Gerrit authentication against ActiveDirectory
I am trying to get Gerrit to authenticate against an ActiveDirectory LDAP server, but I cannot find the right combination of LDAP settings to make it work. I see errors like this in error_log:
WARN com.google.gerrit.server.auth.ldap.LdapRealm : Cannot discover type of LDAP server at ldap://ldapserver.company.com:3268, assuming the server is RFC 2307 compliant.
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name ''
Is there a "typical" ActiveDirectory configuration for Gerrit? Should I be using LDAP_BIND authentication?
LDAP (as opposed to LDAP_BIND) is the correct authentication type.
It is almost completely answered here:
[ldap]
server = ldap://dc.ad.company.com:3268
username = ldapuser@ad.company.com
accountBase = DC=ad,DC=company,DC=com
groupBase = DC=ad,DC=company,DC=com
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
accountFullName = displayName
accountEmailAddress = mail
accountSshUserName = sAMAccountName
groupMemberPattern = (sAMAccountName=${username})
groupName = cn
localUsernameToLowerCase = true
However, in my case the LDAP server hostname has no ad component, so it looks more like:
[ldap]
server = ldap://something.company.com:3268
username = ldapuser@company.com
accountBase = DC=company,DC=com
groupBase = DC=company,DC=com
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
accountFullName = displayName
accountEmailAddress = mail
accountSshUserName = sAMAccountName
groupMemberPattern = (sAMAccountName=${username})
groupName = cn
localUsernameToLowerCase = true
Also, you need to add the LDAP password to etc/secure.config (or you can use SecureStore), which should be readable only by the Gerrit user:
[ldap]
password = yourpassword
If you don't, you will see errors like this:
ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name 'DC=company,DC=com'
After that, you can log in with your AD username (without any @company.com part, just the username) and your usual password.
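As an added check (not part of the answer above or of Gerrit itself), the following script lints the [auth]/[ldap] settings from the answer for the mistakes that produce the 000004DC bind error, and verifies that the password lives in etc/secure.config with restrictive permissions. The sample configs are constructed from the answer's snippets; the plaintext-ldap:// warning is a general hardening caveat, not something the answer states.

```python
import configparser
import stat

# Constructed sample inputs modelled on the answer's snippets (not a real deployment).
GERRIT_CONFIG = """
[auth]
type = LDAP
[ldap]
server = ldap://something.company.com:3268
username = ldapuser@company.com
accountBase = DC=company,DC=com
accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
"""
SECURE_CONFIG = """
[ldap]
password = yourpassword
"""

def _parse(text: str) -> configparser.ConfigParser:
    # Gerrit's git-config syntax is close enough to INI for these flat sections.
    cp = configparser.ConfigParser(interpolation=None)  # keep ${username} literal
    cp.read_string(text)
    return cp

def check_gerrit_ldap(gerrit_cfg: str, secure_cfg: str, secure_mode: int) -> list[str]:
    """Lint [auth]/[ldap] for an AD setup; returns a list of findings (empty = OK)."""
    g, s = _parse(gerrit_cfg), _parse(secure_cfg)
    ldap = g["ldap"] if g.has_section("ldap") else {}
    findings = []
    if g.get("auth", "type", fallback="").upper() != "LDAP":
        findings.append("auth.type should be LDAP (not LDAP_BIND) when binding with a service account")
    if not ldap.get("username"):
        findings.append("ldap.username missing: AD rejects anonymous searches (error code 1, 000004DC)")
    if "password" in ldap:
        findings.append("ldap.password is in gerrit.config; move it to etc/secure.config")
    if not s.get("ldap", "password", fallback=""):
        findings.append("ldap.password missing from etc/secure.config: bind will fail with 000004DC")
    if "sAMAccountName" not in ldap.get("accountPattern", ""):
        findings.append("accountPattern should match sAMAccountName so users log in without @company.com")
    if ldap.get("server", "").startswith("ldap://"):
        findings.append("server uses plaintext ldap://; use ldaps:// so the bind password is not sent in clear")
    if secure_mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bits set
        findings.append("etc/secure.config is group/world accessible; chmod 600 and chown it to the Gerrit user")
    return findings

if __name__ == "__main__":
    for f in check_gerrit_ldap(GERRIT_CONFIG, SECURE_CONFIG, 0o600):
        print("-", f)
```

Feed it the real files with `open("etc/gerrit.config").read()` and `os.stat("etc/secure.config").st_mode`; the answer's own config passes everything except the plaintext-scheme warning.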