Monorail Project: gerrit Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 89 users
Status: Accepted
Owner: ----



Sign in to add a comment
Use LDAP for ssh keys
Reported by rlan...@gmail.com, Sep 7 2011 Back to list
LDAP can hold ssh keys for users, using the openssh lpk schema. It should be possible to configure gerrit to use LDAP for ssh keys instead of its local database.
 
This is a much needed feature.
Comment 2 by sop@google.com, Apr 23 2012
Status: Accepted
The right way to implement this is going to be abstracting more of the account storage so we can just replace the SSH key management with LDAP queries. This means reading the keys for a user account directly from LDAP instead of from the SQL database, and disabling editing of SSH keys in the web UI, these should be managed through the LDAP system if Gerrit's accounts are backed by an LDAP server.

In the long run we should fix Gerrit so that when connected to an LDAP server, all user data comes from the LDAP server, rather than copying selected fields into the SQL database.
Comment 3 by djsza...@gmail.com, Apr 23 2012
I so much agree. This would be awesome to see to come to reality. Hope, someone picks this task ASAP. It would make the world more rounded on our side at least. :-)
Do we already have a change submitted for this issue?
Comment 5 by ji...@airtame.com, Nov 13 2014
With Google deprecating openid, a lot of people are going to switch to ldap, so this feature would make a lot of sense, I might have a hack at it if I get the time.

I take it that nobody has started working on it? My own implementation would be a crude hack that would forcibly synchronize the database backend with whatever is in ldap.
Comment 6 by m...@konqi.net, Nov 14 2014
@ji yes OpenId 2.0 is deprecated but it's successor OAuth 2.0 for Login (OpenID Connect) is and will still be maintained! I don't see why this should be a cause to migrate to LDAP?! 
The main problem I think is, that none of the default / common used LDAP schemes have support for ssh-key fields. You mostly need an additional scheme to be imported and mostly another administration for this. So to get to the point: This feature request is a valid one for me because ssh keys mainly adresses also console applications (commit) while OpenID mainly adresses Web-Applications (view web browser)
I'm using FreeIPA and I would love it if I could tell Gerrit that public ssh keys are stored as 'ipaSshPubKey' for each person. As long as the ssh config is flexible enough, it should't matter what schema the admin has chosen.
I hope I have misunderstood some of the comments suggesting that with the addition of supporting LDAP store of SSH keys, that gerrit will disable the user setting their SSH key in their profile. I would rather see it stated that this feature would allow support to SSH keys from LDAP "IN ADDITION TO" the local database rather than "instead of" the local database.

It would be great for gerrit to be able to use the SSH key stored in LDAP (I don't know any details of this feature) but users may want to use different SSH keys for different servers. It sounds like the way this feature is worded, it would be all LDAP or just the local database. 
I was about to leave a comment arguing for all three scenarios being valid. After getting one sentence in, the potential compromised security issue hit me. Although convenient it introduces single point of failure to the entire keyed infrastructure of your environment.
Comment 10 by m...@websys.io, Feb 25 2015
This is only holding a copy of the public ssh-key in gerrit database, like LDAP does.
I don't see more treat than the actual design.

We use more and more gerrit for enterpise, they like it, but the ldap integration need some love.
This is pretty much the missing feature so far.

We are also using LDAP for accounts managed by a Windows Server, so it would be great to be able to read the ssh public key on the LDAP server.
Project Member Comment 12 by logan@google.com, Aug 17 2016
Labels: Priority-3
Sign in to add a comment