I'm trying to set up Gerrit to use our corporate Active Directory for authentication. I know plenty of people have managed to get this to work but it just won't work for me.
I struggled to get it working (Gerrit 2.13.1). At that time I was in a highly regulated company, so I did not dare to request the creation of a dedicated user for Gerrit in the company's Active Directory. Unfortunately the standard user creation process in this company (in Windows?) was last name and first name, leading to an AD username like:
CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
Expert eyes might suspect the space character in OU=EvilCorp Users, but it is the comma (,) of the LastName, FirstName pattern, as in CN=Doe, John, that created the problem.
Once I had my Gerrit-dedicated user created (GerritUser, without first name), the line:
username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
was accepted and I was able to log in with my usual personal Windows / AD user id and password.
Note that the gerrit.config file is declared invalid if you try to escape the comma, like CN=Doe\, John..., with or without double quotes (").
It is clear to a regex writer that splitting only on the comma would be more convenient.
Note: tested with Gerrit on Windows.
Abstract of etc/gerrit.config
...
[auth]
	type = LDAP
[ldap]
	server = LDAP://xx.yy.zz.ww
	# bind DN of the Gerrit-dedicated user (no comma inside the CN value)
	username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
	# subtree that is searched for the accounts of people logging in
	accountBase = ou=EvilCorp Users,dc=foo,dc=bar,dc=corp
	# ${username} is the id typed at login, matched against sAMAccountName
	accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
	accountFullName = displayName
	accountEmailAddress = mail
...
Abstract of etc/secure.config
...
[ldap]
	# bind password for the username above; it belongs in secure.config, not gerrit.config
	password = Password_Of_GerritUser
...
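To make the failure mode concrete, here is an added example (it is not code from the answer above and does not reproduce Gerrit's own config parser): it contrasts a naive comma split of an LDAP DN, which is what the answer supposes Gerrit is doing, with a split that follows RFC 4514 escaping rules, and it shows how an RDN value such as Doe, John is escaped and unescaped. The DNs are constructed from the answer's placeholders; the function names are my own.

```python
# Added example, not code from the answer above or from Gerrit itself.
# It contrasts a naive comma split of an LDAP DN (the failure the answer
# describes) with an RFC 4514-aware split that honours backslash escapes
# and double-quoted values, and shows how an RDN value is escaped/unescaped.
# The DNs in __main__ are constructed from the answer's placeholders.

RFC4514_SPECIALS = set('"+,;<>\\')


def naive_split_dn(dn: str) -> list[str]:
    """Split on every comma, the way a simplistic config parser would."""
    return [part.strip() for part in dn.split(",")]


def split_dn_rfc4514(dn: str) -> list[str]:
    """Split a DN into its RDN strings, keeping escapes as written.

    A comma is a separator only when it is not preceded by a backslash
    and not inside a double-quoted value (quoting is the older RFC 2253 form).
    """
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped pair: copy both chars
            buf.append(ch + dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def rdns_are_wellformed(rdns: list[str]) -> bool:
    """Every RDN must read 'attribute=value'; a bare 'John' means a bad split."""
    return all("=" in rdn and rdn.split("=", 1)[0].strip() for rdn in rdns)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in RFC4514_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and idx in (0, last):    # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and idx == 0:             # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse escape_rdn_value for a backslash-escaped value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return (attribute, unescaped value) pairs for an RFC 4514 DN."""
    pairs = []
    for rdn in split_dn_rfc4514(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, raw = rdn.split("=", 1)
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]                      # quoted form: strip the quotes
        pairs.append((attr.strip(), unescape_rdn_value(raw)))
    return pairs


if __name__ == "__main__":
    # constructed DNs, built from the answer's placeholders
    personal = "CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp"
    dedicated = "CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp"
    for dn in (personal, dedicated):
        parts = naive_split_dn(dn)
        print(dn, "->", "ok" if rdns_are_wellformed(parts) else "broken", parts)
    escaped = "CN=" + escape_rdn_value("Doe, John") + ",OU=EvilCorp Users,DC=foo"
    print(escaped, "->", parse_dn(escaped))
```

Running it shows the personal DN falling apart into a bare "John" fragment under the naive split while the dedicated user's DN survives, which is exactly the difference the answer observed; the RFC 4514 splitter accepts the backslash-escaped form, so a bind DN that a directory tool accepts may still be refused by an application whose config parser only splits on commas.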