Affected Version: 2.7
What steps will reproduce the problem?
1. install gerrit with auth.LDAP
2. manually add user account to accounts table for user who should have admin rights (because install process fails to do that)
3. log in and verify that user is in Administrators group, then look for the "Create new Project" link or try to edit the Access rights on an existing project.
What is the expected output? What do you see instead?
Expecting to have administrative rights of gerrit but instead have the same rights as a registered user. Have no ability to edit the Access, Create projects and/or do whatever an administrator should be able to do.
Please provide any additional information below.
First time I installed gerrit, I used openID. I logged in and was an Administrator. I created new projects and everything seemed to work (although I can't verify that I saw the Edit button on the Access page for any project.)
Then I altered the gerrit.config to set it up for LDAP auth. Gerrit seems to be able to bind using the username and password I specified but the groups I belong to aren't downloaded. See https://groups.google.com/forum/#!topic/repo-discuss/qaMb3FodJtA.
So, I purged my installation and started from scratch. This time, I set it up to be LDAP from the beginning. This time, my user account was not set up to be an Administrator, so I did that manually (see https://code.google.com/p/gerrit/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Type%20Stars%20Milestone%20Status%20Priority%20Owner%20Summary&groupby=&sort=&id=1653). After restarting gerrit and logging in, I verified that I was a global Administrator. However, I have no administrative control over the system.
To fix the original installation that did not properly set itself up, I added my id to the account_group_members table and added the Administrator's UUID and ID to the system_config table. I also added a record in accounts join table to set me as Project owner, in case that could do anything but it didn't.
If I had to guess, the fact that I am attempting to use LDAP groups is the problem: I suspect that gerrit is not using the Db to check permissions and is instead using the LDAP group membership, which it is not able to successfully download.
I have independently verified that my accounts can bind to ldap and that my user is listed as a group member. I have used ldapsearch with all the same settings as my gerrit.config is using:
[auth]
  type = LDAP
[ldap]
  server = ldap://***.***.ca
  username = CN=***,CN=Users,DC=***,DC=***,DC=ca
  accountBase = DC=***,DC=***,DC=ca
  groupBase = OU=Gerrit,OU=External,OU=***,DC=***,DC=***,DC=ca
  accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
  accountScope = subtree
  accountFullName = displayName
  accountEmailAddress = mail
  accountSshUserName = ${sAMAccountName.toLowerCase}
  groupPattern = (&(objectClass=group)(cn=${groupname}))
  groupName = ${groupname}
  groupScope = One
  groupMemberPattern = (&(objectClass=group)(member=${dn}))
  localUsernameToLowerCase = true
  referral = follow
secure.config:
[ldap]
  password = ************
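For comparing an ldapsearch run against a configuration like the one in this report, the following added example (not part of the original report and not Gerrit's own code) expands groupMemberPattern into the search base, scope and filter that the settings describe. The ${name} substitution logic, the subtree default and the sample DNs are assumptions constructed for illustration; the filter value is escaped per RFC 4515, which matters when a user DN contains a backslash or parentheses.

```python
import re

# Constructed sample mirroring the [ldap] patterns from the report;
# the base DNs are placeholders, not values from the page.
SAMPLE_CONFIG = """
[auth]
  type = LDAP
[ldap]
  accountBase = DC=example,DC=ca
  groupBase = OU=Gerrit,DC=example,DC=ca
  accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
  groupScope = One
  groupMemberPattern = (&(objectClass=group)(member=${dn}))
"""

def parse_section(text, section):
    """Return the key/value pairs of one [section] of a git-config style file."""
    current, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1).lower()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)  # split once: DNs contain '='
            values[key.strip().lower()] = value.strip()
    return values

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand(pattern, params):
    """Replace ${name} placeholders with escaped values (hypothetical helper)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: escape_filter_value(params[m.group(1)]), pattern)

def membership_query(config_text, user_dn):
    """Build the group-membership search for one user DN from the [ldap] section."""
    ldap = parse_section(config_text, "ldap")
    scopes = {"one": "one", "sub": "sub", "subtree": "sub", "base": "base"}
    scope = scopes[ldap.get("groupscope", "subtree").lower()]  # subtree assumed when unset
    return {"base": ldap["groupbase"], "scope": scope,
            "filter": expand(ldap["groupmemberpattern"], {"dn": user_dn})}
```

The returned base, scope and filter correspond to ldapsearch's -b and -s options and its filter argument; with a scope of one, only entries directly under groupBase are searched.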