Issue 1857: Existing LDAP group no longer matches after group is moved in LDAP
Status:  New
Owner:  ----


Reported by gavinswa...@gmail.com, Apr 5, 2013
Affected Version: 2.6rc0

What steps will reproduce the problem?
1. Add an LDAP group to permissions somewhere "ldap/Developers"
2. Move that group within LDAP, i.e. from cn=Developers,cn=Users,dc=company,dc=com to cn=Developers,ou=DevGroups,dc=company,dc=com, and update gerrit.config as appropriate
3. Check that users still have permissions added as "ldap/Developers"

What is the expected output? What do you see instead?
Users should still have permissions assigned in Gerrit, or something should make clear why they don't.

Please provide any additional information below.
My understanding is that the full path to the group is held in Gerrit (cn=Developers,cn=Users,dc=company,dc=com), but only the ldap/Developers part is displayed in Gerrit. So when the full path changes, it no longer matches what Gerrit knows.

The fix is relatively easy: just remove and re-add the LDAP group. It's not intuitive that this is what needs to be done, though.
Aug 11, 2013
#1 geekmug
I was burned by this recently. I couldn't figure out what was wrong because everything looked correct, but the WUI provides no indication of what the problem is. I ended up discovering the UUID thing as I was walking through the code with a debugger attached, because I was certain we had stumbled on a bug in Gerrit. In the end, it was trivial to rewrite the "groups" file in "refs/meta/config", but it took almost a day to figure that out.

It almost seems like the UUID being "ldap:${dn}" is an attractive nuisance, if the WUI only displays "ldap/${cn}". While a power-user could exploit this by editing the "groups" file directly to differentiate between two groups with the same "${cn}", it seems like that would never happen (YAGNI). I would rather see the group name be "ldap/${dn}" in that case (which I guess I could do by changing "ldap.groupName"), but then I feel like the UUID would track "ldap.groupName" to decide how to generate it. (That is to say, I expect the LDAP group UUIDs should be "ldap:${ldap.groupName}").
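
Added example, not part of the comment above and not Gerrit's own code: a check over the "groups" file from "refs/meta/config" that lists "ldap:${dn}" UUIDs no longer under the configured group base, plus a rewrite helper for moved groups. The tab-separated file layout, the case-insensitive DN comparison, the sample data and all function names are assumptions made for this illustration.

```python
import re

# Constructed sample of the "groups" file in refs/meta/config. Assumption:
# each entry is "<UUID><TAB><display name>" and "#" lines are comments.
SAMPLE_GROUPS = (
    "# UUID\tGroup Name\n"
    "#\n"
    "global:Registered-Users\tRegistered Users\n"
    "ldap:cn=Developers,cn=Users,dc=company,dc=com\tldap/Developers\n"
    "ldap:CN=QA, OU=DevGroups, DC=company, DC=com\tldap/QA\n"
)

def split_dn(dn):
    """Split a DN on unescaped commas; trim and lowercase each RDN."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def is_under(dn, base):
    """True if dn is at or below base in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def find_stale(groups_text, group_base):
    """Return (line_no, uuid, name) for ldap: UUIDs outside group_base."""
    stale = []
    for no, line in enumerate(groups_text.splitlines(), 1):
        uuid, _, name = line.partition("\t")
        uuid = uuid.strip()
        if uuid.startswith("ldap:") and not is_under(uuid[5:], group_base):
            stale.append((no, uuid, name.strip()))
    return stale

def rewrite(groups_text, moved):
    """Return groups text with moved DNs replaced; moved maps old -> new DN."""
    norm = {tuple(split_dn(old)): new for old, new in moved.items()}
    out = []
    for line in groups_text.splitlines():
        uuid, _, name = line.partition("\t")
        uuid = uuid.strip()
        new_dn = norm.get(tuple(split_dn(uuid[5:]))) if uuid.startswith("ldap:") else None
        out.append(f"ldap:{new_dn}\t{name}" if new_dn else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    base = "ou=DevGroups,dc=company,dc=com"  # new group base from the report
    for no, uuid, name in find_stale(SAMPLE_GROUPS, base):
        print(f"line {no}: {name} still bound to {uuid}")
```

Running the check after every LDAP reorganisation surfaces permissions that would otherwise silently stop applying while the displayed "ldap/${cn}" name still looks correct.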
