Issue 2433: SSH log in for first user after site creation fails when using LDAP
Status:  New
Owner:  ----


Reported by croeder....@gmail.com, Jan 28, 2014

Affected Version:
Gerrit v.2.8.1


Description of Error
====================
1. The first user that logs on to a fresh installation of Gerrit connected to LDAP authentication is not able to log in via SSH after adding an SSH key. All other users will be able to do so.
When running SSH with

    $ ssh 127.0.0.1  -p 29418 -l testuser-dev  gerrit help

it shows

    Permission denied (publickey).

The 2nd user and all following will be able to log in via SSH without trouble.


Impact
======
The first user after site creation will not be able to use SSH connections to Gerrit. Especially for test setups with LDAP connection, in which only one user for a certain set of permissions exists, it makes testing impossible.


Steps to reproduce
==================
1. Initialize a new gerrit site
2. Configure LDAP as authentication method
3. Start gerrit
4. Try to log in to WEB UI
Error is shown:

    Authentication unavailable at this time.

The error log states:

    [2014-01-28 17:18:01,345] ERROR com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : LDAP authentication failed
    java.util.NoSuchElementException

5. Next log in try is successful (Why do we need two tries to connect to LDAP?)

    In Web UI, the field 'Username' is empty on 'Settings' page.

6. Add SSH Key for user

7. Log in via SSH fails, log shows:

        [2014-01-28 13:40:25,292 +0100] b0e39948 testuser-dev - AUTH FAILURE FROM 127.0.0.1 user-not-found


Analysis
========
The user who is not able to log in has no mapping from 'username:testuser-dev' in database table 'account_external_ids', although an entry in 'accounts' exists.

    gerrit> select * from accounts where account_id = 1000000;
     CONTACT_FILED_ON | FULL_NAME        | CHANGE_SCREEN | COMMENT_VISIBILITY_STRATEGY | COPY_SELF_ON_EMAIL | DATE_FORMAT | DIFF_VIEW | DOWNLOAD_COMMAND | DOWNLOAD_URL | MAXIMUM_PAGE_SIZE | RELATIVE_DATE_IN_CHANGE_TABLE | REVERSE_PATCH_SET_ORDER | SHOW_SITE_HEADER | SHOW_USER_IN_REVIEW | TIME_FORMAT | USE_FLASH_CLIPBOARD | INACTIVE | PREFERRED_EMAIL         | REGISTERED_ON           | ACCOUNT_ID
     -----------------+------------------+---------------+-----------------------------+--------------------+-------------+-----------+------------------+--------------+-------------------+-------------------------------+-------------------------+------------------+---------------------+-------------+---------------------+----------+-------------------------+-------------------------+-----------
     NULL             | Gerrit Developer | NULL          | NULL                        | N                  | NULL        | NULL      | NULL             | NULL         | 25                | N                             | N                       | Y                | N                   | NULL        | Y                   | N        | gerrit-dev@maildomain |  2014-01-28 13:34:28.468 | 1000000
    (1 row; 1 ms)


    gerrit> select * from account_external_ids where account_id = 1000000;
     ACCOUNT_ID | EMAIL_ADDRESS           | PASSWORD | EXTERNAL_ID
     -----------+-------------------------+----------+--------------------
     1000000    | gerrit-dev@maildomain | NULL     | gerrit:testuser-dev
    (1 row; 1 ms)

Attachment: ldap_stacktrace (4.2 KB)

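The check described in the Analysis above, as an added example that is not part of the original report or of Gerrit's code: it finds accounts that have a `gerrit:` external ID but no `username:` one, and classifies a `user-not-found` line of the shape shown in step 7. The SQLite schema is a constructed reduction of the two tables quoted in the report, and `seconduser-dev`, the function names and the verdict strings are assumptions.

```python
import re
import sqlite3

def build_sample_db():
    """Constructed sample: reduced copies of the two tables quoted in the report."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, full_name TEXT);
        CREATE TABLE account_external_ids (account_id INTEGER, external_id TEXT);
        INSERT INTO accounts VALUES (1000000, 'Gerrit Developer'), (1000001, 'Second User');
        INSERT INTO account_external_ids VALUES
            (1000000, 'gerrit:testuser-dev'),        -- first user: no username: row
            (1000001, 'gerrit:seconduser-dev'),      -- constructed second user
            (1000001, 'username:seconduser-dev');
    """)
    return db

# Accounts created through LDAP login (gerrit: id) that lack any username: id.
MISSING_USERNAME_SQL = """
    SELECT a.account_id, e.external_id
      FROM accounts a JOIN account_external_ids e ON e.account_id = a.account_id
     WHERE e.external_id LIKE 'gerrit:%'
       AND NOT EXISTS (SELECT 1 FROM account_external_ids u
                        WHERE u.account_id = a.account_id
                          AND u.external_id LIKE 'username:%')
     ORDER BY a.account_id
"""

def accounts_missing_username(db):
    return db.execute(MISSING_USERNAME_SQL).fetchall()

# Matches log lines of the shape quoted in step 7 of the report.
AUTH_FAILURE = re.compile(r"\] \S+ (?P<user>\S+) - AUTH FAILURE FROM \S+ user-not-found")

def diagnose(db, log_line):
    """Classify one AUTH FAILURE line; returns (user, verdict) or None."""
    m = AUTH_FAILURE.search(log_line)
    if not m:
        return None
    user = m.group("user")
    wanted = (f"gerrit:{user}", f"username:{user}")
    found = {r[0] for r in db.execute(
        "SELECT external_id FROM account_external_ids WHERE external_id IN (?, ?)", wanted)}
    if wanted[1] in found:
        return user, "username-mapping-present"
    if wanted[0] in found:
        return user, "ldap-account-without-username-mapping"
    return user, "unknown-account"
```
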
Dec 5, 2014
#1 klavs.Kl...@gmail.com
I have the exact same issue with gerrit 2.9.1 (latest as of today), using http auth.
 - I do not like the idea of having an http "admin user", to be able to admin gerrit :(
When gerrit supports permissions in such a way, it should be unnecessary.