Synchronize account inactive flag with LDAP auth

Implement the capability to automatically synchronize an account's
active/inactive flag with the authentication back-end.

This change is intended to remove the manual steps involved with
activating/deactivating Gerrit accounts when their status changes in the
authentication back-end. Upon interactive login, an account's inactive
flag should be updated accordingly, and the login attempt should
succeed/fail accordingly. To maintain backwards compatibility, this
feature is by default disabled, and can be enabled within gerrit.config
for supported authentication back-ends. Currently, it is implemented only for
LDAP.

Change-Id: I9dc124473ec6c83c369a9eee278bc07fa7cf3d4c
Owen Li
2017-06-14 10:04:00 -04:00
committed by Hugo Arès
parent df2b315886
commit c24f7246dd
4 changed files with 69 additions and 4 deletions

@@ -628,6 +628,18 @@ enable registration of new email addresses.
+
By default, true.
[[auth.autoUpdateAccountActiveStatus]]auth.autoUpdateAccountActiveStatus::
+
Whether to allow automatic synchronization of an account's inactive flag upon login.
If set to true, upon login, if the authentication back-end reports the account as active,
the account's inactive flag in the internal Gerrit database will be updated to be active.
If the authentication back-end reports the account as inactive, the account's flag will be
updated to be inactive and the login attempt will be blocked. Users enabling this feature
should ensure that their authentication back-end is supported. Currently, only
strict 'LDAP' authentication is supported.
+
By default, false.
[[cache]]
=== Section cache
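
Review bot: The new auth.autoUpdateAccountActiveStatus entry says the flag is synchronized "upon login" without saying which logins count, while the commit message limits it to interactive login. The documentation should state that explicitly and say whether access by SSH key or HTTP password triggers the check, because as described an account disabled in the back-end stays active in Gerrit until its next login attempt. "Currently, only strict 'LDAP' authentication is supported" would also be clearer if it named the exact auth.type value(s) covered, and the entry should say what happens when the option is set to true with an unsupported back-end (silently ignored, or a startup error).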