Using multiple ldap or AD domains for gerrit authentication
- Details
- Category: Blog
- Published: Thursday, 17 November 2022 16:15
- Written by Lars Berntzon
- Hits: 1904
As far as I know its not directly possible to use multiple LDAP/AD domains for
authentication with gerrit.
You can use multiple LDAP/AD servers but that is only for redundancy.
In order to be able to login from multiple domains then one way is to use a
proxying OpenLDAP server.
In our case this server has its own local user database - which we needed for
historical reasons and also to be able to add local users without having those
accounts in AD.
The setup requires the use of both the ldap and the meta ldap databases.
The meta-database handles rewriting and parsing of login and accounts from
one domain and schema to AD schema.
Lets say in this scenario we have following DIT:s:
Active directory domain: OU=Users,DC=company,DC=com
Local ldap domain: OU=People,DC=local,DC=domain
You want to allow people to login to gerrit from both the local ldap account and from the AD domain.
Then three databases are needed in the slapd.conf file.
First database, a pure proxying for the AD domain as:
# Proxy to real NGAD AD
database ldap
suffix "OU=Users,DC=company,DC=com"
uri "ldap://local.domain/"
lastmod off
Second database, a meta database that gerrit uses to lookup the real DN given only the login name. This real DN is then used for the final authentication. This authentication is made to the same ldap server so that is why this ldap also need to proxy the pure AD DIT.
This is a subordinate domain meaning lookups with be done in this domain first. It has a dummy sub-DIT as it would collide with the top DIT otherwise. It looks like:
# Settings for AD
database meta
suffix "OU=AD,OU=People,DC=local,DC=domain" <- Note the extra sub OU=AD
subordinate
uri "ldap://local.domain/OU=AD,OU=People,DC=local,DC=domain"
rewriteEngine on
rewriteContext searchBase
rewriteRule "OU=AD,OU=People,DC=local,DC=domain" "OU=Users,DC=company,DC=com" ":"
rewriteContext searchFilter
rewriteRule ".uid=(.*)." "(samaccountname=%1)" ":"
idassert-bind bindmethod=simple
binddn="CN=Nisse Hult,OU=Users,DC=company,DC=com" <- This should be a real AD account.
credentials="password-for-Nisse-Hult"
overlay rwm
rwm-map attribute uid sAMAccountName
Finally a local database for local accounts as:
# Local overlay LDAP
database mdb
suffix "DC=local,DC=domain"
directory "/var/lib/ldap"
rootdn "CN=admin,DC=local,DC=domain"
rootpw "{SSHA}jwd892ej8jfdf2df83f" <- encrypted password for cn=admin, created with slappasswd
Except from the above, all "normal" slapd configs must also be in place. I basically just
used the example config with the addition that the rwm overlay and the meta and ldap databases modules must also be loaded like:
moduleload back_ldap
moduleload back_meta
moduleload rwm
I have not tried to convert this to config directory format config allowing configuration changes directly via ldapmodify
but I assume that should work fine also.