Merge branch 'stable-2.11' into stable-2.12

* stable-2.11:
  Document that ldap.groupBase and ldap.accountBase are repeatable
  OAuth-Linking: Don't create new account when claimed identity unknown
  Update 2.11.5 release notes to mention forked buck
  Revert "Update buck to ba9f239f69287a553ca93af76a27484d83693563"

Change-Id: I76b92f8fb11cd2f16e6870e3bd219c454a5bfad8

gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OAuthSessionOverOpenID.java

@@ -125,18 +125,33 @@ class OAuthSessionOverOpenID {
     try {
       String claimedIdentifier = user.getClaimedIdentity();
       Account.Id actualId = accountManager.lookup(user.getExternalId());
-      // Use case 1: claimed identity was provided during handshake phase
+      Account.Id claimedId = null;
+
+      // We try to retrieve claimed identity.
+      // For some reason, for example staging instance
+      // it may deviate from the really old OpenID identity.
+      // What we want to avoid in any event is to create new
+      // account instead of linking to the existing one.
+      // That why we query it here, not to lose linking mode.
       if (!Strings.isNullOrEmpty(claimedIdentifier)) {
-        log.debug("Claimed identity is set");
-        Account.Id claimedId = accountManager.lookup(claimedIdentifier);
-        if (claimedId != null && actualId != null) {
+        claimedId = accountManager.lookup(claimedIdentifier);
+        if (claimedId == null) {
+          log.debug("Claimed identity is unknown");
+        }
+      }
+
+      // Use case 1: claimed identity was provided during handshake phase
+      // and user account exists for this identity
+      if (claimedId != null) {
+        log.debug("Claimed identity is set and is known");
+        if (actualId != null) {
           if (claimedId.equals(actualId)) {
             // Both link to the same account, that's what we expected.
             log.debug("Both link to the same account. All is fine.");
           } else {
             // This is (for now) a fatal error. There are two records
-            // for what might be the same user.
-            //
+            // for what might be the same user. The admin would have to
+            // link the accounts manually.
             log.error("OAuth accounts disagree over user identity:\n"
                 + "  Claimed ID: " + claimedId + " is " + claimedIdentifier
                 + "\n" + "  Delgate ID: " + actualId + " is "
@@ -144,7 +159,7 @@ class OAuthSessionOverOpenID {
             rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
             return;
           }
-        } else if (claimedId != null && actualId == null) {
+        } else {
           // Claimed account already exists: link to it.
           log.debug("Claimed account already exists: link to it.");
           try {