Issue 776: auth LDAP / ssh user-not-found issue
Status:  New
Owner:  ----
Reported by blod.og.ild@gmail.com, Nov 15, 2010
Affected Version: 2.1.5.1

What steps will reproduce the problem?
1. set up gerrit with LDAP auth
2. login with LDAP creds
3. import ssh public key via gerrit webinterface
4. try to verify ssh key e.g. ssh -p 29418 sshusername@hostname

What is the expected output? What do you see instead?

sshd_log always shows "... AUTH FAILURE FROM xxx.xxx.xxx.xxx user-not-found" 

Please provide any additional information below.

- LDAP auth is working, first successful authenticated user is created as gerrit account with admin privileges (I looked into the H2 db to verify)
- gerrit webinterface "Settings - Profile": "Username" field is empty
- gerrit webinterface "Settings - SSH Public Keys": option to change SSH username is missing ([ldap] accountSshUserName is not set)


Jun 14, 2012
#1 g...@acentral.co.uk
This is still happening with current version 2.4 and is a blocker for our org's use of Gerrit :(

LDAP backend is Windows Active Directory (2008 R2)

Settings -> Profile:

Username:       (empty)
Full Name:      Gavin Hamill
Email Address:  gavin.hamill@mycompanydomain.co.uk
Registered:     Jun 14, 2012 11:08 AM
Account ID:     1000000

=====
[ldap]
        server = ldap://10.8.0.17:389/
        username = NANDI\\gerrit-svc
        accountBase = DC=nandi,DC=mydomain,DC=ext
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = ${sAMAccountName.toLowerCase}
        groupBase = OU=Security Groups,DC=nandi,DC=mydomain,DC=ext

sshd_log:
[2012-06-14 10:44:33,051 +0100] 594c835b gavin.hamill - AUTH FAILURE FROM 127.0.0.1 user-not-found

:(

The code is definitely asking for the attribute from Active Directory because if I set

        accountSshUserName = ${jigglyPuff.toLowerCase}

then I can clearly see the LDAP searchRequest for mail, memberOf, displayName, jigglyPuff using tcpdump / Wireshark on port 389


Sep 25, 2012
#2 muthui...@gmail.com
sshd_log always shows "... AUTH FAILURE FROM xxx.xxx.xxx.xxx user-not-found" 

- LDAP auth is working, first successful authenticated user is created as gerrit account with admin privileges (I looked into the H2 db to verify)
- gerrit webinterface "Settings - Profile": "Username" field is empty
- gerrit webinterface "Settings - SSH Public Keys": also set up, but the error is still:

sshd_log always shows "... AUTH FAILURE FROM xxx.xxx.xxx.xxx user-not-found" 

Sep 25, 2012
Project Member #3 edwin.ke...@gmail.com
If the username is not set SSH communication cannot work. 'username' is the username that is used for SSH. Set a username in the WebUI and use this user for the SSH communication.
Oct 25, 2012
#4 dbarvit...@gmail.com
This happens for me on 2.5-rc2. It happens for the LDAP accounts containing a "dot", e.g. "first.last", and works just fine for the ones that do not have dots.

The workaround I have so far is this:
- log in with your LDAP account;
- log in to the DB with your SQL creds and look into account_external_ids;
- you will see external ids formatted as gerrit:johndoe and username:johndoe for the people who don't have dots, and only gerrit:john.doe for those who have dots;
- the fix is pretty obvious: add the username:john.doe row manually (insert into account_external_ids...).

Note: you have to restart Gerrit for the changes to take effect.
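The check and the manual fix described in the comment above, written out as SQL against Gerrit's ReviewDb. This is an added example, not code from the issue thread or from the Gerrit project. It assumes the Gerrit 2.x schema in which account_external_ids has the columns (account_id, email_address, password, external_id) with external_id as the primary key, and it uses H2 syntax (the `||` concatenation operator and SUBSTRING); the account id 1000000 and the login john.doe are placeholders taken from the thread. Verify the column list with `SHOW COLUMNS FROM account_external_ids` before running anything, and take a backup of the database first.

```sql
-- Added example (not from the thread or the Gerrit project).
-- Assumed schema: account_external_ids(account_id, email_address, password, external_id),
-- external_id being the primary key. Placeholders: account 1000000, login john.doe.

-- 1. Inspect one account. A working LDAP account carries two rows,
--    'gerrit:<login>' (the LDAP identity) and 'username:<login>' (the SSH login).
SELECT account_id, external_id, email_address
  FROM account_external_ids
 WHERE account_id = 1000000;

-- 2. Find every account whose LDAP login contains a dot and that has no
--    'username:' row at all. These are the users that get "user-not-found" on SSH.
SELECT g.account_id, g.external_id AS ldap_id
  FROM account_external_ids g
 WHERE g.external_id LIKE 'gerrit:%.%'
   AND NOT EXISTS (SELECT 1
                     FROM account_external_ids u
                    WHERE u.account_id = g.account_id
                      AND u.external_id LIKE 'username:%');

-- 3a. Fix a single account by hand, exactly as comment #4 suggests.
INSERT INTO account_external_ids (account_id, email_address, password, external_id)
VALUES (1000000, NULL, NULL, 'username:john.doe');

-- 3b. Generalised form (assumption: H2 dialect): derive the SSH username from
--     the 'gerrit:' id for every affected account in one statement.
--     'gerrit:' is 7 characters, so the login starts at position 8.
--     The primary key on external_id makes this fail loudly, rather than
--     silently remapping a login, if 'username:<login>' already belongs to
--     another account; that is the behaviour you want.
INSERT INTO account_external_ids (account_id, email_address, password, external_id)
SELECT g.account_id, NULL, NULL, 'username:' || SUBSTRING(g.external_id, 8)
  FROM account_external_ids g
 WHERE g.external_id LIKE 'gerrit:%.%'
   AND NOT EXISTS (SELECT 1
                     FROM account_external_ids u
                    WHERE u.account_id = g.account_id
                      AND u.external_id LIKE 'username:%');

-- 4. Re-run query 2; it should now return no rows. Then restart Gerrit so the
--    account caches pick up the new rows, and retry: ssh -p 29418 john.doe@hostname
```

Only run step 3b after reading the output of step 2: the SSH username becomes the identity that every `ssh` command is authorised as, so a wrong or duplicated mapping here is an account takeover, not a cosmetic error.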
Nov 13, 2012
#5 Chrisnor...@gmail.com
Is this only through ssh? I cannot log on to the web UI at all with LDAP users of the form "first.last". I am using the 2.5 war. 

I already spent a whole day trying to figure out if it was the LDAP itself until I stumbled upon this!
Nov 13, 2012
#6 Chrisnor...@gmail.com
Hi

I fixed my issue by switching to LDAP (from LDAP_BIND), supplying a login, and using port 3268. Now I can log in with such usernames.

Basically I used these instructions:
https://groups.google.com/forum/?fromgroups=#!topic/repo-discuss/UgGqDBzXd3M

Thanks!