Issue 3201: LDAP authentication stops working after upgrade to 2.11-rc0
Affected Version: 2.11-rc0
I have just upgraded from 2.10 to 2.11-rc0. My LDAP configuration stopped working. There were no configuration changes for the auth method. In the logs there is a message that the user cannot be found:
[2015-02-23 13:53:08,302] INFO com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'test' failed to sign in: No such user: test
Downgrading back to 2.10 (schema && war) solves the problem - authentication works again.
My [ldap] section looks like this:
[ldap]
server = ldaps://ldap.mycompany.com
sslVerify = false
username = cn=gerrituser,ou=Services,ou=People,dc=mycompany,dc=com
password = myPassword
accountBase = ou=People,dc=mycompany,dc=com
accountPattern = (&(objectClass=person)(uid=${username}))
accountFullName = cn
groupBase = ou=People,dc=mycompany,dc=com
groupMemberPattern = (&(objectClass=group)(member=${dn}))
Where might the problem be?
#1 ziv...@gmail.com (Project Member)
Feb 23, 2015
In fact, I have removed the groupBase and groupMemberPattern options and 2.10 still works (need to verify if 2.11 does not work without it). I did not know if they were needed or not. I was adjusting the sample configuration until it started to work a few months ago. The rest of the configuration looks exactly as I have posted before (only changed server names & passwords). So yes - there is only one ldap.accountBase. I don't know which LDAP server it is as I do not manage it. However, I can ask admins if this is crucial.
Feb 23, 2015
Yes, it is important info which LDAP server type you are running.
Feb 23, 2015
OpenLDAP 2.4.28 from Ubuntu.
Feb 23, 2015
Tried 2.11-rc0 without the group settings - it still does not work. I have also tried changing the ldap.accountScope option to the other values - no success.
Feb 24, 2015
I have exactly the same problem.
Feb 25, 2015
(No comment was entered for this change.)
Status: Accepted
Feb 25, 2015
(No comment was entered for this change.)
Labels: Blocking-2.11
Feb 26, 2015
I am not able to reproduce this problem on latest master, on OpenLDAP 2.4.33. Works here as expected.
Feb 26, 2015
I have installed Gerrit 2.10 on localhost, configured LDAP connection and it works. Then I updated this instance to 2.11-rc0 and authentication stops working with the same behavior as on my production Gerrit. Can I debug it somehow?
Feb 27, 2015
I had the same problem. This helped me:

    [ldap]
    fetchMemberOfEagerly = false
Feb 28, 2015
Confirm - with fetchMemberOfEagerly = false works for me, too.
Mar 1, 2015
Confirm - with fetchMemberOfEagerly = false works for me, too. Thanks!
Mar 2, 2015
This is a nice workaround but it should also work with the fetchMemberOfEagerly = true. Anyway, this is a useful hint for understanding where to search for the issue.
Mar 9, 2015
OK, I see what happens and can reproduce it now. To reproduce on an RFC2307 backend, accountMemberField must not be set, and fetchMemberOfEagerly must either not be set (true by default) or be set to true:

    #accountMemberField = memberOf
    fetchMemberOfEagerly = true

With these pre-requisites, LdapSchema.accountMemberField = null, and this condition evaluates to false:

    if (accountWithMemberOfAtts != null) {
      LdapQuery accountWithMemberOfQuery = new LdapQuery(accountBase, accountScope,
          new ParameterizedString(accountPattern), accountWithMemberOfAtts);
      accountWithMemberOfQueryList.add(accountWithMemberOfQuery);
    }

As a consequence, accountWithMemberOfQueryList is left empty. But with an empty accountWithMemberOfQueryList the extended logic in Helper.findAccount() is broken:

    for (LdapQuery accountQuery : accountQueryList) {
      List<LdapQuery.Result> res = accountQuery.query(ctx, params);
      if (res.size() == 1) {
        return res.get(0);
      } else if (res.size() > 1) {
        throw new AccountException("Duplicate users: " + username);
      }
    }
    throw new NoSuchUserException(username);

because NoSuchUserException is now unconditionally thrown without any attempt to identify the user. As a result, "Invalid username or password." is reported back to the user, even though her credentials were correct.
Mar 9, 2015
Issue 3226 has been merged into this issue.
Mar 10, 2015
Thanks for the problem analysis. The "accountWithMemberOfQueryList" should actually *never* be used for an RFC2307 LDAP server, as the "memberOf" account attribute only exists for Active Directory. The group membership for Active Directory is an account property (memberOf), while on an RFC2307 server we use the ldap.groupPattern query to fetch group membership. Working on a bugfix.
Mar 10, 2015
Typo in the previous post: instead of ldap.groupPattern I wanted to write ldap.groupMemberPattern
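The lookup path described in the analysis of Mar 9 and the RFC2307-versus-Active-Directory distinction in the reply of Mar 10, as an added, constructed Python model. This is not Gerrit's code: the in-memory directory entries, the attribute set uid/cn, the assumption that fetchMemberOfEagerly = true routes the lookup through the memberOf query list, and the shape of the fix (falling back to the plain account query when no memberOf query could be built) are all illustrative assumptions; the real fix is the change at https://gerrit-review.googlesource.com/65980. What the model shows is why an empty query list turns every login into NoSuchUserException, and how the two backends differ in where group membership lives.

```python
"""Constructed model of the Gerrit 2.11-rc0 LDAP account lookup discussed above.

Added illustration, not Gerrit code: an in-memory directory and a simplified
Helper.findAccount() reproduce the failure (empty accountWithMemberOfQueryList
-> NoSuchUserException for every login) and show a fallback fix. It also
contrasts Active Directory's per-account memberOf attribute with RFC2307's
groupMemberPattern = (&(objectClass=group)(member=${dn})) search.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]


class NoSuchUserException(Exception):
    pass


class AccountException(Exception):
    pass


# Constructed sample directory, RFC2307 style: no memberOf on the account,
# groups list their members by DN.
RFC2307_DIR: Directory = {
    "uid=test,ou=People,dc=mycompany,dc=com": {
        "objectClass": ["person"], "uid": ["test"], "cn": ["Test User"]},
    "cn=developers,ou=People,dc=mycompany,dc=com": {
        "objectClass": ["group"], "cn": ["developers"],
        "member": ["uid=test,ou=People,dc=mycompany,dc=com"]},
}

# Constructed Active Directory style directory: membership lives on the account.
AD_DIR: Directory = {
    "cn=test,ou=People,dc=mycompany,dc=com": {
        "objectClass": ["person"], "uid": ["test"], "cn": ["Test User"],
        "memberOf": ["cn=developers,ou=People,dc=mycompany,dc=com"]},
}


class LdapQuery:
    """Stand-in for Gerrit's LdapQuery with accountPattern
    (&(objectClass=person)(uid=${username})), returning the requested attributes."""

    def __init__(self, attrs: List[str]):
        self.attrs = attrs

    def query(self, directory: Directory, username: str) -> List[Tuple[str, Entry]]:
        hits = []
        for dn, entry in directory.items():
            if "person" in entry.get("objectClass", []) and username in entry.get("uid", []):
                hits.append((dn, {a: entry.get(a, []) for a in self.attrs}))
        return hits


def build_query_lists(account_member_field: Optional[str]):
    """Mirrors the constructor logic quoted in the analysis: the memberOf list is
    only populated when accountMemberField (accountWithMemberOfAtts) is set."""
    account_atts = ["uid", "cn"]
    account_query_list = [LdapQuery(account_atts)]
    account_with_member_of_query_list: List[LdapQuery] = []
    if account_member_field is not None:
        account_with_member_of_query_list.append(LdapQuery(account_atts + [account_member_field]))
    return account_query_list, account_with_member_of_query_list


def _run(queries: List[LdapQuery], directory: Directory, username: str):
    # The loop from Helper.findAccount() as quoted: an empty list never performs
    # a search and falls straight through to NoSuchUserException.
    for q in queries:
        res = q.query(directory, username)
        if len(res) == 1:
            return res[0]
        if len(res) > 1:
            raise AccountException("Duplicate users: " + username)
    raise NoSuchUserException(username)


def find_account(directory: Directory, username: str, account_member_field: Optional[str] = None,
                 fetch_member_of_eagerly: bool = True, fixed: bool = False):
    """fixed=False models 2.11-rc0; fixed=True falls back to the plain list when no
    memberOf query exists (assumed shape of the fix, not the real change)."""
    plain, with_member_of = build_query_lists(account_member_field)
    if fetch_member_of_eagerly and (with_member_of or not fixed):
        queries = with_member_of  # assumption: eager fetch selects the memberOf list
    else:
        queries = plain
    return _run(queries, directory, username)


def groups_rfc2307(directory: Directory, account_dn: str) -> List[str]:
    """groupMemberPattern = (&(objectClass=group)(member=${dn})) as a search."""
    return sorted(dn for dn, e in directory.items()
                  if "group" in e.get("objectClass", []) and account_dn in e.get("member", []))


def groups_from_member_of(account_entry: Entry) -> List[str]:
    """Active Directory: membership is read from the account's memberOf attribute."""
    return sorted(account_entry.get("memberOf", []))


def login_outcome(directory: Directory, username: str, account_member_field: Optional[str],
                  eager: bool, fixed: bool = False) -> str:
    """What the user sees; NoSuchUserException becomes the misleading message reported."""
    try:
        find_account(directory, username, account_member_field, eager, fixed)
        return "signed in"
    except NoSuchUserException:
        return "Invalid username or password."
```

The practitioner's check this gives is the combination table: run login_outcome for (accountMemberField unset, fetchMemberOfEagerly true), (unset, false) and (memberOf, true) against a staging copy before upgrading. Note that the defect fails closed: nobody is let in with wrong credentials, but valid users get the same "Invalid username or password." message, so the only visible symptom is the "No such user" line in the log.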
Mar 10, 2015
https://gerrit-review.googlesource.com/65980 It would be nice if someone with the RFC2307 LDAP server could verify this bugfix.
Mar 11, 2015
(No comment was entered for this change.)
Status: ChangeUnderReview
Mar 16, 2015
(No comment was entered for this change.)
Status: Submitted