Issue 1466: Access Rules via LDAP-Group membership don't work
Status:  New
Owner:  ----
Reported by patricks...@googlemail.com, Jul 10, 2012
Affected Version: 2.4.1

What steps will reproduce the problem?
1. Create two groups that your account is part of. Configure one group to be an LDAP-group, the other one just a regular one.
2. Create a new project. Grant "Create References" on "refs/heads/*" to the LDAP-group.
3. Push an existing project to the repo.

What is the expected output? What do you see instead?
One would expect that the push works and results in "[new branch]", but instead, I get an error message:
"can not create new references"

4. However, if I grant the very same privilege to the non-LDAP group, it works.

Please provide any additional information below.

Searching for the LDAP-group works fine and authenticating via LDAP as well. The group itself is properly configured on LDAP. The distinguished name of my account is a member of it.
The same configuration is used for other services and works for them.

The group's DN is:
cn=Developers,ou=gerrit,ou=groups,dc=bauinformatik,dc=tu-berlin,dc=de

The LDAP configuration in gerrit.config is:
[auth]
	type = LDAP
[ldap]
	server = ldaps://localhost:636
	username = cn=gerrit-manager,ou=manager,dc=bauinformatik,dc=tu-berlin,dc=de
	accountBase = ou=people,dc=bauinformatik,dc=tu-berlin,dc=de
	groupBase = ou=gerrit, ou=groups,dc=bauinformatik,dc=tu-berlin,dc=de
	accountFullName = cn

Possibly related:
http://groups.google.com/group/repo-discuss/browse_thread/thread/4b44656fb9b0c72c/2afde0019b4b1308?lnk=gst&q=LDAP#2afde0019b4b1308


Jul 10, 2012
#1 patricks...@googlemail.com
Additionally, the LDAP log contains the following line (many times):

Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3727 do_compare: invalid dn (cn=  #LDAP)
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3728 do_compare: invalid dn (cn=  #LDAP)
Jul 10 17:08:01 our_servername slapd[1201]: conn=1057 op=3729 do_compare: invalid dn (cn=  #LDAP)

This is probably caused by Gerrit.

Thanks in advance.
Patrick
Jul 10, 2012
#2 sop@google.com
accountFullName probably should be ${cn} to actually set it to the value of cn, rather than the literal text "cn".
Jul 10, 2012
#3 patricks...@googlemail.com
I changed accountFullName to ${cn} but nothing changed.
And displaying the account's proper Full Name worked before as well.
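An added diagnostic in Python, written for this page and not part of Gerrit or of the reporter's setup: it parses a gerrit.config fragment shaped like the one in the report, flags a literal accountFullName value (the point raised in comment #2), runs basic RFC 4514 checks over the DN-valued keys (under that grammar a value beginning with "#" must be a hex-encoded BER value and a leading space must be escaped, which is why slapd rejects "cn=  #LDAP"), and counts the do_compare "invalid dn" events from slapd log lines like those in comment #1. The config text, the log lines and the example.org DNs are constructed samples; the function names and finding messages are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the [auth]/[ldap] fragment in the report.
# The literal "cn" for accountFullName is the mistake comment #2 points out,
# and groupBase carries the stray space after a comma seen in the report.
SAMPLE_CONFIG = """
[auth]
    type = LDAP
[ldap]
    server = ldaps://localhost:636
    username = cn=gerrit-manager,ou=manager,dc=example,dc=org
    accountBase = ou=people,dc=example,dc=org
    groupBase = ou=gerrit, ou=groups,dc=example,dc=org
    accountFullName = cn
"""

# Constructed slapd log lines in the same shape as those quoted in comment #1.
SAMPLE_SLAPD_LOG = [
    "Jul 10 17:08:01 host slapd[1201]: conn=1057 op=3727 do_compare: invalid dn (cn=  #LDAP)",
    "Jul 10 17:08:01 host slapd[1201]: conn=1057 op=3728 do_compare: invalid dn (cn=  #LDAP)",
    'Jul 10 17:08:02 host slapd[1201]: conn=1057 op=3729 SRCH base="ou=people,dc=example,dc=org" scope=2',
]

_SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")
_PLACEHOLDER_RE = re.compile(r"\$\{\w+\}")
_HEX_VALUE_RE = re.compile(r"^#(?:[0-9A-Fa-f]{2})+$")
_INVALID_DN_RE = re.compile(r"conn=(\d+) op=(\d+) do_compare: invalid dn \((.*)\)$")

DN_KEYS = ("username", "accountBase", "groupBase")


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for git-style config: [section] headers and key = value lines."""
    cfg: Dict[str, Dict[str, str]] = {}
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            continue
        m = _KV_RE.match(line)
        if m and section is not None:
            cfg[section][m.group(1)] = m.group(2)
    return cfg


def dn_problems(dn: str) -> List[str]:
    """Report deviations from the strict RFC 4514 string form of a DN."""
    problems = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            problems.append(f"RDN without '=': '{rdn}'")
            continue
        attr, value = rdn.split("=", 1)
        if attr != attr.strip():
            problems.append(f"whitespace around attribute type in '{rdn}' (not in strict RFC 4514 grammar)")
        if value == "":
            problems.append(f"empty value in '{rdn}'")
        elif value[0] == " ":
            problems.append(f"unescaped leading space in value of '{rdn}'")
        elif value[0] == "#" and not _HEX_VALUE_RE.match(value):
            problems.append(f"'#' must introduce a hex-encoded BER value in '{rdn}'")
    return problems


def check_ldap_section(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for the [ldap] section: literal accountFullName and malformed DNs."""
    findings = []
    ldap = cfg.get("ldap", {})
    name = ldap.get("accountFullName")
    if name is not None and not _PLACEHOLDER_RE.search(name):
        findings.append(f"accountFullName = {name}: literal text, use ${{{name}}} for the attribute value")
    for key in DN_KEYS:
        if key in ldap:
            findings.extend(f"{key}: {p}" for p in dn_problems(ldap[key]))
    return findings


def find_invalid_compares(lines: List[str]) -> List[Tuple[int, int, str]]:
    """(conn, op, dn) for every slapd do_compare line rejected as an invalid DN."""
    hits = []
    for line in lines:
        m = _INVALID_DN_RE.search(line)
        if m:
            hits.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return hits


def summarize_invalid_compares(lines: List[str]) -> Dict[str, int]:
    """Count rejected compares per offending DN string."""
    counts: Dict[str, int] = {}
    for _, _, dn in find_invalid_compares(lines):
        counts[dn] = counts.get(dn, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in check_ldap_section(parse_git_config(SAMPLE_CONFIG)):
        print("config:", finding)
    for dn, n in summarize_invalid_compares(SAMPLE_SLAPD_LOG).items():
        print(f"slapd: {n} rejected compare(s) against DN '{dn}'")
        for p in dn_problems(dn):
            print("   ", p)
```

Running it on the constructed samples reports the literal accountFullName, the space before "ou=groups" in groupBase, and two rejected compares against "cn=  #LDAP" whose value starts with an unescaped space. The same log scan over a real slapd log tells you whether Gerrit is still issuing compares with a malformed DN after a configuration change, which is quicker than repeating the push.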

Jan 27, 2015
#4 presich....@gmail.com
Hello guys,
we have faced a similar problem with Gerrit 2.9.4

But in our case we have both "working" and "non-working" groups in LDAP (Active Directory).

So, setting one gives permissions; setting the other gives no permissions.

Could you please advise what could be the issue and how could we debug it?
Also, please advise when Gerrit reads the members of the group. How often does it synchronize members from AD groups?