Gerrit and Active Directory

一向 2021-02-04 14:43

I'm trying to set up Gerrit to use our corporate Active Directory for authentication. I know plenty of people have managed to get this to work but it just won't work for me.

4 answers
  • 2021-02-04 15:16

    The error is that you are trying to search without binding, but that is what your LDAP app is supposed to do for you, thus Gerrit should have used the info provided, bound, then searched. But the error implies it is skipping a step there.

  • 2021-02-04 15:25

    I struggled to get it working (Gerrit 2.13.1). At that time I was in a highly regulated company, so I did not dare to request the creation of a dedicated user for Gerrit on the company's Active Directory. Unfortunately the standard user creation process in this company (in Windows?) was last name and first name, leading to an AD username like:

    CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
          ^
          |

    Expert eyes would see problems maybe through the space character in OU=EvilCorp Users, but it is the comma in the LastName, FirstName pattern like CN=Doe, John that created the problem.

    Once I had my Gerrit dedicated user created (GerritUser, without first name), the line:

    username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp

    was accepted and I was able to log in with my usual personal Windows / AD user id and password.

    Note that the gerrit.config file is declared invalid if you try to escape the comma like CN=Doe\, John... with or without double quotes.

    It is clear for a regex writer that cutting on comma only would be more convenient.

    Note: tested with gerrit on Windows

    Abstract of etc/gerrit.config

    ...
    [auth]
    type = LDAP
    [ldap]
    server = LDAP://xx.yy.zz.ww
    username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
    accountBase = ou=EvilCorp Users,dc=foo,dc=bar,dc=corp
    accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
    accountFullName = displayName
    accountEmailAddress = mail
    ...
    

    Abstract of etc/secure.config

    ...
    [ldap]
    password = Password_Of_GerritUser
    ...
    
  • 2021-02-04 15:31

    Sorry guys, my fault here. In my config I'm using ldap.user as my setting name instead of ldap.username. Once I changed that my AD binding works properly.

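Two of the failure modes in this thread can be caught before Gerrit ever attempts the bind: the unescaped comma inside a CN (the "Doe, John" case from the longer answer above) and the ldap.user / ldap.username key mix-up from the answer just above. The Python below is an added example, not code from any of the posters, from Gerrit or from JGit; it splits the bind DN on unescaped commas following RFC 4514 backslash escaping, reads a minimal git-config style file (subsections and multi-valued keys are ignored, which is enough for an [ldap] block), and reports both problems. The two sample configs are constructed for this example; their DN values mirror the ones in the answer.

```python
from __future__ import annotations
import re

# --- RFC 4514 distinguished-name handling -----------------------------------

def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings on unescaped commas.
    A backslash escapes the next character, so 'Doe\\, John' stays inside
    one RDN while an unescaped 'Doe, John' is cut into two pieces."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    return rdns


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute, value), ...] or raise ValueError for an RDN that
    has no 'attribute=value' form, the symptom of an unescaped comma."""
    out = []
    for rdn in split_dn(dn):
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip():
            raise ValueError(
                f"RDN {rdn!r} has no attribute=value form "
                "(unescaped comma inside a value?)")
        out.append((attr.strip(), value.strip()))
    return out


def check_dn(dn: str) -> list[str]:
    """Problems found in a DN; empty list when it parses cleanly."""
    try:
        parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    return []


# --- minimal git-config style reader (the syntax gerrit.config uses) --------

_SECTION = re.compile(r'^\[(\w+)(?:\s+"[^"]*")?\]$')   # subsection name dropped

def parse_git_config(text: str) -> dict[str, dict[str, str]]:
    """Parse '[section]' and 'key = value' lines. Section and key names are
    case-insensitive in this syntax, so both are lower-cased here."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        key, eq, value = line.partition("=")
        if current is None or not eq:
            continue            # stray line; skipped rather than rejected here
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_ldap_section(cfg: dict[str, dict[str, str]]) -> list[str]:
    """Report the two mistakes discussed in the thread for the [ldap] block."""
    problems = []
    ldap = cfg.get("ldap", {})
    if "user" in ldap and "username" not in ldap:
        problems.append("ldap.user is not the bind-DN setting; the key is ldap.username")
    bind_dn = ldap.get("username") or ldap.get("user")
    if bind_dn:
        problems += [f"bind DN: {p}" for p in check_dn(bind_dn)]
    return problems


# Constructed sample configs for this example (DNs mirror the answer above).
GOOD_CONFIG = """
[auth]
    type = LDAP
[ldap]
    server = LDAP://xx.yy.zz.ww
    username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
    accountBase = ou=EvilCorp Users,dc=foo,dc=bar,dc=corp
    accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
"""

BAD_CONFIG = """
[auth]
    type = LDAP
[ldap]
    server = LDAP://xx.yy.zz.ww
    user = CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_ldap_section(parse_git_config(text)) or "OK")
```

Note that at the DN level `CN=Doe\, John,...` parses cleanly into five RDNs with the comma kept inside the CN; the rejection the answer describes for that form comes from how gerrit.config itself treats the backslash, which is outside what this script checks. The script is only a pre-flight for the DN and key names; a bind failure against the real directory still has to be debugged from Gerrit's error log.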
  • 2021-02-04 15:31

    In your example you use "CN=adam,CN=Users,DC=myusers,DC=com", but the error message indicates that the distinguished name should be something like ...,CN=Users,DC=NRII,DC=com. Check that the base objects you specify in the configuration are correct, for example, to which entry is cn=adam subordinate?
