Merge branch 'stable-2.11' into stable-2.12

* stable-2.11:
  Document that ldap.groupBase and ldap.accountBase are repeatable
  OAuth-Linking: Don't create new account when claimed identity unknown
  Update 2.11.5 release notes to mention forked buck
  Revert "Update buck to ba9f239f69287a553ca93af76a27484d83693563"

Change-Id: I76b92f8fb11cd2f16e6870e3bd219c454a5bfad8

Documentation/config-gerrit.txt

@@ -2538,6 +2538,9 @@ server to respond until the TCP connection times out.
 +
 Root of the tree containing all user accounts.  This is typically
 of the form `ou=people,dc=example,dc=com`.
++
+This setting may be added multiple times to specify more than
+one root.
 
 [[ldap.accountScope]]ldap.accountScope::
 +
@@ -2649,6 +2652,9 @@ Active Directory.
 +
 Root of the tree containing all group objects.  This is typically
 of the form `ou=groups,dc=example,dc=com`.
++
+This setting may be added multiple times to specify more than
+one root.
 
 [[ldap.groupScope]]ldap.groupScope::
 +

ReleaseNotes/ReleaseNotes-2.11.5.txt

@@ -9,6 +9,22 @@ https://gerrit-releases.storage.googleapis.com/gerrit-2.11.5.war]
 There are no schema changes from link:ReleaseNotes-2.11.4.html[2.11.4].
 
 
+Important Notes
+---------------
+
+*WARNING:* This release uses a forked version of buck.
+
+Buck was forked to cherry-pick an upstream fix for building on Mac OSX
+El Capitan.
+
+To build this release from source, the Google repository must be added to
+the remotes in the buck checkout:
+
+----
+ $ git remote add google https://gerrit.googlesource.com/buck
+----
+
+
 Bug Fixes
 ---------
 

gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OAuthSessionOverOpenID.java

@@ -125,18 +125,33 @@ class OAuthSessionOverOpenID {
     try {
       String claimedIdentifier = user.getClaimedIdentity();
       Account.Id actualId = accountManager.lookup(user.getExternalId());
-      // Use case 1: claimed identity was provided during handshake phase
+      Account.Id claimedId = null;
+
+      // We try to retrieve claimed identity.
+      // For some reason, for example staging instance
+      // it may deviate from the really old OpenID identity.
+      // What we want to avoid in any event is to create new
+      // account instead of linking to the existing one.
+      // That why we query it here, not to lose linking mode.
       if (!Strings.isNullOrEmpty(claimedIdentifier)) {
-        log.debug("Claimed identity is set");
+        claimedId = accountManager.lookup(claimedIdentifier);
-        Account.Id claimedId = accountManager.lookup(claimedIdentifier);
+        if (claimedId == null) {
-        if (claimedId != null && actualId != null) {
+          log.debug("Claimed identity is unknown");
+        }
+      }
+
+      // Use case 1: claimed identity was provided during handshake phase
+      // and user account exists for this identity
+      if (claimedId != null) {
+        log.debug("Claimed identity is set and is known");
+        if (actualId != null) {
           if (claimedId.equals(actualId)) {
             // Both link to the same account, that's what we expected.
             log.debug("Both link to the same account. All is fine.");
           } else {
             // This is (for now) a fatal error. There are two records
-            // for what might be the same user.
+            // for what might be the same user. The admin would have to
-            //
+            // link the accounts manually.
             log.error("OAuth accounts disagree over user identity:\n"
                 + "  Claimed ID: " + claimedId + " is " + claimedIdentifier
                 + "\n" + "  Delgate ID: " + actualId + " is "
@@ -144,7 +159,7 @@ class OAuthSessionOverOpenID {
             rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
             return;
           }
-        } else if (claimedId != null && actualId == null) {
+        } else {
           // Claimed account already exists: link to it.
           log.debug("Claimed account already exists: link to it.");
           try {