Merge branch 'stable-3.0'

* stable-3.0:
  NewChangeSender: Set "References" header
  LDAP: support servers that do not allow anonymous
  Bump highlight.js version to 9.15.8 release

Change-Id: I61caf1db3da0ff5a3bfd4579a782dad8ac2b091c

Documentation/config-gerrit.txt

@@ -2984,6 +2984,14 @@ If true, Gerrit will perform StartTLS extended operation.
 +
 By default, false, StartTLS will not be enabled.
 
+[[ldap.supportAnonymous]]ldap.supportAnonymous::
++
+If false, Gerrit will provide credentials only at connection open, this is
+required for some `LDAP` implementations that do not allow anonymous bind
+for StartTLS or for reauthentication.
++
+By default, true.
+
 [[ldap.sslVerify]]ldap.sslVerify::
 +
 If false and ldap.server is an `ldaps://` style URL or `ldap.startTls`

java/com/google/gerrit/server/auth/ldap/Helper.java

@@ -73,6 +73,7 @@ class Helper {
   private final String password;
   private final String referral;
   private final boolean startTls;
+  private final boolean supportAnonymous;
   private final boolean sslVerify;
   private final String authentication;
   private volatile LdapSchema ldapSchema;
@@ -91,6 +92,7 @@ class Helper {
     this.password = LdapRealm.optional(config, "password", "");
     this.referral = LdapRealm.optional(config, "referral", "ignore");
     this.startTls = config.getBoolean("ldap", "startTls", false);
+    this.supportAnonymous = config.getBoolean("ldap", "supportAnonymous", true);
     this.sslVerify = config.getBoolean("ldap", "sslverify", true);
     this.groupsVisibleToAll = config.getBoolean("ldap", "groupsVisibleToAll", false);
     this.authentication = LdapRealm.optional(config, "authentication", "simple");
@@ -170,8 +172,15 @@ class Helper {
     if ("GSSAPI".equals(authentication)) {
       return kerberosOpen(env);
     }
+
+    if (!supportAnonymous && username != null) {
+      env.put(Context.SECURITY_PRINCIPAL, username);
+      env.put(Context.SECURITY_CREDENTIALS, password);
+    }
+
     LdapContext ctx = createContext(env);
-    if (username != null) {
+
+    if (supportAnonymous && username != null) {
       ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, username);
       ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
       ctx.reconnect(null);
@@ -201,12 +210,23 @@ class Helper {
   DirContext authenticate(String dn, String password) throws AccountException {
     final Properties env = createContextProperties();
     try {
+      env.put(Context.REFERRAL, referral);
+
+      if (!supportAnonymous) {
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, dn);
+        env.put(Context.SECURITY_CREDENTIALS, password);
+      }
+
       LdapContext ctx = createContext(env);
+
+      if (supportAnonymous) {
         ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
         ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
         ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
-      ctx.addToEnvironment(Context.REFERRAL, referral);
         ctx.reconnect(null);
+      }
+
       return ctx;
     } catch (IOException | NamingException e) {
       throw new AuthenticationFailedException("Incorrect username or password", e);

java/com/google/gerrit/server/mail/send/NewChangeSender.java

@@ -56,7 +56,9 @@ public abstract class NewChangeSender extends ChangeEmail {
   protected void init() throws EmailException {
     super.init();
 
-    setHeader("Message-ID", getChangeMessageThreadId());
+    String threadId = getChangeMessageThreadId();
+    setHeader("Message-ID", threadId);
+    setHeader("References", threadId);
 
     switch (notify.handling()) {
       case NONE: