git Gerrit 和活动目录
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10447520/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Gerrit and Active Directory
提问by Adam Rodger
I'm trying to set up Gerrit to use our corporate Active Directory for authentication. I know plenty of people have managed to get this to work but it just won't work for me.
我正在尝试设置 Gerrit 以使用我们公司的 Active Directory 进行身份验证。我知道很多人已经设法让它发挥作用,但它对我不起作用。
If I run an ldapsearchcommand as follows I get the correct result, so I know my search strings are correct:
如果我ldapsearch按如下方式运行命令,我会得到正确的结果,所以我知道我的搜索字符串是正确的:
ldapsearch -h myserver -b "CN=Users,DC=mycompany,DC=com" -D "CN=adam,CN=Users,DC=mycompany,DC=com" -w mypassword "(sAMAccountName=adam)"
But using these same settings in my Gerrit config doesn't work:
但是在我的 Gerrit 配置中使用这些相同的设置不起作用:
[auth]
type = LDAP
[ldap]
server = ldap://myserver
accountBase = CN=Users,DC=mycompany,DC=com
groupBase = OU=Gerrit,DC=mycompany,DC=com
user = CN=adam,CN=Users,DC=mycompany,DC=com
password = mypassword
referral = follow
accountPattern = (sAMAccountName=${username})
groupPattern = (cn=${groupname})
accountFullName = displayName
accountMemberField = memberOf
accountEmailAddress = mail
When I try to log in using my account I get the following exception in etc/error_log:
当我尝试使用我的帐户登录时,出现以下异常etc/error_log:
[2012-05-04 10:03:04,595] ERROR com.google.gerrit.server.auth.ldap.LdapRealm : Cannot query LDAP to autenticate user
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@]; remaining name 'CN=Users,DC=mycompany,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
[...]
Has anyone set up a similar configuration that might be able to help?
有没有人设置过类似的配置,可能会有所帮助?
采纳答案by Adam Rodger
Sorry guys, my fault here. In my config I'm using ldap.useras my setting name instead of ldap.username. Once I changed that my AD binding works properly.
对不起,伙计们,我的错在这里。在我的配置中,我使用ldap.user作为我的设置名称而不是ldap.username. 一旦我改变了我的 AD 绑定工作正常。
回答by Terry Gardner
In your example you use "CN=adam,CN=Users,DC=myusers,DC=com", but the error message indicates that the distinguished name should be something like ...,CN=Users,DC=NRII,DC=com. Check that the base objects you specify in the configuration are correct, for example, to which entry is cn=adamsubordinate?
在您的示例中,您使用"CN=adam,CN=Users,DC=myusers,DC=com",但错误消息表明可分辨名称应该类似于...,CN=Users,DC=NRII,DC=com. 检查您在配置中指定的基础对象是否正确,例如,cn=adam从属于哪个条目?
回答by NGI
I struggled to get it working ( Gerrit 2.13.1 ). At that time I was in a highly regulated company so that I did not dare to request the creation of a dedicated user for Gerrit on the company's Active Directory. Unfortunately the standard user creation process in this company ( in Windows ? ) was last name and first name, leading to a AD username like:
我努力让它工作(Gerrit 2.13.1)。当时我在一家监管严格的公司,所以不敢要求在公司的 Active Directory 上为 Gerrit 创建一个专用用户。不幸的是,这家公司(在 Windows 中?)的标准用户创建过程是姓和名,导致 AD 用户名如下:
CN=Doe, John,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
CN=Doe, John,OU=EvilCorp 用户,DC=foo,DC=bar,DC=corp
^
|
Expert eyes would see problems maybe through the space character in OU=EvilCorp Usersbut this is the comma
专家的眼睛可能会通过OU=EvilCorp Users 中的空格字符看到问题,但这是逗号
,
,
in the LastName, FirstName pattern like CN=Doe, Johnthat created the problem.
在 LastName, FirstName 模式中,如CN=Doe, John造成了问题。
Once I had my Gerrit dedicated user created (GerritUser, without first name), the line:
一旦我创建了我的 Gerrit 专用用户(GerritUser,没有名字),该行:
username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
用户名 = CN=GerritUser,OU=EvilCorp 用户,DC=foo,DC=bar,DC=corp
was accepted and I was able to login with my usual personnal Windows / AD user id and password.
被接受,我可以使用我常用的个人 Windows / AD 用户 ID 和密码登录。
Note that the gerrit.config file is declared invalidif you try to escape the comma like CN=Doe\, John...with or without double quote "
请注意,如果您尝试转义逗号,如CN=Doe\, John...带或不带双引号,则 gerrit.config 文件将被声明为无效
It is clear for a regex writer that cutting on comma only would be more convenient.
对于正则表达式作者来说,很明显,只使用逗号会更方便。
Note: tested with gerrit on Windows
注意:在 Windows 上用 Gerrit 测试过
Abstract of etc/gerrit.config
etc/gerrit.config 的摘要
...
[auth]
type = LDAP
[ldap]
server = LDAP://xx.yy.zz.ww
username = CN=GerritUser,OU=EvilCorp Users,DC=foo,DC=bar,DC=corp
accountBase = ou=EvilCorp Users,dc=foo,dc=bar,dc=corp
accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
accountFullName = displayName
accountEmailAddress = mail
...
Abstract of etc/secure.config
etc/secure.config 的摘要
...
[ldap]
password = Password_Of_GerritUser
...
回答by geoffc
The error is that you are trying to search without binding, but that is what your LDAP app is supposed to do for you, thus Gerrit should have used the info provided, bound, then searched. But the error implies it is skipping a step there.
错误是您试图在没有绑定的情况下进行搜索,但这是您的 LDAP 应用程序应该为您做的,因此 Gerrit 应该使用提供的信息,绑定,然后搜索。但错误意味着它在那里跳过了一步。
