The currently deployed Gerrit instance uses HTTP basic authentication, i.e. the auth.type field in gerrit.config is set to HTTP. The steps below switch it to LDAP.
1. Modify gerrit.config
[auth]
type = LDAP
gitBasicAuthPolicy = LDAP
[ldap]
# note: 636 is the conventional LDAPS port; Gerrit speaks plaintext LDAP over an ldap:// URL, so ldaps:// is normally what is wanted here
server = ldap://ldap.mydomain.com:636
username = <user_uid>
accountBase = ou=用戶,dc=byd,dc=com
accountFullName = displayName
accountEmailAddress = mail
2. Edit secure.config
[ldap]
# bind password for the ldap.username account; it lives in secure.config rather than gerrit.config
password = <user_password>
3. Modify docker-compose.yml: comment out the httpd section.
4. Restart
# stop
docker-compose down
# start
docker-compose up -d
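Before restarting, it is worth linting the two files the steps above edit. The following pre-flight check is an added example written for this post, not Gerrit's own tooling; it parses gerrit.config and secure.config (git-config style INI) with Python's configparser and reports the mistakes that most often break or weaken an auth.type = LDAP switch-over: a non-LDAP auth.type, gitBasicAuthPolicy left at HTTP, a plaintext ldap:// URL (in particular ldap:// pointed at the LDAPS port 636, as in the snippet above), a missing ldap.username or accountBase, and the bind password placed in gerrit.config instead of secure.config. The two embedded config strings are constructed copies of the snippets above; the placeholder values in angle brackets are the page's own.

```python
"""Pre-flight check for a Gerrit LDAP switch-over (added example, not Gerrit code).

Parses gerrit.config / secure.config (git-config style INI) and returns a
list of findings; an empty list means every check passed.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample files mirroring the snippets in the post; <...> are placeholders.
GERRIT_CONFIG = """\
[auth]
type = LDAP
gitBasicAuthPolicy = LDAP
[ldap]
server = ldap://ldap.mydomain.com:636
username = <user_uid>
accountBase = ou=用戶,dc=byd,dc=com
accountFullName = displayName
accountEmailAddress = mail
"""

SECURE_CONFIG = """\
[ldap]
password = <user_password>
"""

LDAP_AUTH_TYPES = ("LDAP", "LDAP_BIND", "HTTP_LDAP", "CLIENT_SSL_CERT_LDAP")


def parse_git_config(text):
    """git-config files are close enough to INI for configparser.

    Only '=' separates key and value (git-config never uses ':'), comments start
    with '#' or ';', and option names are case-insensitive, as in git.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def check_ldap_setup(gerrit_text, secure_text):
    """Return a list of human-readable findings for the given config contents."""
    g = parse_git_config(gerrit_text)
    s = parse_git_config(secure_text)
    findings = []

    auth_type = g.get("auth", "type", fallback="")
    if auth_type not in LDAP_AUTH_TYPES:
        findings.append(f"auth.type is {auth_type!r}, not an LDAP-backed type")

    # With HTTP policy, git-over-HTTP keeps using generated HTTP passwords, not LDAP ones.
    policy = g.get("auth", "gitBasicAuthPolicy", fallback="")
    if auth_type in ("LDAP", "LDAP_BIND") and policy == "HTTP":
        findings.append("auth.gitBasicAuthPolicy=HTTP: git-over-HTTP will not accept LDAP passwords")

    server = g.get("ldap", "server", fallback="")
    url = urlsplit(server)
    if url.scheme == "ldap" and url.port == 636:
        findings.append("ldap.server uses ldap:// on port 636 (the LDAPS port); "
                        "Gerrit would speak plaintext LDAP to an SSL port, use ldaps://")
    elif url.scheme == "ldap":
        findings.append("ldap.server is plaintext ldap://; bind and user passwords cross the network unencrypted")
    elif url.scheme != "ldaps":
        findings.append(f"ldap.server scheme {url.scheme!r} is not ldap:// or ldaps://")

    for key in ("username", "accountBase"):
        if not g.get("ldap", key, fallback=""):
            findings.append(f"ldap.{key} is missing")

    # The bind password belongs in secure.config, which can be locked down separately.
    if g.has_option("ldap", "password"):
        findings.append("ldap.password is in gerrit.config; move it to secure.config")
    elif g.get("ldap", "username", fallback="") and not s.get("ldap", "password", fallback=""):
        findings.append("ldap.username is set but secure.config has no ldap.password (lookup would bind anonymously)")

    return findings


if __name__ == "__main__":
    for finding in check_ldap_setup(GERRIT_CONFIG, SECURE_CONFIG):
        print("WARN:", finding)
```

Run against the post's own snippet, the only warning is the ldap:// on port 636 mismatch; changing the scheme to ldaps:// clears it. Point the two module constants at real files (for example with `pathlib.Path(...).read_text()`) to check a live site before `docker-compose up -d`.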
5. Access URL

For reference, the Gerrit documentation (linked at the end) describes the LDAP-related auth.type values as follows.

HTTP_LDAP
Exactly like HTTP (above), but additionally Gerrit pre-populates a user's full name and email address based on information obtained from the user's account object in LDAP. The user's group membership is also pulled from LDAP, making any LDAP groups that a user is a member of available as groups in Gerrit. Hence the _LDAP suffix in the name of this authentication type. Gerrit does NOT authenticate the user via LDAP.
CLIENT_SSL_CERT_LDAP
This authentication type is actually a kind of SSO. Gerrit will configure Jetty's SSL channel to request the client's SSL certificate. For this authentication to work a Gerrit administrator has to import the root certificate of the trust chain used to issue the client's certificate into <review-site>/etc/keystore. After the authentication is done Gerrit will obtain basic user registration (name and email) from LDAP, and some group memberships. Hence the _LDAP suffix in the name of this authentication type. Gerrit does NOT authenticate the user via LDAP. This authentication type can only be used under hosted daemon mode, and httpd.listenUrl must use https:// as the protocol. Optionally, a certificate revocation list file can be used at <review-site>/etc/crl.pem. For details, see httpd.sslCrl.
LDAP
Gerrit prompts the user to enter a username and a password, which it then verifies by performing a simple bind against the configured ldap.server. In this configuration the web server is not involved in the user authentication process. The actual username used in the LDAP simple bind request is the account's full DN, which is discovered by first querying the directory using either an anonymous request, or the configured ldap.username identity. Gerrit can also use Kerberos if ldap.authentication is set to GSSAPI.
If auth.gitBasicAuthPolicy is set to HTTP, the randomly generated HTTP password is used for authentication. On the other hand, if auth.gitBasicAuthPolicy is set to HTTP_LDAP, the password in the request is first checked against the HTTP password and, if it does not match, it is then validated against the LDAP password. Service users that are internal-only are authenticated by their HTTP passwords.
LDAP_BIND
Gerrit prompts the user to enter a username and a password, which it then verifies by performing a simple bind against the configured ldap.server. In this configuration the web server is not involved in the user authentication process. Unlike LDAP above, the username used to perform the LDAP simple bind request is the exact string supplied in the dialog by the user. The configured ldap.username identity is not used to obtain account information.
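The difference between the LDAP and LDAP_BIND types, and the way auth.gitBasicAuthPolicy layers HTTP passwords on top of either, is easiest to see as code. The following is an added example written for this post, not Gerrit's implementation: a toy in-memory directory stands in for ldap.server, `ToyLdap`, `GerritAuth` and the entries in `DIRECTORY` are all constructed for illustration, and only the decision flow (look up the DN as ldap.username or anonymously, then bind as that DN; or bind with the typed string verbatim; then apply the HTTP / HTTP_LDAP / LDAP policy for git-over-HTTP) follows the documentation quoted above.

```python
"""Toy model of Gerrit's LDAP-backed login flows (added example, not Gerrit code).

An in-memory directory stands in for ldap.server so the flows can be run offline.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory: DN -> (uid attribute, password). A real server never hands
# passwords back; the tuple only lets the toy bind() verify them.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": ("alice", "ldap-pw-alice"),
    "uid=svc-gerrit,ou=services,dc=example,dc=com": ("svc-gerrit", "svc-secret"),
}


class ToyLdap:
    def __init__(self, allow_anonymous_search=False):
        self.allow_anonymous_search = allow_anonymous_search

    def bind(self, dn, password):
        """Simple bind: succeeds only for an existing DN with the matching password."""
        entry = DIRECTORY.get(dn)
        return entry is not None and entry[1] == password

    def search_dn(self, account_base, uid, bound_as):
        """Find the full DN of `uid` under accountBase; directories may refuse anonymous search."""
        if bound_as is None and not self.allow_anonymous_search:
            raise PermissionError("anonymous search refused by directory")
        for dn, (entry_uid, _) in DIRECTORY.items():
            if dn.endswith("," + account_base) and entry_uid == uid:
                return dn
        return None


@dataclass
class GerritAuth:
    auth_type: str                # "LDAP" or "LDAP_BIND"
    git_basic_auth_policy: str    # "HTTP", "HTTP_LDAP" or "LDAP"
    ldap: ToyLdap
    account_base: str             # ldap.accountBase
    ldap_username: Optional[str] = None  # ldap.username; None means anonymous lookup
    ldap_password: Optional[str] = None  # ldap.password from secure.config
    http_passwords: dict = field(default_factory=dict)  # generated HTTP passwords per user

    def ldap_login(self, username, password):
        """Web-UI login for auth.type LDAP / LDAP_BIND."""
        if self.auth_type == "LDAP_BIND":
            # The string the user typed is used verbatim as the bind name.
            return self.ldap.bind(username, password)
        # auth.type=LDAP: discover the DN (as ldap.username or anonymously), then bind as it.
        bound_as = None
        if self.ldap_username:
            if not self.ldap.bind(self.ldap_username, self.ldap_password):
                return False  # misconfigured service account: nobody can log in
            bound_as = self.ldap_username
        try:
            dn = self.ldap.search_dn(self.account_base, username, bound_as)
        except PermissionError:
            return False  # anonymous lookup refused and no ldap.username configured
        return dn is not None and self.ldap.bind(dn, password)

    def git_http_login(self, username, password):
        """Credential check for git-over-HTTP, following auth.gitBasicAuthPolicy."""
        http_ok = self.http_passwords.get(username) == password
        if self.git_basic_auth_policy == "HTTP":
            return http_ok
        if self.git_basic_auth_policy == "HTTP_LDAP":
            # HTTP password first, LDAP password only if that does not match.
            return http_ok or self.ldap_login(username, password)
        return self.ldap_login(username, password)  # policy LDAP


if __name__ == "__main__":
    site = GerritAuth("LDAP", "HTTP_LDAP", ToyLdap(), "ou=users,dc=example,dc=com",
                      "uid=svc-gerrit,ou=services,dc=example,dc=com", "svc-secret",
                      {"alice": "generated-http-pw"})
    print("web login:", site.ldap_login("alice", "ldap-pw-alice"))
    print("git with HTTP password:", site.git_http_login("alice", "generated-http-pw"))
    print("git with LDAP password:", site.git_http_login("alice", "ldap-pw-alice"))
```

Two things the model makes visible: under LDAP_BIND a user who types the short name `alice` fails, because the directory is asked to bind a DN that does not exist, and under LDAP a directory that refuses anonymous search makes ldap.username (with its password in secure.config) mandatory rather than optional.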
Reference link:
https://gerrit-documentation.storage.googleapis.com/Documentation/3.9.5/config-gerrit.html#ldap