fine.


Shawn Pearce

Feb 3, 2011, 12:19:46 PM
to Edwin Kempin, Xianghua Xiao, Repo and Gerrit Discussion
Yes, it's not documented, but both accountBase and groupBase DN can be
given multiple times. The server searches all of them, and allows a
user to login if exactly one result was found. If it finds multiple
results, it refuses login.

Xianghua Xiao

Feb 3, 2011, 12:37:40 PM
to Shawn Pearce, Edwin Kempin, Repo and Gerrit Discussion
cool.

As Active Directory disallows anonymous binding by default, I had to
use one account to bind to the ldap server in gerrit.config, only
after that others can authenticate via Gerrit's login button using
their own username.

There might be someone in more than one accountBase though.

Xianghua

Shawn Pearce

Feb 3, 2011, 12:46:18 PM
to Xianghua Xiao, Edwin Kempin, Repo and Gerrit Discussion
On Thu, Feb 3, 2011 at 09:37, Xianghua Xiao <xiaoxi...@gmail.com> wrote:
>
> As Active Directory disallows anonymous binding by default, I had to
> use one account to bind to the ldap server in gerrit.config, only
> after that others can authenticate via Gerrit's login button using
> their own username.

Yup, that's somewhat normal. Gerrit needs to be able to login and
lookup group membership for someone else in order to evaluate that
other person's current permission set. This happens when a change gets
submitted, for example, Gerrit double checks that the reviewer's
approvals are still valid at submit time. Doing that requires having a
way to query the LDAP directory without depending upon a user logging
in. Hence Gerrit needs its own account.

> There might be someone in more than one accountBase though.

This will be a problem for you. The server refuses to allow such a
duplicated user to login because it doesn't know which DN it should
use to construct group membership. I might be able to be convinced
that a new ldap configuration option to union the DNs and thus the
group membership is reasonable here, but that may be playing with
fire. If an organization has two different accountBases because there
are two Active Directory domains, and each domain has created their own
"bob" user (because each domain has a "Bob" working there and that's
their login) you will be in a world of trouble when both want to use
Gerrit. :-(
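
The exactly-one-match rule Shawn describes, as an added example that is not Gerrit's own code: a constructed gerrit.config fragment with repeated accountBase/groupBase keys is parsed into lists, and a lookup over a constructed in-memory directory shows why a "bob" present under two bases is refused. The DIRECTORY dict, the DNs and the attribute names are assumptions; the subtree match is a simplified suffix check, not a real LDAP search.

```python
import re
from collections import defaultdict

# Constructed gerrit.config fragment using the undocumented repeated-key form.
GERRIT_CONFIG = """
[ldap]
    server = ldap://ldap.example.com
    username = cn=gerrit-bind,dc=example,dc=com
    accountBase = ou=people,dc=corp,dc=example,dc=com
    accountBase = ou=people,dc=lab,dc=example,dc=com
    groupBase = ou=groups,dc=corp,dc=example,dc=com
    groupBase = ou=groups,dc=lab,dc=example,dc=com
    accountPattern = (uid=${username})
"""

# Constructed in-memory directory (DN -> attributes); "bob" exists under both bases.
DIRECTORY = {
    "uid=alice,ou=people,dc=corp,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=corp,dc=example,dc=com": {"uid": "bob"},
    "uid=bob,ou=people,dc=lab,dc=example,dc=com": {"uid": "bob"},
}


def parse_ldap_section(text):
    """Parse the [ldap] section, keeping every repeated key as a list (git-config style)."""
    values, in_ldap = defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_ldap = line.lower() == "[ldap]"
        elif in_ldap and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()].append(val.strip())
    return values


def resolve_account(username, config):
    """Search every accountBase; login is allowed only when exactly one DN matches.

    Returns ("ok", dn), ("ambiguous", [dn, ...]) or ("unknown", []).
    """
    # Pull the attribute name out of accountPattern, e.g. "(uid=${username})" -> "uid".
    attr = re.match(r"\((\w+)=\$\{username\}\)", config["accountPattern"][0]).group(1)
    hits = []
    for base in config["accountBase"]:
        suffix = "," + base.lower()
        for dn, attrs in DIRECTORY.items():
            if dn.lower().endswith(suffix) and attrs.get(attr) == username:
                hits.append(dn)
    if len(hits) == 1:
        return ("ok", hits[0])
    return ("ambiguous", hits) if hits else ("unknown", [])
```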

Anooj Gopi

Sep 9, 2014, 4:30:33 AM
to repo-d...@googlegroups.com, edwin....@gmail.com, xiaoxi...@gmail.com
Thanks Shawn.
Adding multiple accountBase and groupBase DN work like a charm.