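The currently deployed Gerrit instance uses HTTP basic authentication, i.e. the auth.type field in gerrit.config is HTTP. The steps below switch it to LDAP authentication.
1. Edit gerrit.config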
[auth]
type = LDAP
gitBasicAuthPolicy = LDAP
[ldap]
# Port 636 is the LDAPS (LDAP over TLS) port, so the URL scheme must be ldaps://
server = ldaps://ldap.mydomain.com:636
username = <user_uid>
accountBase = ou=用户,dc=byd,dc=com
accountFullName = displayName
accountEmailAddress = mail
2. Edit secure.config
[ldap]
password = <user_password>
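3. Edit docker-compose.yml and comment out the httpd section (with auth.type = LDAP the web server is not involved in user authentication)
4. Restart
# Stop
docker-compose down
# Start
docker-compose up -d
5. Access the address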
- HTTP_LDAP
Exactly like HTTP (above), but additionally Gerrit pre-populates a user’s full name and email address based on information obtained from the user’s account object in LDAP. The user’s group membership is also pulled from LDAP, making any LDAP groups that a user is a member of available as groups in Gerrit. Hence the _LDAP suffix in the name of this authentication type. Gerrit does NOT authenticate the user via LDAP.

- CLIENT_SSL_CERT_LDAP
This authentication type is actually kind of SSO. Gerrit will configure Jetty’s SSL channel to request the client’s SSL certificate. For this authentication to work a Gerrit administrator has to import the root certificate of the trust chain used to issue the client’s certificate into the <review-site>/etc/keystore. After the authentication is done Gerrit will obtain basic user registration (name and email) from LDAP, and some group memberships. Hence the _LDAP suffix in the name of this authentication type. Gerrit does NOT authenticate the user via LDAP. This authentication type can only be used under hosted daemon mode, and the httpd.listenUrl must use https:// as the protocol. Optionally, certificate revocation list file can be used at <review-site>/etc/crl.pem. For details, see httpd.sslCrl.

- LDAP
Gerrit prompts the user to enter a username and a password, which it then verifies by performing a simple bind against the configured ldap.server. In this configuration the web server is not involved in the user authentication process.
The actual username used in the LDAP simple bind request is the account’s full DN, which is discovered by first querying the directory using either an anonymous request, or the configured ldap.username identity. Gerrit can also use kerberos if ldap.authentication is set to GSSAPI.
If auth.gitBasicAuthPolicy is set to HTTP, the randomly generated HTTP password is used for authentication. On the other hand, if auth.gitBasicAuthPolicy is set to HTTP_LDAP, the password in the request is first checked against the HTTP password and, if it does not match, it is then validated against the LDAP password. Service users that are internal-only are authenticated by their HTTP passwords.

- LDAP_BIND
Gerrit prompts the user to enter a username and a password, which it then verifies by performing a simple bind against the configured ldap.server. In this configuration the web server is not involved in the user authentication process.
Unlike LDAP above, the username used to perform the LDAP simple bind request is the exact string supplied in the dialog by the user. The configured ldap.username identity is not used to obtain account information.
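A pre-restart check for the gerrit.config and secure.config edits in steps 1 and 2, given as an added example that is not part of the original post or of Gerrit itself. The sample host, bind DN and password are constructed; ldap.startTls and ldap.sslVerify are Gerrit options that do not appear in the post's config.

```python
import re
from urllib.parse import urlparse

# Constructed sample files (hypothetical host, DN and password).
WEAK_GERRIT_CONFIG = """
[auth]
  type = LDAP
  gitBasicAuthPolicy = LDAP
[ldap]
  server = ldap://ldap.example.test:636
  username = uid=gerrit,ou=svc,dc=example,dc=test
  password = not-a-real-password
"""
FIXED_GERRIT_CONFIG = WEAK_GERRIT_CONFIG.replace("ldap://", "ldaps://").replace(
    "  password = not-a-real-password\n", "")
FIXED_SECURE_CONFIG = "[ldap]\n  password = not-a-real-password\n"

def parse(text):
    """Minimal reader for the git-config syntax of gerrit.config (plain sections only)."""
    cfg, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[f"{section}.{key.lower()}"] = value
    return cfg

def audit(gerrit_config, secure_config=""):
    """Return a list of findings for the LDAP settings of a Gerrit site."""
    g, s, findings = parse(gerrit_config), parse(secure_config), []
    if g.get("auth.type", "").upper() not in ("LDAP", "LDAP_BIND"):
        findings.append("auth.type is not LDAP or LDAP_BIND: Gerrit does no LDAP bind")
    url = urlparse(g.get("ldap.server", ""))
    if url.scheme == "ldap" and url.port == 636:
        findings.append("ldap.server: ldap:// on 636, the LDAPS port; use ldaps://")
    elif url.scheme == "ldap" and g.get("ldap.starttls", "false").lower() != "true":
        findings.append("ldap.server: cleartext LDAP, bind passwords are sent unencrypted")
    if g.get("ldap.sslverify", "true").lower() == "false":
        findings.append("ldap.sslVerify = false: server certificate is not verified")
    if "ldap.password" in g:
        findings.append("ldap.password is in gerrit.config; keep it in secure.config")
    elif "ldap.username" in g and "ldap.password" not in s:
        findings.append("ldap.username is set but secure.config has no ldap.password")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_GERRIT_CONFIG)) or "no findings")
```

Run it against the real files by passing their contents to audit() before `docker-compose up -d`; an empty list means none of these checks fired.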
Reference:
https://gerrit-documentation.storage.googleapis.com/Documentation/3.9.5/config-gerrit.html#ldap









