Issue 1857: Existing LDAP group no longer matches after group is moved in LDAP
Status:  New
Owner: ----
Reported by gavinswa...@gmail.com, Apr 5, 2013
Affected Version: 2.6rc0

What steps will reproduce the problem?
1. Add an LDAP group to permissions somewhere "ldap/Developers"
2. Move that group within LDAP, i.e. from cn=Developers,cn=Users,dc=company,dc=com to cn=Developers,ou=DevGroups,dc=company,dc=com, and update gerrit.config as appropriate
3. Check that users still have permissions added as "ldap/Developers"

What is the expected output? What do you see instead?
Users should still have permissions assigned in gerrit, or something should make clear why they don't.

Please provide any additional information below.
My understanding is that the full path to the group is held in gerrit (cn=Developers,cn=Users,dc=company,dc=com) but only the ldap/Developers part is displayed in gerrit. So when the full path changes it no longer matches what gerrit knows.

The fix is relatively easy: just remove and re-add the ldap group. It's not intuitive that this is what needs to be done though.
Aug 11, 2013
#1 geekmug
I was burned by this recently. I couldn't figure out what was wrong because everything looked correct, but the WUI provides no indication of what the problem is. I ended up discovering the UUID thing as I was walking through the code with a debugger attached, because I was certain we had stumbled on a bug in Gerrit. In the end, it was trivial to rewrite the "groups" file in "refs/meta/config", but it took almost a day to figure that out.

It almost seems like the UUID being "ldap:${dn}" is an attractive nuisance, if the WUI only displays "ldap/${cn}". While a power-user could exploit this by editing the "groups" file directly to differentiate between two groups with the same "${cn}", it seems like that would never happen (YAGNI). I would rather see the group name be "ldap/${dn}" in that case (which I guess I could do by changing "ldap.groupName"), but then I feel like the UUID would track "ldap.groupName" to decide how to generate it. (That is to say, I expect the LDAP group UUIDs should be "ldap:${ldap.groupName}").
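
A check for the mismatch described in this issue, as an added example that is not part of the original thread or of Gerrit's code: it reads the contents of a "groups" file from "refs/meta/config" and flags "ldap:" UUIDs whose DN is no longer under the LDAP group base. The sample file contents, the function names and passing the base (for instance the `ldap.groupBase` value) as an argument are assumptions; DN handling is simplified and does not cover escaped commas.

```python
# Constructed sample of a Gerrit "groups" file (UUID<TAB>Group Name).
SAMPLE_GROUPS = (
    "# UUID\tGroup Name\n"
    "#\n"
    "ldap:cn=Developers,cn=Users,dc=company,dc=com\tldap/Developers\n"
    "ldap:cn=QA,ou=DevGroups,dc=company,dc=com\tldap/QA\n"
    "global:Registered-Users\tRegistered Users\n"
)


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around RDNs (simplified: no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_groups(text):
    """Yield (uuid, name) pairs, skipping comment and blank lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        uuid, _, name = line.partition("\t")
        yield uuid.strip(), name.strip()


def stale_ldap_groups(groups_text, group_base):
    """Return (name, stored_uuid, candidate_uuid) for ldap: entries outside group_base."""
    base = normalize_dn(group_base)
    stale = []
    for uuid, name in parse_groups(groups_text):
        if not uuid.startswith("ldap:"):
            continue  # non-LDAP groups are not DN-based
        dn = uuid[len("ldap:"):]
        if normalize_dn(dn).endswith("," + base):
            continue  # DN still sits under the configured base
        # Assumption: the group kept its first RDN and now lives directly under group_base.
        candidate = "ldap:" + dn.split(",")[0].strip() + "," + group_base
        stale.append((name, uuid, candidate))
    return stale


if __name__ == "__main__":
    for name, old, new in stale_ldap_groups(SAMPLE_GROUPS, "ou=DevGroups,dc=company,dc=com"):
        print(f"{name}: stored UUID {old!r} is outside the group base; candidate {new!r}")
```

The candidate UUID is only a suggestion to confirm against the directory before the "groups" file is edited.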