
I've recently migrated from HTTP auth to LDAP for Gerrit auth. However, with the migration, some issues have cropped up. I am not able to clone the Git repo over SSH. Also, from the UI, there's no option available to clone the repo over SSH or registered HTTP.

Only the anonymous HTTP option appears. I think this is probably happening because it's trying to authenticate SSH against LDAP, which I haven't configured. Here's my gerrit.config:

[gerrit]
  basePath = /home/gerrit2/git
  canonicalWebUrl = http://gerrit.myorg.com:8080/
[database]
  type = mysql
  hostname = localhost
  database = reviewdb
  username = gerrit2
[index]
  type = LUCENE
[auth]
  type = LDAP
[ldap]
  server      = ldap://localhost:10389
  username    = cn=abc def,ou=user,dc=myorg,dc=com
  accountBase = ou=user,dc=myorg,dc=com
  groupBase   = ou=user,dc=myorg,dc=com
  referral    = follow
  accountFullName = cn
  accountEmailAddress = mail

[sendemail]
  smtpServer = localhost
[container]
  user = gerrit2
  javaHome = /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.71.x86_64/jre
[sshd]
  listenAddress = *:29418
[httpd]
  listenUrl = http://*:8080/
[cache]
  directory = cache

The error is: Permission denied (Public key).

--------------------------------
Edit:
The SSH logs show me:

user.name - AUTH FAILURE FROM <ip> user-not-found.

Here's the catch: in the Gerrit DB, a username:user.name entry specifies the username that can log on over SSH; with LDAP, this entry is not there. Only gerrit:user.name gets created. Maybe because of this, Gerrit is not authorizing my pubkey, as it did not find the user.name entry in the DB. Any workaround for this?

---------------------------------
Edit 2: I realised that I need to set an attribute to get the SSH credentials created during first login:

[ldap]
    accountSshUserName = ${cn}

However, the issue here is that for the very FIRST login (i.e., the admin login right after Gerrit setup), this SSH account does not get created; for all subsequent new user logins, this account is indeed created, as below:

+------------+----------------------------------+----------+--------------------------+
| account_id | email_address                    | password | external_id              |
+------------+----------------------------------+----------+--------------------------+
|          2 | user2.name2@commonfloor.com      | NULL     | gerrit:user2.name2       |
|          1 | user1.name1@commonfloor.com      | NULL     | gerrit:user1.name1       |
|          2 | NULL                             | NULL     | username:user2.name2     |
+------------+----------------------------------+----------+--------------------------+

Any idea why this aberration occurs? Is this a bug?

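Added example (not the asker's code and not part of Gerrit): a small Python check over rows shaped like the table above that flags accounts holding a gerrit:<name> external id without a matching username:<name> one, which is the condition behind the user-not-found SSH failure described in the question. The sample rows are constructed from the question's table; the table name account_external_ids is an assumption.

```python
# Added example: audit Gerrit external ids (assumed to come from the
# account_external_ids table of the reviewdb shown in the question) and
# report accounts that cannot authenticate over SSH because no
# "username:<name>" external id exists next to their "gerrit:<name>" id.
from collections import defaultdict

# Constructed sample rows, copied from the question's table:
# (account_id, email_address, password, external_id)
SAMPLE_ROWS = [
    (2, "user2.name2@commonfloor.com", None, "gerrit:user2.name2"),
    (1, "user1.name1@commonfloor.com", None, "gerrit:user1.name1"),
    (2, None, None, "username:user2.name2"),
]


def parse_external_id(external_id):
    """Split 'scheme:value' into (scheme, value); ids without a scheme give (None, raw)."""
    scheme, sep, value = external_id.partition(":")
    if not sep:
        return None, external_id
    return scheme, value


def external_ids_by_account(rows):
    """Map account_id -> {scheme: value} so each account's identities can be compared."""
    schemes = defaultdict(dict)
    for account_id, _email, _password, external_id in rows:
        scheme, value = parse_external_id(external_id)
        if scheme is not None:
            schemes[account_id][scheme] = value
    return schemes


def accounts_without_ssh_username(rows):
    """Return {account_id: ldap_name} for accounts with a gerrit: id but no username: id."""
    return {account_id: ids["gerrit"]
            for account_id, ids in external_ids_by_account(rows).items()
            if "gerrit" in ids and "username" not in ids}


def accounts_with_mismatched_username(rows):
    """Return {account_id: (ldap_name, ssh_name)} where both ids exist but disagree,
    which accountSshUserName = ${cn} should never produce for a fresh login."""
    return {account_id: (ids["gerrit"], ids["username"])
            for account_id, ids in external_ids_by_account(rows).items()
            if "gerrit" in ids and "username" in ids and ids["gerrit"] != ids["username"]}


if __name__ == "__main__":
    for account_id, name in accounts_without_ssh_username(SAMPLE_ROWS).items():
        print(f"account {account_id} ({name}): no username: external id, SSH login will fail")
```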
  • Authenticate ssh from ldap? I am not sure how that would work, since ssh uses public/private keys, which seems quite different from the username/password of http or ldap auth. LDAP auth should mean http(s) only. – VonC Dec 01 '14 at 12:18
  • True that. However, I just made a guess. Not sure why this problem is occurring. – Yo Yo Money Singh Dec 01 '14 at 12:21
  • Only anonymous cloning over HTTP is happening. Cloning over ssh or authorized HTTP is not happening. – Yo Yo Money Singh Dec 01 '14 at 12:23
  • ssh should be independent of the auth scheme. https should work. Any chance you can look at the server logs (either the log from the frontend, or from the Gerrit server itself)? – VonC Dec 01 '14 at 12:24
  • ssh -p 29418 user@domain.com isn't working either. The error I get is Permission denied (Public key). However, my public keys are perfectly fine. – Yo Yo Money Singh Dec 01 '14 at 12:27
  • ssh logs show me: user.name - AUTH FAILURE FROM user-not-found. Here's the catch: in the Gerrit DB, username:user.name specifies the username that can log on over ssh; with ldap, this entry is not there. Only gerrit:user.name gets created. Maybe because of this, gerrit is not authorizing my pubkey. – Yo Yo Money Singh Dec 01 '14 at 13:12
  • You could confirm that with a `ssh -Tvvv -p 29418 user@domain.com` – VonC Dec 01 '14 at 13:34
  • @YoYoMoneySingh will the SSH clone link appear if accountSshUserName = ${cn} is added after the admin user is created (very first login)? In my case new users still have HTTP only. SSH clone works, but Gerrit doesn't show the SSH clone link on the general repository view. – Ilia Shakitko May 13 '16 at 00:17
  • In your user profile, had you set a user name? It is possible to create an account without a user name. ssh needs a user name in order to connect. – Alan Green May 01 '19 at 09:34
