Gerrit and Active Directory

早过忘川 submitted on 2019-12-04 08:51:39

Question


I'm trying to set up Gerrit to use our corporate Active Directory for authentication. I know plenty of people have managed to get this to work but it just won't work for me.

If I run an ldapsearch command as follows I get the correct result, so I know my search strings are correct:

ldapsearch -h myserver -b "CN=Users,DC=mycompany,DC=com" -D "CN=adam,CN=Users,DC=mycompany,DC=com" -w mypassword "(sAMAccountName=adam)"

But using these same settings in my Gerrit config doesn't work:

[auth]
    type = LDAP
[ldap]
    server = ldap://myserver
    accountBase = CN=Users,DC=mycompany,DC=com
    groupBase = OU=Gerrit,DC=mycompany,DC=com
    user = CN=adam,CN=Users,DC=mycompany,DC=com
    password = mypassword
    referral = follow
    accountPattern = (sAMAccountName=${username})
    groupPattern = (cn=${groupname})
    accountFullName = displayName
    accountMemberField = memberOf
    accountEmailAddress = mail

When I try to log in using my account I get the following exception in etc/error_log:

[2012-05-04 10:03:04,595] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@]; remaining name 'CN=Users,DC=mycompany,DC=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
    [...]

Has anyone set up a similar configuration that might be able to help?


Answer 1:


Sorry guys, my fault here. In my config I'm using ldap.user as my setting name instead of ldap.username. Once I changed that my AD binding works properly.




Answer 2:


In your example you use "CN=adam,CN=Users,DC=myusers,DC=com", but the error message indicates that the distinguished name should be something like ...,CN=Users,DC=NRII,DC=com. Check that the base objects you specify in the configuration are correct, for example, to which entry is cn=adam subordinate?




Answer 3:


The error is that you are trying to search without binding, but that is what your LDAP app is supposed to do for you, thus Gerrit should have used the info provided, bound, then searched. But the error implies it is skipping a step there.




Answer 4:


I struggled to get it working (Gerrit 2.13.1). At that time I was in a highly regulated company, so I did not dare to request the creation of a dedicated user for Gerrit on the company's Active Directory. Unfortunately the standard user creation process in this company (in Windows?) was last name and first name, leading to an AD username like:

CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
      ^
      |

Expert eyes would maybe see problems through the space character in OU=EvilCorp Users, but it is the comma (,) in the LastName, FirstName pattern like CN=Doe, John that created the problem.

Once I had my Gerrit dedicated user created (GerritUser, without first name), the line:

username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp

was accepted and I was able to log in with my usual personal Windows / AD user id and password.

Note that the gerrit.config file is declared invalid if you try to escape the comma like CN=Doe\, John..., with or without double quotes.

It is clear for a regex writer that cutting on comma only would be more convenient.

Note: tested with Gerrit on Windows.

Abstract of etc/gerrit.config

...
[auth]
type = LDAP
[ldap]
server = LDAP://xx.yy.zz.ww
username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
accountBase = ou=EvilCorp Users,dc=foo,dc=bar,dc=corp
accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
accountFullName = displayName
accountEmailAddress = mail
...

Abstract of etc/secure.config

...
[ldap]
password = Password_Of_GerritUser
...
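A small lint for the two configuration pitfalls this thread turns up, the ldap.user vs ldap.username key from answer 1 and a bind DN with an embedded comma from answer 4; this is an added example, not code from the thread or from Gerrit, and the sample config below is constructed from the question's values with answer 4's comma-containing DN substituted in.

```python
"""Lint the [ldap] section of an etc/gerrit.config for the pitfalls discussed in this thread."""
import re

# Constructed sample: the question's config, using the wrong key name (user instead
# of username) and the "LastName, FirstName" bind DN from answer 4.
SAMPLE_CONFIG = """\
[auth]
    type = LDAP
[ldap]
    server = ldap://myserver
    accountBase = CN=Users,DC=mycompany,DC=com
    user = CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
    password = mypassword
    accountPattern = (sAMAccountName=${username})
"""

def parse_git_config(text):
    """Minimal reader for git-config syntax: returns {section: {key: value}} (keys lowercased)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514 separator rule)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def lint_gerrit_config(text):
    """Return a list of findings for the [ldap] section of gerrit.config; empty means clean."""
    findings = []
    ldap = parse_git_config(text).get("ldap", {})
    # Answer 1: the bind DN setting is ldap.username; ldap.user is silently ignored.
    if "user" in ldap and "username" not in ldap:
        findings.append("ldap.user is not a Gerrit setting; the bind DN belongs in ldap.username")
    # Answer 4: a comma inside an RDN value splits the DN, and gerrit.config rejects the
    # escaped form 'CN=Doe\, John', so the bind account needs a DN without embedded commas.
    bind_dn = ldap.get("username") or ldap.get("user", "")
    for rdn in split_rdns(bind_dn):
        if rdn and "=" not in rdn:
            findings.append(f"bind DN fragment {rdn!r} has no attribute type: "
                            "an unescaped comma inside a value splits the DN")
    # Answer 4 keeps the bind password in etc/secure.config rather than gerrit.config.
    if "password" in ldap:
        findings.append("ldap.password is in gerrit.config; move it to etc/secure.config")
    return findings
```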


Source: https://stackoverflow.com/questions/10447520/gerrit-and-active-directory
