Tag Archives: #Gerrit

Again, a few servers are downed at simulakrum.org!

Today, another wave of electrical power spikes, probably due to the activities of the electro-distribution company in close neighborhood, successfully burned another of my hard-disks, this a time a model I have no spare for at the moment – a Western Digital Raptor.

The part of the development suite we were using here went with the disk, gerrit.simulakrum.org and jenkins.simulakrum.org in particular. Some of the IRC services for ircer.simulakrum.org used that disk, too.

I won’t be able to recover those from backups for at least ten days, and I hereby apologise to users for this unpredicted annoyance.

Digitally communicating from Bosnia once more proved to be a task that is not easily and comfortably accomplished.

Integrate OpenLDAP groups and Gerrit 2.8.3

There had been a few changes regarding group organisation in the Gerrit’s schema after version 2.4, so versions newer than 2.5 will not have the “ldap” type in ls-groups search:

gerrit@continuum $ ssh -p 29418 gerrit.simulakrum.org gerrit ls-groups –type system
Anonymous Users
Project Owners
Registered Users

gerrit@continuum $ ssh -p 29418 gerrit.simulakrum.org gerrit ls-groups –type ldap
fatal: “ldap” is not a valid value for “–type”

This affects the searches in the WebGUI, too, and also implicates that a slightly different organisation of groups is necessary in Gerrit, starting from version 2.5. Tune your [ldap] section for OpenLDAP, so you could use groups from OpenLDAP as groups in Gerrit:

server = ldaps://openldap.example.com:636
sslVerify = false
referral = follow
username = cn=gerritproxy,ou=people,dc=example,dc=com
accountScope = subtree
accountBase = ou=people,dc=example,dc=com
accountPattern = (&(objectClass=person)(cn=${username}))
accountFullName = ${givenName} ${sn}
accountEmailAddress = mail
accountSshUserName =
groupScope = subtree
groupBase = ou=groups,dc=example,dc=com
groupPattern = (&(objectClass=groupOfNames)(cn=${groupname}))
groupMemberPattern = (member=${dn})

If the groups are read, once you start typing the name of the group from OpenLDAP, prefixed by “ldap/…”, the group name completion will be offered by Gerrit, just like it is for internal and system groups:

Screenshot from 2014-03-31 06:09:31

With this, the groups should be usable through Gerrit, and the only problem I found with version 2.8.3 is inability to somehow pull and populate the username from any of the OpenLDAP data, thus the accountSshUserName had to be unset (as can be seen above on the excerpt from the gerrit.config) so the user has to set it on the first log-in. Otherwise, no “account_external_ids” would be written in the database, and the user couldn’t use ssh and https access, even with the rest of the data in place.


P.S. if you play with asterisks, as discussed here, make sure you actually made what you intended: asterisks in Gerrit’s searches are happily expanded to the max, allowing everyone do everything, which is hardly acceptable!

Prepare Eclipse for gerrit.simulakrum.org

There are a few things that should be done before Eclipse is ready for communication with gerrit.simulakrum.org. The http.sslVerify = false directive shoud be add in ~/.gitconfig, either directly editing ~/.gitconfig:

vanja@ip:~> grep -B 1 sslVerify ~/.gitconfig
sslVerify = false

or changing the file using the appropriate tool:

vanja@ip:~> git config –global http.sslVerify false

If a firewall is blocking Gerrit port 29418, and the set up allows only http/https combination, communication with Gerrit can be achieved through a proxy over https. First, log into Gerrit and generate an http password under settings.

I used a Tor/polipo combination to simulate a necessity for proxy here:

vanja@ip:~> netstat -an -A inet | grep LISTEN | egrep ‘9050|8123’
tcp        0      0*               LISTEN
tcp        0      0*               LISTEN

and started Eclipse after exporting proxy variables:

vanja@ip:~> cat Scripts/eclipse.sh
export http_proxy=”″
export https_proxy=”″
./bin/Eclipse/eclipse/eclipse &

Use http_proxy and https_proxy variables of your proxy there. For the address in Import >> Git >> Projects from Git >> URI menu use:


and for user name and password use your LDAP username and the password you generated in Gerrit. Finally, add the commit-msg and set the value of gerrit.createchangeid to true in Eclipse:

Screenshot from 2014-03-28 18:08:51  Screenshot from 2014-03-28 20:23:22

Notice that for test1.git, Eclipse should push to refs/heads/*:refs/for/*

That should be all for initial preparations of Eclipse for gerrit.simulakrum.org. Plenty of other settings could be fine-tuned, but the above-mentioned are specific and necessary for Eclipse to reach repos at gerrit.simulakrum.org over https, if ssh is not available.