Glad to hear it!

It’s not so much that we don’t require escaping as it is that gitblit does.
It’s a requirement on their end due to something involving their
configuration file format.

Christian


On Sun, Nov 24, 2019 at 23:23 Valentin Kragelj <[email protected]> wrote:

> Yes, that worked beautifully. I just had to change "domain\\username" to
> "domain\username", nothing else.
>
> You mentioned you don't require escaping the backslash. Is there
> documentation stating this that I can read? Maybe there are some other
> important things written there that I should know about.
>
>
>
> On Friday, 22 November 2019 23:22:10 UTC+1, Christian Hammond wrote:
>>
>> Hi Valentin,
>>
>> I'm really not sure about this, but can you try using only a single
>> backslash in that username? If you're going for a DOMAIN\username form, I
>> think Gitblit requires that you escape the backslash, hence the "\\". We
>> don't have that requirement.
>>
>> Christian
>>
>> On Fri, Nov 22, 2019 at 12:28 AM Valentin Kragelj <[email protected]>
>> wrote:
>>
>>> I want to set up LDAP in Review Board. We already have Polarion and Gitblit
>>> servers set up that use LDAP, so I got their LDAP settings. Can you help
>>> me fill in the Review Board settings for LDAP so they will be the same
>>> as the other servers' LDAP settings?
>>>
>>>
>>> *Polarion LDAP settings are in attached picture Capture0.jpg and here*
>>> (changed some fields for obvious security reasons):
>>>
>>>> ldap.bind.password=[REMOVED, here is some password]
>>>>
>>>> # Enable the new-account-form feature by setting the enableCreateAccountForm property below to true.
>>>> # This feature enables users to create a new Polarion account without an admin's assistance.
>>>> # Users created this way will be assigned a license user slot defined by the licenseForNewUserAccount property.
>>>> # For this feature to work properly the Polarion system user (defined in the "login" property above)
>>>> # must have write access to the following 2 folders in the Subversion repository:
>>>> #    /.polarion/user-management/users
>>>> #    /.polarion/security
>>>> #
>>>> # When enableCreateAccountForm is set to true, use these properties:
>>>> #   - minimalPasswordLength=<int> to specify the minimum length of user-defined passwords
>>>> #   - rolesForNewUserAccount (documented later in this file)
>>>> #
>>>> enableCreateAccountForm=false
>>>> minimalPasswordLength=4
>>>>
>>>> # Specifies global roles that will be assigned to new users created either by the new-account-form,
>>>> # or using the LDAP synchronization feature. The value is a comma-separated list of global roles.
>>>> # Default value is "user".
>>>> # ** IMPORTANT: Make sure that at least the 'user' role is in the list, or else users will not be able to log in. **
>>>> rolesForNewUserAccount=user
>>>>
>>>> # The following properties control the license assignment for automatically created user accounts:
>>>> #   - licenseForNewUserAccount=<named/concurrent><Reviewer/Pro/Requirements/QA/ALM> OR <concurrent><Reviewer/Pro/Requirements/QA/ALM>[<Group><name_of_the_group>]
>>>> #   to specify which type of license will be used (in installations where more than one license type is present on server)
>>>> #     for new users created in the following ways:
>>>> #          * Created via the Create Account form
>>>> #          * Created by the auto-create feature
>>>> #          * Created by LDAP synchronization
>>>> #        The "lowest" license type present will be used by default if this property is not specified.
>>>> #        Examples: namedReviewer, concurrentALM OR concurrentALMGroupDepartmentA
>>>> #
>>>> #   - disableLicenseAssignmentInLDAPSynchronize=<true or false> to explicitly enable or disable assignment of license to users
>>>> #        during LDAP synchronization.
>>>> #
>>>> #   - disableLicenseAssignmentInAutocreate=<true or false> to explicitly enable or disable assignment of license to auto-created users.
>>>> #
>>>> licenseForNewUserAccount=
>>>> #
>>>> # Set the following disableLicenseAssignmentInLDAPSynchronize=<true or false> to explicitly
>>>> # enable or disable license assignment to users during LDAP synchronization:
>>>> # disableLicenseAssignmentInLDAPSynchronize=true
>>>> #
>>>> # Set the following disableLicenseAssignmentInAutocreate=<true or false> to explicitly enable or disable
>>>> # license assignment to users created by the auto-create feature:
>>>> # disableLicenseAssignmentInAutocreate=true
>>>>
>>>> # CFR 21 Part 11 compatible e-Signatures
>>>> #
>>>> # The portal will display a dialog asking for a password when certain user actions are invoked by the user.
>>>> # These user actions are:
>>>> # - invoking a Work Item or a Test Run workflow action that has the Requires Signature flag set (in workflow administration)
>>>> # - approving/disapproving a Work Item when "secure.approvals" is set to true
>>>> # - signing/declining of a Document workflow transition
>>>> # - executing a Test Case in a Test Run when the flag "Requires Signature for Test Case execution" is set (in Test Run Types administration)
>>>> #
>>>> # Additional properties "secure.dialog.title" and "secure.dialog.message" may be added below and used to specify
>>>> # the title of the password entry dialog and the message shown there, thereby overriding the system's default
>>>> # title and message for the dialog.
>>>> secure.approvals=false
>>>
>>> *Polarion apache settings* (removed some settings for obvious security
>>> reasons):
>>>
>>>> <IfModule mod_authnz_ldap.c>
>>>>
>>>> # Authenticate against both passwd file and LDAP
>>>> # - allows to combine Polarion-only users with organization-wide users
>>>> AuthBasicProvider file ldap
>>>>
>>>> # LDAP search URL
>>>> # - LDAP port is 389
>>>> # - use ldaps:// for secure LDAP (with port 636)
>>>> # - basedn is the DN of the directory (sub)tree to search in
>>>> # - attribute is the name of user id attribute (used as "Login Name" in Polarion)
>>>> # - scope is the search scope ("sub" for whole subtree under basedn)
>>>> # - filter is the search filter
>>>> # - see more examples below
>>>> #AuthLDAPURL "ldap://host:port/basedn?attribute?scope?filter";
>>>>
>>>> # OpenLDAP and other directories using RFC-2798-compliant inetOrgPerson object class
>>>> #AuthLDAPURL "ldap://host:port/dc=company,dc=com?uid?sub?(objectclass=inetOrgPerson)"
>>>>
>>>> # Active Directory
>>>> #AuthLDAPURL "ldap://host:port/cn=users,dc=company,dc=com?sAMAccountName?sub?(objectclass=user)"
>>>> #AuthLDAPURL "ldap://sisiaddc01.itc.global.mahle:389/OU=MAHLE,DC=itc,DC=global,DC=mahle?sAMAccountName?sub?(objectclass=user)"
>>>> AuthLDAPURL "ldap://[SOME OUR IP]/OU=[SOME],DC=itc,DC=global,DC=[SOME]?sAMAccountName?sub?(objectclass=user)"
>>>> #AuthLDAPURL "ldap://[SOME OUR IP]/OU=[SOME],DC=itc,DC=global,DC=[SOME]?sAMAccountName?sub?(objectclass=user)"
>>>>
>>>> # The user and password used to login to LDAP server to perform the searches
>>>> # - required by Active Directory
>>>> #AuthLDAPBindDN "cn=[USER],cn=users,dc=company,dc=com"
>>>> #AuthLDAPBindPassword "[PASSWORD]"
>>>> AuthLDAPBindDN "CN=S0002937,OU=system,OU=user,OU=si,OU=si,OU=[SOME],DC=itc,DC=global,DC=[SOME]"
>>>> AuthLDAPBindPassword "[SOME OUR PASSWORD]"
>>>> #Uncomment this when "500 Server failed" is returned and Apache's log contains error
>>>> #"This function has not been implemented on this platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of memory?"
>>>> LDAPReferrals Off
>>>>
>>>> </IfModule>
>>>
>>> *Gitblit server* (removed some settings for obvious security reasons):
>>>
>>>> # URL of the LDAP server.
>>>> # To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
>>>> # send StartTLS command.
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.server = ldap://[OUR LDAP SeRVER]
>>>>
>>>> # Login username for LDAP searches.
>>>> # If this value is unspecified, anonymous LDAP login will be used.
>>>> #
>>>> # e.g. mydomain\\username
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.username = itc\\S0002937
>>>>
>>>> # Login password for LDAP searches.
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.password = [SOME PASSWORD]
>>>>
>>>> # Bind pattern for Authentication.
>>>> # Allow to directly authenticate an user without LDAP Searches.
>>>> #
>>>> # e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
>>>> #
>>>> # SINCE 1.5.0
>>>> realm.ldap.bindpattern =
>>>>
>>>> # Delegate team membership control to LDAP.
>>>> #
>>>> # If true, team user memberships will be specified by LDAP groups.  This will
>>>> # disable team selection in Edit User and user selection in Edit Team.
>>>> #
>>>> # If false, LDAP will only be used for authentication and Gitblit will maintain
>>>> # team memberships with the *realm.ldap.backingUserService*.
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.maintainTeams = false
>>>>
>>>> # Root node for all LDAP users
>>>> #
>>>> # This is the root node from which subtree user searches will begin.
>>>> # If blank, Gitblit will search ALL nodes.
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.accountBase = OU=[SOME],DC=itc,DC=global,DC=[SOME]
>>>>
>>>> # Filter criteria for LDAP users
>>>> #
>>>> # Query pattern to use when searching for a user account. This may be any valid
>>>> # LDAP query expression, including the standard (&) and (|) operators.
>>>> #
>>>> # Variables may be injected via the ${variableName} syntax.
>>>> # Recognized variables are:
>>>> #    ${username} - The text entered as the user name
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
>>>>
>>>> # Root node for all LDAP groups to be used as Gitblit Teams
>>>> #
>>>> # This is the root node from which subtree team searches will begin.
>>>> # If blank, Gitblit will search ALL nodes.
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.groupBase = OU=[SOME],DC=itc,DC=global,DC=[SOME]
>>>>
>>>> # Filter criteria for LDAP groups
>>>> #
>>>> # Query pattern to use when searching for a team. This may be any valid
>>>> # LDAP query expression, including the standard (&) and (|) operators.
>>>> #
>>>> # Variables may be injected via the ${variableName} syntax.
>>>> # Recognized variables are:
>>>> #    ${username} - The text entered as the user name
>>>> #    ${dn} - The Distinguished Name of the user logged in
>>>> #
>>>> # All attributes from the LDAP User record are available. For example, if a user
>>>> # has an attribute "fullName" set to "John", "(fn=${fullName})" will be
>>>> # translated to "(fn=John)".
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
>>>>
>>>> # Filter criteria for empty LDAP groups
>>>> #
>>>> # Query pattern to use when searching for an empty team. This may be any valid
>>>> # LDAP query expression, including the standard (&) and (|) operators.
>>>> #
>>>> # default: (&(objectClass=group)(!(member=*)))
>>>> # SINCE 1.4.0
>>>> realm.ldap.groupEmptyMemberPattern = (&(objectClass=group)(!(member=*)))
>>>>
>>>> # LDAP users or groups that should be given administrator privileges.
>>>> #
>>>> # Teams are specified with a leading '@' character.  Groups with spaces in the
>>>> # name can be entered as "@team name".  This setting only applies when using
>>>> # LDAP to maintain team memberships.
>>>> #
>>>> # e.g. realm.ldap.admins = john @git_admins "@git admins"
>>>> #
>>>> # SPACE-DELIMITED
>>>> # SINCE 1.0.0
>>>> realm.ldap.admins = @Git_Admins
>>>>
>>>> # Attribute(s) on the USER record that indicate their display (or full) name.
>>>> # Leave blank for no mapping available in LDAP.
>>>> #
>>>> # This may be a single attribute, or a string of multiple attributes. Examples:
>>>> #  displayName - Uses the attribute 'displayName' on the user record
>>>> #  ${personalTitle}. ${givenName} ${surname} - Will concatenate the 3
>>>> #       attributes together, with a '.' after personalTitle
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.displayName = displayName
>>>>
>>>> # Attribute(s) on the USER record that indicate their email address.
>>>> # Leave blank for no mapping available in LDAP.
>>>> #
>>>> # This may be a single attribute, or a string of multiple attributes. Examples:
>>>> #  email - Uses the attribute 'email' on the user record
>>>> #  ${givenName}.${[email protected] -Will concatenate the 2 attributes
>>>> #       together with a '.' and '@' creating something like [email protected]
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.email = email
>>>>
>>>> # Attribute on the USER record that indicate their username to be used in gitblit
>>>> # when synchronizing users from LDAP
>>>> # if blank, Gitblit will use uid
>>>> # For MS Active Directory this may be sAMAccountName
>>>> #
>>>> # SINCE 1.0.0
>>>> realm.ldap.uid = uid
>>>>
>>>> # Defines whether to synchronize all LDAP users and teams into the user service
>>>> #
>>>> # Valid values: true, false
>>>> # If left blank, false is assumed
>>>> #
>>>> # SINCE 1.4.0
>>>> realm.ldap.synchronize = false
>>>>
>>>> # Defines the period to be used when synchronizing users and teams from ldap.
>>>> #
>>>> # Must be of the form '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'
>>>> # default: 5 MINUTES
>>>> #
>>>> # RESTART REQUIRED
>>>> # SINCE 1.4.0
>>>> realm.ldap.syncPeriod = 15 MINUTES
>>>>
>>>> # Defines whether to delete non-existent LDAP users from the user service
>>>> # during synchronization. depends on  realm.ldap.synchronize = true
>>>> #
>>>> # Valid values: true, false
>>>> # If left blank, true is assumed
>>>> #
>>>> # SINCE 1.4.0
>>>> realm.ldap.removeDeletedUsers = true
>>>
>>>
>>> So far, I filled Review Board LDAP settings like in *Capture1.jpg and
>>> Capture2.jpg*, but when I try to log in I get the error "Error
>>> authenticating with LDAP: The credentials provided for "itc\\S0002937" are
>>> invalid." I am sure the LDAP bind password is correct, I typed it multiple
>>> times.
>>>
>>>
>>> Happy for any offered help!
>>>
>>> -ValeV
>>>
>>> --
>>> Supercharge your Review Board with Power Pack:
>>> https://www.reviewboard.org/powerpack/
>>> Want us to host Review Board for you? Check out RBCommons:
>>> https://rbcommons.com/
>>> Happy user? Let us know! https://www.reviewboard.org/users/
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Review Board Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/reviewboard/c9d1050d-00fe-42d7-9efd-6e1c220b7927%40googlegroups.com
>>> <https://groups.google.com/d/msgid/reviewboard/c9d1050d-00fe-42d7-9efd-6e1c220b7927%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>>
>> --
>> Christian Hammond
>> President/CEO of Beanbag <https://www.beanbaginc.com/>
>> Makers of Review Board <https://www.reviewboard.org/>
>>
-- 
Christian Hammond
President/CEO of Beanbag
Makers of Review Board
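
The escaping difference discussed in this thread, as an added example that is not part of the thread or of either project's code: a decoder for Java `.properties`-style backslash escapes, showing why `itc\\S0002937` in such a file corresponds to the literal `itc\S0002937` in a field that takes its text as typed. It assumes Gitblit's settings file follows those escape rules; the function names and the sample account are constructed for illustration.

```python
import string

SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw):
    """Decode backslash escapes the way a Java .properties loader does."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        i += 1
        if ch != "\\":
            out.append(ch)
            continue
        if i == len(raw):
            break  # lone trailing backslash (line continuation): nothing to emit
        esc = raw[i]
        i += 1
        if esc == "u":
            digits = raw[i:i + 4]
            if len(digits) != 4 or not all(d in string.hexdigits for d in digits):
                raise ValueError("malformed \\uXXXX escape in %r" % raw)
            out.append(chr(int(digits, 16)))
            i += 4
        else:
            # \t \n \r \f are translated; for any other character the
            # backslash is silently dropped, so "\\" yields one backslash.
            out.append(SIMPLE_ESCAPES.get(esc, esc))
    return "".join(out)


def load_properties(text):
    """Parse 'key = value' lines (simplified: '=' separator, no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = unescape_properties_value(value.strip())
    return props


# Constructed sample in the style of the Gitblit settings quoted in the thread.
SAMPLE = r"""
# Login username for LDAP searches.
realm.ldap.username = mydomain\\svc_ldap
realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
"""

if __name__ == "__main__":
    props = load_properties(SAMPLE)
    # The decoded value is what the application binds with, and what belongs
    # in a settings field that takes the text literally.
    print(props["realm.ldap.username"])
```

Under these rules a single backslash is not a safe shortcut inside the properties file: `itc\S0002937` silently loses the backslash, and `mydomain\username` fails to load because `\u` starts a Unicode escape.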
