CandyShop / gerrit

Automatically exported from code.google.com/p/gerrit
Apache License 2.0

Access Rules via LDAP-Group membership don't work #1466

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Affected Version: 2.4.1

What steps will reproduce the problem?
1. Create two groups that your account is part of. Configure one group to be an LDAP-group, the other one just a regular one.
2. Create a new project. Grant "Create References" on "refs/heads/*" to the LDAP-group.
3. Push an existing project to the repo.

What is the expected output? What do you see instead?
One would expect that the push works and results in "[new branch]", but instead, I get an error message:
"can not create new references"

4. However, if I grant the very same privilege to the non-LDAP-group, it works.

Please provide any additional information below.

Searching for the LDAP-group works fine and authenticating via LDAP as well. 
The group itself is properly configured on LDAP. The distinguished name of my account is a member of it.
The same configuration is used for other services and works for them.

The group's DN is:
cn=Developers,ou=gerrit,ou=groups,dc=bauinformatik,dc=tu-berlin,dc=de

The LDAP-configuration in the gerrit.config is:
[auth]
    type = LDAP
[ldap]
    server = ldaps://localhost:636
    username = cn=gerrit-manager,ou=manager,dc=bauinformatik,dc=tu-berlin,dc=de
    accountBase = ou=people,dc=bauinformatik,dc=tu-berlin,dc=de
    groupBase = ou=gerrit, ou=groups,dc=bauinformatik,dc=tu-berlin,dc=de
    accountFullName = cn

Possibly related:
http://groups.google.com/group/repo-discuss/browse_thread/thread/4b44656fb9b0c72c/2afde0019b4b1308?lnk=gst&q=LDAP#2afde0019b4b1308

Original issue reported on code.google.com by patricks...@googlemail.com on 10 Jul 2012 at 3:07

GoogleCodeExporter commented 9 years ago
Additionally, in the LDAP log the following line appears (a lot):

Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3727 do_compare: invalid dn (cn=  #LDAP)
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3728 do_compare: invalid dn (cn=  #LDAP)
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3729 do_compare: invalid dn (cn=  #LDAP)

This is probably caused by Gerrit.

Thanks in advance.
Patrick

Original comment by patricks...@googlemail.com on 10 Jul 2012 at 3:11
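The slapd lines above echo the DN that each rejected compare request carried. As an added example, not part of this issue thread or of Gerrit's code, the following Python checks such an echoed DN against the strict string-form grammar of RFC 4514 section 3 and names the first rule it breaks; the log sample is constructed from the three lines quoted above. Servers may accept looser forms than the strict grammar (RFC 4514 section 4), so a rejection here means "not strictly well-formed", not necessarily "rejected by slapd".

```python
import re

# Constructed sample: the three slapd lines quoted in the comment above.
SLAPD_LOG = """\
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3727 do_compare: invalid dn (cn=  #LDAP)
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3728 do_compare: invalid dn (cn=  #LDAP)
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3729 do_compare: invalid dn (cn=  #LDAP)
"""

# slapd's diagnostic for a compare request whose DN failed parsing; the DN
# is echoed inside the parentheses.
COMPARE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) do_compare: invalid dn \((?P<dn>.*)\)$")

# Strict string-form DN grammar, RFC 4514 section 3: a value is '#' plus hex
# pairs, or a string that does not start with a space or '#', does not end
# with a space, and escapes  " + , ; < > \  with a backslash.
PAIR = r'\\(?:[ "#+,;<>\\=]|[0-9A-Fa-f]{2})'
HEXSTR = r'#(?:[0-9A-Fa-f]{2})+'
LEAD, MID, TRAIL = r'[^\x00 "#+,;<>\\]', r'[^\x00"+,;<>\\]', r'[^\x00 "+,;<>\\]'
STRING = rf'(?:(?:{LEAD}|{PAIR})(?:(?:{MID}|{PAIR})*(?:{TRAIL}|{PAIR}))?)?'
ATV = rf'(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(?:{HEXSTR}|{STRING})'
DN_RE = re.compile(rf'{ATV}(?:\+{ATV})*(?:,{ATV}(?:\+{ATV})*)*')

def is_wellformed_dn(dn):
    """True if dn matches the strict RFC 4514 generation grammar."""
    return DN_RE.fullmatch(dn) is not None

def explain_dn(dn):
    """Name the first rule each RDN value breaks (approximate: splits on
    unescaped commas and checks only the lead/trail character rules)."""
    problems = []
    for rdn in re.split(r'(?<!\\),', dn):
        value = rdn.partition('=')[2]
        if value[:1] == ' ':
            problems.append(f"{rdn!r}: leading space must be escaped as '\\ '")
        elif value[:1] == '#' and not re.fullmatch(HEXSTR, value):
            problems.append(f"{rdn!r}: '#' must start hex pairs or be escaped as '\\#'")
        elif value.endswith(' ') and not value.endswith('\\ '):
            problems.append(f"{rdn!r}: trailing space must be escaped as '\\ '")
    return problems

def scan_slapd_log(text):
    """Return (conn, op, dn, problems) for every compare slapd rejected as invalid dn."""
    return [(m['conn'], m['op'], m['dn'], explain_dn(m['dn']))
            for m in map(COMPARE_RE.search, text.splitlines()) if m]

for conn, op, dn, problems in scan_slapd_log(SLAPD_LOG):
    print(f"conn={conn} op={op} {dn!r}: {'; '.join(problems) or 'no lead/trail rule broken'}")
```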

GoogleCodeExporter commented 9 years ago
accountFullName probably should be ${cn} to actually set it to the value of cn, rather than the literal text "cn".

Original comment by sop@google.com on 10 Jul 2012 at 3:27

GoogleCodeExporter commented 9 years ago
I changed accountFullName to ${cn} but nothing changed.
And displaying the account's proper Full Name worked before as well.

Original comment by patricks...@googlemail.com on 10 Jul 2012 at 4:08

GoogleCodeExporter commented 9 years ago
Hello guys,
we have faced a similar problem with Gerrit 2.9.4.

But in our case we have both "working" and "non-working" groups in LDAP (Active Directory).

So, setting one gives permissions; setting the other, we have no permissions.

Could you please advise what the issue could be and how we could debug it?
Also, please advise when Gerrit reads the members of the group. How often does it synchronize members from AD groups?

Original comment by presich....@gmail.com on 27 Jan 2015 at 2:45