Issue 1124: Use LDAP for ssh keys
Status:  Accepted
Owner: ----
Reported by rlan...@gmail.com, Sep 7, 2011
LDAP can hold ssh keys for users, using the openssh lpk schema. It should be possible to configure gerrit to use LDAP for ssh keys instead of its local database.
Sep 23, 2011
#1 prei...@wikimedia.org
This is a much needed feature.
Apr 23, 2012
#2 sop@google.com
The right way to implement this is going to be abstracting more of the account storage so we can just replace the SSH key management with LDAP queries. This means reading the keys for a user account directly from LDAP instead of from the SQL database, and disabling editing of SSH keys in the web UI, these should be managed through the LDAP system if Gerrit's accounts are backed by an LDAP server.

In the long run we should fix Gerrit so that when connected to an LDAP server, all user data comes from the LDAP server, rather than copying selected fields into the SQL database.
Status: Accepted
Apr 23, 2012
#3 djsza...@gmail.com
I so much agree. This would be awesome to see come to reality. Hope someone picks this task ASAP. It would make the world more rounded on our side at least. :-)
Jan 28, 2014
#4 mani.cha...@gmail.com
Do we already have a change submitted for this issue?
Nov 13, 2014
#5 ji...@airtame.com
With Google deprecating OpenID, a lot of people are going to switch to LDAP, so this feature would make a lot of sense. I might have a hack at it if I get the time.

I take it that nobody has started working on it? My own implementation would be a crude hack that would forcibly synchronize the database backend with whatever is in ldap.
Nov 13, 2014
#6 m...@konqi.net
@ji yes, OpenID 2.0 is deprecated, but its successor OAuth 2.0 for Login (OpenID Connect) is and will still be maintained! I don't see why this should be a cause to migrate to LDAP?!
The main problem, I think, is that none of the default / commonly used LDAP schemas have support for ssh-key fields. You mostly need an additional schema to be imported and mostly another administration for this. So to get to the point: this feature request is a valid one for me because ssh keys also mainly address console applications (commit), while OpenID mainly addresses web applications (view, web browser).
Feb 17, 2015
#7 jeff.gus...@gmail.com
I'm using FreeIPA and I would love it if I could tell Gerrit that public ssh keys are stored as 'ipaSshPubKey' for each person. As long as the ssh config is flexible enough, it shouldn't matter what schema the admin has chosen.
Feb 24, 2015
#8 gwburch...@gmail.com
I hope I have misunderstood some of the comments suggesting that with the addition of supporting LDAP store of SSH keys, that gerrit will disable the user setting their SSH key in their profile. I would rather see it stated that this feature would allow support to SSH keys from LDAP "IN ADDITION TO" the local database rather than "instead of" the local database.

It would be great for gerrit to be able to use the SSH key stored in LDAP (I don't know any details of this feature) but users may want to use different SSH keys for different servers. It sounds like the way this feature is worded, it would be all LDAP or just the local database. 
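The two points raised in #7 and #8 (a configurable attribute name such as sshPublicKey or ipaSshPubKey, and LDAP keys used alongside, not instead of, the local database) sketched as an added example; this is not Gerrit code. It assumes the LDAP entry has already been fetched into a dict of attribute name to list of values, and the key lines and attribute names are constructed samples. Each key line is validated the way OpenSSH does (base64 blob whose embedded type string must match the textual type) before it is trusted.

```python
import base64
import binascii
import hashlib
import struct


def parse_openssh_pubkey(line):
    """Return (key_type, 'SHA256:...' fingerprint) for a valid key line, else None."""
    if isinstance(line, bytes):          # LDAP libraries usually hand back bytes
        line = line.decode("utf-8", "replace")
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    # The blob begins with a length-prefixed type string; it must equal the
    # textual type, otherwise the line is malformed or tampered with.
    if n > len(blob) - 4 or blob[4:4 + n] != key_type.encode("ascii", "replace"):
        return None
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, "SHA256:" + digest   # same format as `ssh-keygen -lf`


def merge_keys(ldap_entry, attr, local_keys):
    """Union of LDAP-held and locally stored keys, keyed by fingerprint.

    `attr` is the schema-specific attribute (e.g. 'sshPublicKey' for
    openssh-lpk, 'ipaSshPubKey' for FreeIPA). LDAP wins on duplicates so the
    value records where an identical key was first seen. Malformed lines
    are dropped rather than silently granting access.
    """
    seen = {}
    for source, lines in (("ldap", ldap_entry.get(attr, [])), ("local", local_keys)):
        for line in lines:
            parsed = parse_openssh_pubkey(line)
            if parsed is not None:
                seen.setdefault(parsed[1], (parsed[0], source))
    return seen


def make_sample_key(key_type, payload, comment="user@example"):
    """Constructed test data: a structurally valid OpenSSH public key line."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(payload)) + payload)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)
```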
Feb 25, 2015
#9 gavinswa...@gmail.com
I was about to leave a comment arguing for all three scenarios being valid. After getting one sentence in, the potential compromised security issue hit me. Although convenient, it introduces a single point of failure to the entire keyed infrastructure of your environment.
Feb 25, 2015
#10 m...@websys.io
This is only holding a copy of the public ssh-key in the gerrit database, like LDAP does.
I don't see more threat than the actual design.

We use gerrit more and more for enterprise, they like it, but the LDAP integration needs some love.
This is pretty much the missing feature so far.

Oct 27, 2015
#11 fabio.po...@gmail.com
We are also using LDAP for accounts managed by a Windows Server, so it would be great to be able to read the ssh public key on the LDAP server.