For ActiveDirectory

Time: 2015-12-11 12:13:33

Tags: active-directory ldap gerrit

I am trying to get Gerrit to authenticate against an ActiveDirectory LDAP server, but I cannot find the right combination of LDAP settings to make it work. I see errors like this in error_log:

WARN  com.google.gerrit.server.auth.ldap.LdapRealm : Cannot discover type of LDAP server at ldap://ldapserver.company.com:3268, assuming the server is RFC 2307 compliant.
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name ''

Is there a "typical" ActiveDirectory configuration for Gerrit, and should I be using LDAP_BIND authentication?

1 answer:

Answer 0: (score: 0)

LDAP (as opposed to LDAP_BIND) is the correct authentication type.

Almost completely answered here

[ldap] 
        server = ldap://dc.ad.company.com:3268
        username = ldapuser@ad.company.com
        accountBase = DC=ad,DC=company,DC=com
        groupBase = DC=ad,DC=company,DC=com
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = sAMAccountName
        groupMemberPattern = (sAMAccountName=${username})
        groupName = cn
        localUsernameToLowerCase = true

However, in my case the LDAP server hostname has no ad component, so it looks more like:

[ldap] 
        server = ldap://something.company.com:3268
        username = ldapuser@company.com
        accountBase = DC=company,DC=com
        groupBase = DC=company,DC=com
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = sAMAccountName
        groupMemberPattern = (sAMAccountName=${username})
        groupName = cn
        localUsernameToLowerCase = true

In addition, you need to add the LDAP password to etc/secure.config (or you can use SecureStore), which should be readable only by the Gerrit user:

[ldap]
        password = yourpassword

If you don't, you will see an error like this:

ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580^@]; remaining name 'DC=company,DC=com'

After this, you can log in with your AD username (without any @company.com part, just the username) and your usual password.
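As an added example that is not part of the original question or answer, the script below parses the git-config syntax Gerrit uses for gerrit.config and secure.config and reports the mistakes the answer describes: the bind password left in gerrit.config instead of secure.config, a bind username with no password at all (which produces the "a successful bind must be completed" error shown above), a pattern without the ${username} placeholder, and a plain ldap:// server without startTls, where the simple-bind password would travel unencrypted. The sample configuration is constructed from the answer's settings; the finding codes are this example's own.

```python
import re

# Constructed sample (not a real install): the answer's [ldap] block, but with the password in gerrit.config
GERRIT_CONFIG = """[ldap]
        server = ldap://something.company.com:3268
        username = ldapuser@company.com
        password = yourpassword
        accountBase = DC=company,DC=com
        groupBase = DC=company,DC=com
        accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
        groupMemberPattern = (sAMAccountName=${username})
"""
SECURE_CONFIG = ""  # constructed: etc/secure.config with no [ldap] password yet

SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"[^"]*")?\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')

def parse_git_config(text):
    """Minimal parser for the git-config syntax Gerrit uses: [section] followed by key = value lines."""
    cfg, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            cfg.setdefault(section, {})
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            cfg[section][m.group(1)] = m.group(2)
    return cfg

def audit_ldap(gerrit_text, secure_text):
    """Return finding codes for the [ldap] settings split across gerrit.config and secure.config."""
    ldap = parse_git_config(gerrit_text).get('ldap', {})
    secure = parse_git_config(secure_text).get('ldap', {})
    findings = []
    if 'password' in ldap:          # the secret belongs in secure.config, readable only by the Gerrit user
        findings.append('password-in-gerrit.config')
    if 'username' in ldap and 'password' not in secure:
        findings.append('no-bind-password')   # AD answers the search with "a successful bind must be completed"
    for key in ('accountPattern', 'groupMemberPattern'):
        if '${username}' not in ldap.get(key, ''):
            findings.append('missing-placeholder:' + key)
    if ldap.get('server', '').startswith('ldap://') and ldap.get('startTls', 'false').lower() != 'true':
        findings.append('cleartext-bind')     # simple bind over plain ldap:// sends the password unencrypted
    return findings
```

Running audit_ldap on the sample reports the password placement, the missing bind password and the cleartext bind; moving the password to secure.config and switching to ldaps:// clears all three.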