Affected Version: 2.5.2
What steps will reproduce the problem?
1. When using an ldap account with a referral, log in
2. Authentication fails because the 'follow' is not passed through to the initial context
Please provide any additional information below.
The problem is with this method in Helper.java:
https://gerrit.googlesource.com/gerrit/+/v2.5.2/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java#line105
    DirContext open() throws NamingException {
      final Properties env = createContextProperties();
      if (username != null) {
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username);
        env.put(Context.SECURITY_CREDENTIALS, password != null ? password : "");
        // Referral mode is only set on this branch, i.e. when a username is configured.
        env.put(Context.REFERRAL, referral != null ? referral : "ignore");
      }
      return new InitialDirContext(env);
    }
The issue is that the 'env.put(Context.REFERRAL)' is only used if there is a username, when in fact it should be set regardless of the username.
The fix is to move the referral line outside of the if block:
    DirContext open() throws NamingException {
      final Properties env = createContextProperties();
      // Set the referral mode unconditionally, before the credential handling.
      env.put(Context.REFERRAL, referral != null ? referral : "ignore");
      if (username != null) {
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username);
        env.put(Context.SECURITY_CREDENTIALS, password != null ? password : "");
      }
      return new InitialDirContext(env);
    }
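A regression check for the change above, added here as an example and not part of the original report or of Gerrit's code: it builds the JNDI environment both ways for an anonymous and an authenticated bind and fails if the referral mode is missing, without opening a connection. The class name, `base()` (a stand-in for `createContextProperties()`), the server URL and the bind values are assumptions.

```java
import java.util.Properties;
import javax.naming.Context;

public class ReferralEnvCheck {
  // Hypothetical stand-in for Helper.createContextProperties(); placeholder URL.
  static Properties base() {
    Properties env = new Properties();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://ldap.example.com");
    return env;
  }

  // Environment as open() builds it in 2.5.2: referral only on the username branch.
  static Properties before(String username, String password, String referral) {
    Properties env = base();
    if (username != null) {
      putCredentials(env, username, password);
      env.put(Context.REFERRAL, referral != null ? referral : "ignore");
    }
    return env;
  }

  // Environment as the proposed open() builds it: referral set for every bind.
  static Properties after(String username, String password, String referral) {
    Properties env = base();
    env.put(Context.REFERRAL, referral != null ? referral : "ignore");
    if (username != null) {
      putCredentials(env, username, password);
    }
    return env;
  }

  static void putCredentials(Properties env, String username, String password) {
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, username);
    env.put(Context.SECURITY_CREDENTIALS, password != null ? password : "");
  }

  public static void main(String[] args) {
    // Constructed sample binds: anonymous, then a service account.
    String[][] binds = {{null, null}, {"uid=gerrit,dc=example,dc=com", "constructed-password"}};
    for (String[] b : binds) {
      String kind = b[0] == null ? "anonymous" : "authenticated";
      String old = before(b[0], b[1], "follow").getProperty(Context.REFERRAL, "<unset>");
      String fixed = after(b[0], b[1], "follow").getProperty(Context.REFERRAL, "<unset>");
      System.out.printf("%-13s before=%s after=%s%n", kind, old, fixed);
      if (!"follow".equals(fixed)) {
        throw new IllegalStateException("referral mode not applied to " + kind + " bind");
      }
    }
  }
}
```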