Integrate OpenLDAP groups and Gerrit 2.8.3

There were a few changes to group organisation in Gerrit’s schema after version 2.4, so versions newer than 2.5 no longer have the “ldap” type in the ls-groups search:

gerrit@continuum $ ssh -p 29418 gerrit ls-groups --type system
Anonymous Users
Project Owners
Registered Users

gerrit@continuum $ ssh -p 29418 gerrit ls-groups --type ldap
fatal: "ldap" is not a valid value for "--type"

This affects the searches in the WebGUI, too, and it implies that a slightly different organisation of groups is necessary in Gerrit, starting from version 2.5. Tune the [ldap] section of your gerrit.config for OpenLDAP so that groups from OpenLDAP can be used as groups in Gerrit:

server = ldaps://
sslVerify = false
referral = follow
username = cn=gerritproxy,ou=people,dc=example,dc=com
accountScope = subtree
accountBase = ou=people,dc=example,dc=com
accountPattern = (&(objectClass=person)(cn=${username}))
accountFullName = ${givenName} ${sn}
accountEmailAddress = mail
accountSshUserName =
groupScope = subtree
groupBase = ou=groups,dc=example,dc=com
groupPattern = (&(objectClass=groupOfNames)(cn=${groupname}))
groupMemberPattern = (member=${dn})

If the groups are being read, Gerrit offers group name completion as soon as you start typing the name of an OpenLDAP group prefixed by “ldap/…”, just as it does for internal and system groups:

[Screenshot: group name completion in Gerrit, 2014-03-31]

With this, the groups should be usable through Gerrit, and the only problem I found with version 2.8.3 is the inability to somehow pull and populate the username from any of the OpenLDAP data, thus accountSshUserName had to be unset (as can be seen above in the excerpt from gerrit.config), so the user has to set it on the first log-in. Otherwise, no “account_external_ids” would be written in the database, and the user couldn’t use ssh and https access, even with the rest of the data in place.


P.S. If you play with asterisks, as discussed here, make sure the result is actually what you intended: asterisks in Gerrit’s searches are happily expanded to the max, allowing everyone to do everything, which is hardly acceptable!
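
A quick check for the [ldap] section shown above and for the asterisk problem from the P.S., added here as an example (it is not part of the original post or of Gerrit). The host name in the sample, the function names and the wildcard heuristic are assumptions made for the illustration:

```python
import re

# Constructed sample: the article's [ldap] patterns. The host name is a
# placeholder, because the article leaves the server URL elided.
SAMPLE = """
[ldap]
    server = ldaps://ldap.example.com
    sslVerify = false
    accountPattern = (&(objectClass=person)(cn=${username}))
    groupPattern = (&(objectClass=groupOfNames)(cn=${groupname}))
    groupMemberPattern = (member=${dn})
"""

PATTERN_KEYS = ("accountPattern", "groupPattern", "groupMemberPattern")

def parse_ldap_section(text):
    """Return the [ldap] key/value pairs; keys lower-cased (git-config style)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]\s\"]+)[^\]]*\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "ldap" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def audit(text):
    """Return findings for the [ldap] section of a gerrit.config text."""
    cfg, findings = parse_ldap_section(text), []
    if not cfg.get("server", "").lower().startswith("ldaps://"):
        findings.append("server: not an ldaps:// URL")
    # sslVerify defaults to true; false skips server certificate validation.
    if cfg.get("sslverify", "true").lower() == "false":
        findings.append("sslVerify: server certificate is not validated")
    for key in (k for k in PATTERN_KEYS if k.lower() in cfg):
        pattern = cfg[key.lower()]
        if not re.search(r"\$\{[^}]+\}", pattern):
            findings.append(key + ": no ${...} placeholder, same filter for every lookup")
        # Heuristic: '*' left after removing ${...} is a wildcard/presence match.
        if "*" in re.sub(r"\$\{[^}]*\}", "", pattern):
            findings.append(key + ": '*' widens the match")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the configuration from this post it reports only the sslVerify setting; replacing `${dn}` in groupMemberPattern with an asterisk produces both pattern findings.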
