FreeIPA as ldap backend
Currently ldap backends configurations are limited to
Active Directory and RFC2307 compliant servers.
Commit bddb0234c7430fc322ddc959a75635d4b34bbc2e disabled ability
to modify accountMemberField for RFC2307 which in effect makes
FreeIPA non-usable because it uses nested groups.
The commit adds support for FreeIPA so Gerrit uses memberOf
attribute. The directory expands nested groups in account object
so group expansion in Gerrit is not necessary.
It is possible to change expansion of nested groups with
ldap.accountMemberExpandGroups config parameter. By default it is
set to true to keep current behavior and to false for FreeIPA.
Edit gerrit.config to enable it:
[auth]
type = LDAP
[ldap]
server = ldap://freeipa.example.com
username = uid=gerrit,cn=sysaccounts,cn=etc,dc=example
password = p1
accountBase = cn=users,cn=accounts,dc=example
groupBase = cn=groups,cn=accounts,dc=example
Username and password is required to read memberOf attribute
starting with FreeIPA version 4.
Change-Id: I0da7f2b22a723065b721c88178b933ecc965c345
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 759e5cd..031f025 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -2679,9 +2679,9 @@
An example LDAP configuration follows, and then discussion of
the parameters introduced here. Suitable defaults for most
parameters are automatically guessed based on the type of server
-detected during startup. The guessed defaults support both
-link:http://www.ietf.org/rfc/rfc2307.txt[RFC 2307] and Active
-Directory.
+detected during startup. The guessed defaults support
+link:http://www.ietf.org/rfc/rfc2307.txt[RFC 2307], Active
+Directory and link:https://www.freeipa.org[FreeIPA].
----
[ldap]
@@ -2785,7 +2785,7 @@
is `(uid=${username})` or `(cn=${username})`, but the proper
setting depends on the LDAP schema used by the directory server.
+
-Default is `(uid=${username})` for RFC 2307 servers,
+Default is `(uid=${username})` for FreeIPA and RFC 2307 servers,
and `(&(objectClass=user)(sAMAccountName=${username}))`
for Active Directory.
@@ -2803,7 +2803,7 @@
If set, users will be unable to modify their full name field, as
Gerrit will populate it only from the LDAP data.
+
-Default is `displayName` for RFC 2307 servers,
+Default is `displayName` for FreeIPA and RFC 2307 servers,
and `${givenName} ${sn}` for Active Directory.
[[ldap.accountEmailAddress]]ldap.accountEmailAddress::
@@ -2846,17 +2846,25 @@
recommended not to make changes to this setting that would cause the
value to differ, as this will prevent users from logging in.
+
-Default is `uid` for RFC 2307 servers,
+Default is `uid` for FreeIPA and RFC 2307 servers,
and `${sAMAccountName.toLowerCase}` for Active Directory.
[[ldap.accountMemberField]]ldap.accountMemberField::
+
_(Optional)_ Name of an attribute on the user account object which
contains the groups the user is part of. Typically used for Active
-Directory servers.
+Directory and FreeIPA servers.
+
Default is unset for RFC 2307 servers (disabled)
-and `memberOf` for Active Directory.
+and `memberOf` for Active Directory and FreeIPA.
+
+[[ldap.accountMemberExpandGroups]]ldap.accountMemberExpandGroups::
++
+_(Optional)_ Whether to expand nested groups recursively. This
+setting is used only if `ldap.accountMemberField` is set.
++
+Default is unset for FreeIPA and `true` for RFC 2307 servers
+and Active Directory.
[[ldap.fetchMemberOfEagerly]]ldap.fetchMemberOfEagerly::
+
@@ -2866,7 +2874,7 @@
as this will result in a much faster LDAP login.
+
Default is unset for RFC 2307 servers (disabled) and `true` for
-Active Directory.
+Active Directory and FreeIPA.
[[ldap.groupBase]]ldap.groupBase::
+
@@ -2895,7 +2903,7 @@
`${groupname}` is replaced with the search term supplied by the
group owner.
+
-Default is `(cn=${groupname})` for RFC 2307,
+Default is `(cn=${groupname})` for FreeIPA and RFC 2307 servers,
and `(&(objectClass=group)(cn=${groupname}))` for Active Directory.
[[ldap.groupMemberPattern]]ldap.groupMemberPattern::
@@ -2913,7 +2921,7 @@
Attributes such as `${dn}` or `${uidNumber}` may be useful.
+
Default is `(|(memberUid=${username})(gidNumber=${gidNumber}))` for
-RFC 2307, and unset (disabled) for Active Directory.
+RFC 2307, and unset (disabled) for Active Directory and FreeIPA.
[[ldap.groupName]]ldap.groupName::
+
