CandyShop / gerrit

Automatically exported from code.google.com/p/gerrit
Apache License 2.0

Use LDAP for ssh keys #1124

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
LDAP can hold ssh keys for users, using the openssh lpk schema. It should be 
possible to configure gerrit to use LDAP for ssh keys instead of its local 
database.

Original issue reported on code.google.com by rlan...@gmail.com on 7 Sep 2011 at 9:54

GoogleCodeExporter commented 9 years ago
This is a much needed feature.

Original comment by prei...@wikimedia.org on 23 Sep 2011 at 5:48

GoogleCodeExporter commented 9 years ago
The right way to implement this is going to be abstracting more of the account 
storage so we can just replace the SSH key management with LDAP queries. This 
means reading the keys for a user account directly from LDAP instead of from 
the SQL database, and disabling editing of SSH keys in the web UI; these should 
be managed through the LDAP system if Gerrit's accounts are backed by an LDAP 
server.

In the long run we should fix Gerrit so that when connected to an LDAP server, 
all user data comes from the LDAP server, rather than copying selected fields 
into the SQL database.

Original comment by sop@google.com on 23 Apr 2012 at 5:54

GoogleCodeExporter commented 9 years ago
I so much agree. This would be awesome to see come to reality. Hope someone 
picks up this task ASAP. It would make the world more rounded on our side at 
least. :-)

Original comment by djsza...@gmail.com on 23 Apr 2012 at 11:17

GoogleCodeExporter commented 9 years ago
Do we already have a change submitted for this issue?

Original comment by mani.cha...@gmail.com on 28 Jan 2014 at 8:23

GoogleCodeExporter commented 9 years ago
With Google deprecating OpenID, a lot of people are going to switch to LDAP, so 
this feature would make a lot of sense. I might have a hack at it if I get the 
time.

I take it that nobody has started working on it? My own implementation would be 
a crude hack that would forcibly synchronize the database backend with whatever 
is in LDAP.

Original comment by ji...@airtame.com on 13 Nov 2014 at 1:27

GoogleCodeExporter commented 9 years ago
@ji yes, OpenID 2.0 is deprecated, but its successor, OAuth 2.0 for Login (OpenID 
Connect), is and will still be maintained! I don't see why this should be a 
cause to migrate to LDAP?!
The main problem, I think, is that none of the default / commonly used LDAP 
schemas have support for ssh-key fields. You mostly need an additional schema 
to be imported and mostly another administration for this. So to get to the 
point: this feature request is a valid one for me because ssh keys mainly 
address console applications (commit) while OpenID mainly addresses 
web applications (via web browser).

Original comment by m...@konqi.net on 14 Nov 2014 at 7:53

GoogleCodeExporter commented 9 years ago
I'm using FreeIPA and I would love it if I could tell Gerrit that public ssh 
keys are stored as 'ipaSshPubKey' for each person. As long as the ssh config is 
flexible enough, it shouldn't matter what schema the admin has chosen.

Original comment by jeff.gus...@gmail.com on 18 Feb 2015 at 12:15

GoogleCodeExporter commented 9 years ago
I hope I have misunderstood some of the comments suggesting that with the 
addition of supporting LDAP store of SSH keys, that gerrit will disable the 
user setting their SSH key in their profile. I would rather see it stated that 
this feature would allow support to SSH keys from LDAP "IN ADDITION TO" the 
local database rather than "instead of" the local database.

It would be great for gerrit to be able to use the SSH key stored in LDAP (I 
don't know any details of this feature) but users may want to use different SSH 
keys for different servers. It sounds like the way this feature is worded, it 
would be all LDAP or just the local database.

Original comment by Gary.Bur...@sas.com on 25 Feb 2015 at 7:31
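As an added illustration (not Gerrit's own code) of the two points raised in the FreeIPA comment and in the comment just above, this Python snippet reads OpenSSH public keys from an LDAP entry under a configurable attribute name, rejects values that are not well-formed keys (a directory attribute is free text, so nothing guarantees it holds a key), and merges the result with locally stored keys instead of replacing them. The entry, the attribute name and the key material are constructed for the example.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes) -> bytes:
    """Return the first wire-format string in an SSH public key blob."""
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else None
    if n is None or len(blob) < 4 + n:
        raise ValueError("truncated blob")
    return blob[4:4 + n]

def parse_authorized_key(line: str):
    """Validate one authorized_keys-style line; (type, blob, comment) or None."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
        embedded = read_ssh_string(blob).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # The key type inside the blob must match the declared type, otherwise reject.
    return (keytype, blob, comment) if embedded == keytype else None

def keys_from_entry(entry: dict, attribute: str) -> list:
    """Validated keys from an LDAP entry under the configured attribute name."""
    return [k for k in map(parse_authorized_key, entry.get(attribute, [])) if k]

def effective_keys(ldap_keys, local_keys) -> list:
    """Union of LDAP and locally stored keys, deduplicated by (type, blob)."""
    seen, merged = set(), []
    for k in list(ldap_keys) + list(local_keys):
        if (k[0], k[1]) not in seen:
            seen.add((k[0], k[1]))
            merged.append(k)
    return merged

# Constructed sample data (not from a real directory); ipaSshPubKey is FreeIPA's attribute.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
GOOD_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " jdoe@laptop"
SAMPLE_ENTRY = {"uid": ["jdoe"], "ipaSshPubKey": [
    GOOD_KEY,
    "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode(),  # declared type != blob type
    "ssh-rsa not*base64",                                  # invalid encoding
]}
```

Only the well-formed key survives `keys_from_entry`, and a local copy of the same key with a different comment is not duplicated by `effective_keys`.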

GoogleCodeExporter commented 9 years ago
I was about to leave a comment arguing for all three scenarios being valid. 
After getting one sentence in, the potential compromised security issue hit me. 
Although convenient, it introduces a single point of failure to the entire keyed 
infrastructure of your environment.

Original comment by gavinswa...@gmail.com on 25 Feb 2015 at 1:39

GoogleCodeExporter commented 9 years ago
This is only holding a copy of the public ssh-key in the gerrit database, like LDAP 
does.
I don't see more threat than the actual design.

We use gerrit more and more for enterprise; they like it, but the ldap 
integration needs some love.
This is pretty much the missing feature so far.

Original comment by m...@websys.io on 25 Feb 2015 at 5:29