I am trying to set up a gerrit instance that communicates with our LDAP server.
I can login with ldap credentials but then I don't see any groups when I navigate to My -> Groups. I tried using the "groupMemberPattern" variable but I did get an error saying that the LDAP backend doesn't support it. This is my ldap and auth configuration:
[auth]
type = ldap
[ldap]
server = ldap://ldapserverip
accountBase = DC=myorg,DC=local
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
groupBase = OU=DevGroups,DC=myorg,DC=local
groupPattern = (&(objectClass=group)(cn=${groupname}))
fetchMemberofEagerly = true
groupName = cn
username = CN=MyFirst MyLast,CN=Users,DC=myorg,DC=local
accountMemberField = memberOf
referral = follow
groupsVisibleToAll = true
localUsernameToLowerCase = true
I do have the password in the secure.config file and it seems that it makes the queries because it does allow a user to log in. I'm just having trouble getting the actual groups.
I'm not very familiar with LDAP or Active Directory but I was looking at our Active Directory through the Apache Directory Studio and I can indeed see a tree that looks like this:
Root
|- DC=myorg,DC=local
   |- CN=Users
   |  |- CN=FirstName1 LastName1
   |  |- CN=FirstName2 LastName2
   |  |- ..
   |  |- CN=FirstName3 LastName3
   |- OU=DevGroups
      |- CN=Group1
      |- CN=Group2
      |- ..
      |- CN=Group20
When I open a group entry I can see the following:
- objectClass=group
- objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=myorg,DC=local
- The cn seems to be the group name
- It does have a number of "member" fields that list users
- The sAMAccountName is also the group name
If I look at a user they have
- objectClass=person
- cn=First Last
- objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=myorg,DC=local
- sAMAccountName=FirstLast.
- They have a number of memberOf fields that list the cn,ou,dc,dc.
So if the user query is working, and it seems to be using a base and then searching from there, filling in the username via the account pattern, I would imagine that the same would hold for finding the list of groups that a user belongs to.
The way I expect this to work is when a user logs in with their LDAP credentials, they should see their same LDAP groups when they look at their groups through the gerrit interface. I'm not sure if this is correct though. I'm also somewhat confused how gerrit actually uses these variables in queries. If anyone has any ideas or can point me in the right direction, I'd appreciate it.
I do realize there were some other Gerrit/LDAP related questions here and other places but they mostly seemed to focus on just getting a user logged in, which I can do; the groups are where I'm having an issue.
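To make the variable substitution and group derivation in the configuration above concrete, here is an added Python illustration; it is not Gerrit's own code, and how Gerrit itself builds or escapes its filters is not shown on this page. It fills ${username} into accountPattern with RFC 4515 escaping so a value cannot change the filter's structure, and maps constructed memberOf DNs to group names by keeping only DNs under groupBase and reading the RDN named by groupName (cn); the sample DNs are constructed to match the tree shown in the question.

```python
import re

# Values copied from the [ldap] section in the question.
LDAP_CONFIG = {
    "accountPattern": "(&(objectClass=person)(sAMAccountName=${username}))",
    "groupBase": "OU=DevGroups,DC=myorg,DC=local",
    "groupName": "cn",
}

def escape_filter_value(value: str) -> str:
    # RFC 4515 escaping: a substituted value cannot alter the filter structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_filter(pattern: str, **values: str) -> str:
    # Fill ${name} placeholders such as ${username} with escaped values.
    return re.sub(r"\$\{(\w+)\}",
                  lambda m: escape_filter_value(values[m.group(1)]), pattern)

def split_dn(dn: str) -> list:
    # Split a DN into (attr, value) RDNs; commas escaped as "\," do not split.
    return [(a.strip().lower(), v.strip()) for a, _, v in
            (p.partition("=") for p in re.split(r"(?<!\\),", dn))]

def is_under(dn: str, base: str) -> bool:
    # True if dn lies below base; attributes and values compared case-insensitively.
    d = [(a, v.lower()) for a, v in split_dn(dn)]
    b = [(a, v.lower()) for a, v in split_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b

def groups_from_memberof(member_of: list, cfg: dict = LDAP_CONFIG) -> list:
    # Keep memberOf DNs under groupBase and take the RDN named by groupName (cn).
    names = []
    for dn in member_of:
        if is_under(dn, cfg["groupBase"]):
            attr, value = split_dn(dn)[0]
            if attr == cfg["groupName"].lower():
                names.append(value)
    return names

# Constructed sample memberOf values, shaped like the tree in the question.
SAMPLE_MEMBER_OF = [
    "CN=Group1,OU=DevGroups,DC=myorg,DC=local",
    "CN=Group20,OU=DevGroups,DC=myorg,DC=local",
    "CN=Domain Users,CN=Users,DC=myorg,DC=local",  # outside groupBase: ignored
]

if __name__ == "__main__":
    print(render_filter(LDAP_CONFIG["accountPattern"], username="FirstLast"))
    print(groups_from_memberof(SAMPLE_MEMBER_OF))
```

Running this against the memberOf values returned by an ldapsearch for one of your users shows which of them would fall under groupBase and what group name each would yield.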