Clarify HTTP_LDAP and CLIENT_SSL_CERT_LDAP
Update the configuration documentation and Javadoc of these auth types to make it explicitly clear that LDAP is only used to gather basic user information and groups, and not to authenticate the user.

Bug: Issue 7086
Change-Id: Ie60cc34b014f9b77041f5b26e421bed728605949
@@ -180,7 +180,9 @@ Exactly like `HTTP` (above), but additionally Gerrit pre-populates
|
||||
a user's full name and email address based on information obtained
|
||||
from the user's account object in LDAP. The user's group membership
|
||||
is also pulled from LDAP, making any LDAP groups that a user is a
|
||||
member of available as groups in Gerrit.
|
||||
member of available as groups in Gerrit. Hence the `_LDAP` suffix in
|
||||
the name of this authentication type. Gerrit does NOT authenticate
|
||||
the user via LDAP.
|
||||
+
|
||||
* `CLIENT_SSL_CERT_LDAP`
|
||||
+
|
||||
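Review bot: The added sentence "Gerrit does NOT authenticate the user via LDAP." at the end of the `HTTP_LDAP` entry says what does not authenticate the user, but not what does. The entry opens with "Exactly like `HTTP` (above)", so consider finishing the thought in place, for example "Authentication is still performed by the container or web server, as with `HTTP`." An administrator who reads only this entry would then not assume that an LDAP bind protects the login.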
@@ -191,7 +193,8 @@ certificate of the trust chain used to issue the client's certificate
|
||||
into the <review-site>/etc/keystore.
|
||||
After the authentication is done Gerrit will obtain basic user
|
||||
registration (name and email) from LDAP, and some group memberships.
|
||||
Therefore, the "_LDAP" suffix in the name of this authentication type.
|
||||
Hence the `_LDAP` suffix in the name of this authentication type.
|
||||
Gerrit does NOT authenticate the user via LDAP.
|
||||
This authentication type can only be used under hosted daemon mode, and
|
||||
the httpd.listenUrl must use https:// as the protocol.
|
||||
Optionally, certificate revocation list file can be used
|
||||
|
||||
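Review bot: The context line "registration (name and email) from LDAP, and some group memberships" in the `CLIENT_SSL_CERT_LDAP` entry stays vague, while the `HTTP_LDAP` entry above says that "any LDAP groups that a user is a member of" become available in Gerrit. Since this change is about making the role of LDAP explicit, align the two descriptions or state which memberships "some" refers to.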
@@ -32,14 +32,17 @@ public enum AuthType {
|
||||
HTTP,
|
||||
|
||||
/**
|
||||
* Login relies upon the container/web server security, but also uses LDAP.
|
||||
* Login relies upon the container/web server security.
|
||||
*
|
||||
* <p>Like {@link #HTTP}, the container or web server must populate an HTTP header with a unique
|
||||
* name for the current user. Gerrit will implicitly trust the value of this header to supply the
|
||||
* unique identity.
|
||||
*
|
||||
* <p>In addition to trusting the HTTP headers, Gerrit will obtain basic user registration (name
|
||||
* and email) from LDAP, and some group memberships.
|
||||
* <p>After the authentication is done Gerrit will obtain basic user registration (name and
|
||||
* email), and some group memberships, from LDP. Hence the "_LDAP" suffix in the name of this
|
||||
* authentication type.
|
||||
*
|
||||
* <p>Gerrit will NOT authenticate the user via LDAP.
|
||||
*/
|
||||
HTTP_LDAP,
|
||||
|
||||
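Review bot: Typo in the added `HTTP_LDAP` Javadoc paragraph: "from LDP" should read "from LDAP". The opening "After the authentication is done" would also be clearer if it named the authentication it means, which for this type is the HTTP header that the preceding paragraph says Gerrit implicitly trusts.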
@@ -51,9 +54,11 @@ public enum AuthType {
|
||||
* to import the root certificate of the trust chain used to issue the client's certificate into
|
||||
* the <review-site>/etc/keystore.
|
||||
*
|
||||
* <p>After the authentication is done Gerrit will obtain basic user registration (name and email)
|
||||
* from LDAP, and some group memberships. Therefore, the "_LDAP" suffix in the name of this
|
||||
* <p>After the authentication is done Gerrit will obtain basic user registration (name and
|
||||
* email), and some group memberships, from LDP. Hence the "_LDAP" suffix in the name of this
|
||||
* authentication type.
|
||||
*
|
||||
* <p>Gerrit will NOT authenticate the user via LDAP.
|
||||
*/
|
||||
CLIENT_SSL_CERT_LDAP,
|
||||
|
||||
|
||||
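Review bot: The added `CLIENT_SSL_CERT_LDAP` Javadoc paragraph carries the same typo as the `HTTP_LDAP` one: "from LDP" should read "from LDAP". Fixing both in the same patch set keeps the two enum comments word-for-word identical, as they are now.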