Issue 3201: LDAP authentication stops working after upgrade to 2.11-rc0
Status:  Submitted
Owner: ----
Closed:  Mar 2015
Reported by fraczwoj...@gmail.com, Feb 23, 2015
Affected Version: 2.11-rc0

Have just upgraded from 2.10 to 2.11-rc0. My LDAP configuration stopped working. There were no configuration changes for the auth method. In the logs there is a message that the user cannot be found:

[2015-02-23 13:53:08,302] INFO  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'test' failed to sign in: No such user: test

Downgrading back to 2.10 (schema && war) solves the problem - authentication works again.

My [ldap] section looks like this:

[ldap]
  server = ldaps://ldap.mycompany.com
  sslVerify = false

  username = cn=gerrituser,ou=Services,ou=People,dc=mycompany,dc=com
  password = myPassword

  accountBase = ou=People,dc=mycompany,dc=com
  accountPattern = (&(objectClass=person)(uid=${username}))
  accountFullName = cn

  groupBase = ou=People,dc=mycompany,dc=com
  groupMemberPattern = (&(objectClass=group)(member=${dn}))


Where might the problem be?

Feb 23, 2015
Project Member #1 ziv...@gmail.com
There were several LDAP related changes done between the 2.10 and 2.11-rc0.
Mostly, these changes are about optimizing the amount of data fetched from the LDAP server.
I did test all of them on an Active Directory.

Which LDAP server type do you use? I guess it is RFC 2307 since the ldap.groupMemberPattern is disabled for the Active Directory.

Do you have exactly one ldap.accountBase (as in your sample configuration)?
Feb 23, 2015
#2 fraczwoj...@gmail.com
In fact, I have removed the groupBase and groupMemberPattern options and 2.10 still works (need to verify if 2.11 does not work without it). I did not know if they were needed or not. I was adjusting the sample configuration until it started to work a few months ago.

The rest of the configuration looks exactly as I have posted before (only changed server names & passwords). So yes - there is only one ldap.accountBase.

I don't know which LDAP server it is as I do not manage it. However, I can ask admins if this is crucial.
Feb 23, 2015
Project Member #3 ziv...@gmail.com
Yes, it is important info which LDAP server type you are running.
Feb 23, 2015
#4 fraczwoj...@gmail.com
OpenLDAP 2.4.28 from Ubuntu.
Feb 23, 2015
#5 fraczwoj...@gmail.com
Tried 2.11-rc0 without group setting - still does not work. I have also tried changing the ldap.accountScope option to any other values - no success.
Feb 24, 2015
#6 changho....@gmail.com
I have exactly the same problem.
Feb 25, 2015
Project Member #7 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: Accepted
Feb 25, 2015
Project Member #8 david.pu...@sonymobile.com
(No comment was entered for this change.)
Labels: Blocking-2.11
Feb 26, 2015
Project Member #9 David.Os...@gmail.com
I am not able to reproduce this problem on latest master, on OpenLDAP 2.4.33. Works here as expected.

Feb 26, 2015
#10 fraczwoj...@gmail.com
I have installed Gerrit 2.10 on localhost, configured LDAP connection and it works. Then I updated this instance to 2.11-rc0 and authentication stops working with the same behavior as on my production Gerrit.

Can I debug it somehow?
Feb 27, 2015
#11 mizunoka...@gmail.com
I had the same problem. This helped me:

[ldap]
fetchMemberOfEagerly = false
Feb 28, 2015
#12 fraczwoj...@gmail.com
Confirm - with fetchMemberOfEagerly = false works for me, too.
Mar 1, 2015
#13 changho....@gmail.com
Confirm - with fetchMemberOfEagerly = false works for me, too. Thanks!
Mar 2, 2015
Project Member #14 ziv...@gmail.com
This is a nice workaround but it should also work with the fetchMemberOfEagerly = true.

Anyway, this is a useful hint for understanding where to search for the issue.
Mar 9, 2015
Project Member #15 David.Os...@gmail.com
OK, I see what happens and can reproduce it now.

To reproduce on an RFC2307 backend, accountMemberField must not be set, and fetchMemberOfEagerly either must not be set (true by default) or must be set to true:

#accountMemberField = memberOf
fetchMemberOfEagerly = true

When these prerequisites are met, the

LdapSchema.accountMemberField = null

And this condition evaluates to false:

if (accountWithMemberOfAtts != null) {
  LdapQuery accountWithMemberOfQuery =
      new LdapQuery(accountBase, accountScope, new ParameterizedString(
          accountPattern), accountWithMemberOfAtts);
  accountWithMemberOfQueryList.add(accountWithMemberOfQuery);
}

As a consequence, accountWithMemberOfQueryList is left empty.
But with an empty accountWithMemberOfQueryList the extended logic in Helper.findAccount() is broken:

for (LdapQuery accountQuery : accountQueryList) {
  List<LdapQuery.Result> res = accountQuery.query(ctx, params);
  if (res.size() == 1) {
    return res.get(0);
  } else if (res.size() > 1) {
    throw new AccountException("Duplicate users: " + username);
  }
}
throw new NoSuchUserException(username);

because NoSuchUserException is now unconditionally thrown without any attempt to identify the user.

As a result, "Invalid username or password." is reported back to the user, even though her credentials were correct.
Mar 9, 2015
Project Member #16 David.Os...@gmail.com
Issue 3226 has been merged into this issue.
Mar 10, 2015
Project Member #17 ziv...@gmail.com
Thanks for the problem analysis.

The "accountWithMemberOfQueryList" should actually *never* be used for an RFC2307 LDAP server as the "memberOf" account attribute only exists for the Active Directory. The group membership for Active Directory is an account property (memberOf) while on an RFC2307 we use the ldap.groupPattern query to fetch group membership.

Working on a bugfix.
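The failure path from comment #15 and the fix direction from comment #17, as an added model written for this thread; it is not Gerrit's code and not the linked change. The class and list names follow the thread, the in-memory directory entry is constructed, and the way findAccount() picks between the two query lists is an assumption consistent with the analysis above.

```java
import java.util.*;

// Added model (not Gerrit's code) of the lookup path described in comments #15
// and #17. Names mirror the thread; the in-memory directory is constructed.
public class MemberOfLookup {
  // Constructed RFC 2307 style entry: OpenLDAP carries no memberOf attribute.
  static final Map<String, Map<String, String>> DIR =
      Map.of("test", Map.of("uid", "test", "cn", "Test User"));
  // Stand-in for LdapQuery: resolves a uid against the constructed directory.
  static class LdapQuery {
    List<Map<String, String>> query(String username) {
      Map<String, String> e = DIR.get(username);
      return e == null ? List.of() : List.of(e);
    }
  }
  final List<LdapQuery> accountQueryList = new ArrayList<>();
  final List<LdapQuery> accountWithMemberOfQueryList = new ArrayList<>();
  final boolean fetchMemberOfEagerly;

  MemberOfLookup(String accountMemberField, boolean fetchMemberOfEagerly) {
    this.fetchMemberOfEagerly = fetchMemberOfEagerly;
    accountQueryList.add(new LdapQuery());
    // Same guard as in comment #15: with accountMemberField unset the memberOf
    // query is never built, so accountWithMemberOfQueryList stays empty.
    if (accountMemberField != null) accountWithMemberOfQueryList.add(new LdapQuery());
  }

  // 2.11-rc0 behaviour as the thread describes it (selection logic assumed):
  // eager fetch picks the memberOf list even when it is empty, so no query runs.
  Map<String, String> findAccountBroken(String username) {
    return find(fetchMemberOfEagerly ? accountWithMemberOfQueryList : accountQueryList, username);
  }

  // Corrected selection: use the plain list whenever no memberOf query exists,
  // which is what an RFC 2307 server needs (comment #17).
  Map<String, String> findAccountFixed(String username) {
    boolean eager = fetchMemberOfEagerly && !accountWithMemberOfQueryList.isEmpty();
    return find(eager ? accountWithMemberOfQueryList : accountQueryList, username);
  }

  static Map<String, String> find(List<LdapQuery> queries, String username) {
    for (LdapQuery q : queries) {
      List<Map<String, String>> res = q.query(username);
      if (res.size() == 1) return res.get(0);
      if (res.size() > 1) throw new IllegalStateException("Duplicate users: " + username);
    }
    throw new NoSuchElementException("No such user: " + username); // the logged message
  }
}
```

With `new MemberOfLookup(null, true)` (the reporter's defaults) findAccountBroken("test") throws "No such user: test" while findAccountFixed("test") returns the entry; with fetchMemberOfEagerly = false both succeed, matching the workaround in comment #11.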
Mar 10, 2015
Project Member #18 ziv...@gmail.com
Typo in the previous post: instead of ldap.groupPattern I wanted to write ldap.groupMemberPattern
Mar 10, 2015
Project Member #19 ziv...@gmail.com
https://gerrit-review.googlesource.com/65980

It would be nice if someone with an RFC2307 LDAP server could verify this bugfix.
Mar 11, 2015
Project Member #20 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: ChangeUnderReview
Mar 16, 2015
Project Member #21 ziv...@gmail.com
(No comment was entered for this change.)
Status: Submitted