From 750903ff9425111d512e3dc15451904969a102d3 Mon Sep 17 00:00:00 2001
From: Alon Bar-Lev <alon.barlev@gmail.com>
Date: Sat, 21 Sep 2019 21:19:44 +0300
Subject: [PATCH] LDAP: use 'none' authentication for initial connection

JDK 11 changed how an anonymous bind is performed, so the initial connection
must now request the 'none' authentication scheme explicitly for the bind to
succeed.

Bug: Issue 11567
Change-Id: I7e866e26106c4ea84dd2427eef7cc868f1bc6896
---
 Documentation/config-gerrit.txt                     | 8 ++++++++
 java/com/google/gerrit/server/auth/ldap/Helper.java | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index d77a21ddb5..8171eebab8 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -3336,6 +3336,14 @@ On Windows servers the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet
 must have the DWORD value `allowtgtsessionkey` set to 1 and the account must not
 have local administrator privileges.
 
+[[ldap.initialAuthentication]]ldap.initialAuthentication::
++
+The name of authentication scheme to use when establishing initial connection
+before switching into the authentication scheme specified in `authentication`
+setting.
++
+By default, `none`.
+
 [[ldap.useConnectionPooling]]ldap.useConnectionPooling::
 +
 _(Optional)_ Enable the LDAP connection pooling or not.
diff --git a/java/com/google/gerrit/server/auth/ldap/Helper.java b/java/com/google/gerrit/server/auth/ldap/Helper.java
index bafee04648..2a78926e74 100644
--- a/java/com/google/gerrit/server/auth/ldap/Helper.java
+++ b/java/com/google/gerrit/server/auth/ldap/Helper.java
@@ -75,6 +75,7 @@ class Helper {
   private final boolean startTls;
   private final boolean supportAnonymous;
   private final boolean sslVerify;
+  private final String initialAuthentication;
   private final String authentication;
   private volatile LdapSchema ldapSchema;
   private final String readTimeoutMillis;
@@ -95,6 +96,7 @@ class Helper {
     this.supportAnonymous = config.getBoolean("ldap", "supportAnonymous", true);
     this.sslVerify = config.getBoolean("ldap", "sslverify", true);
     this.groupsVisibleToAll = config.getBoolean("ldap", "groupsVisibleToAll", false);
+    this.initialAuthentication = LdapRealm.optional(config, "initialAuthentication", "none");
     this.authentication = LdapRealm.optional(config, "authentication", "simple");
     String readTimeout = LdapRealm.optional(config, "readTimeout");
     if (readTimeout != null) {
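Review bot: The value read on the new `initialAuthentication` line is passed straight through to `Context.SECURITY_AUTHENTICATION` without validation, so a typo in `ldap.initialAuthentication` surfaces only as a `NamingException` on the first `open()` rather than at startup, and nothing in the code says what the string means. A comment on the assignment would make that explicit: `// JNDI Context.SECURITY_AUTHENTICATION value for the initial bind, before credentials are supplied; default 'none' = anonymous bind. Not validated here: an unsupported value fails at open().`. If the class has a logger, a warning when the value is neither `none` nor `simple` would surface the misconfiguration earlier. The enclosing constructor starts before this hunk.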
@@ -167,13 +169,15 @@ class Helper {
 
   DirContext open() throws IOException, NamingException, LoginException {
     final Properties env = createContextProperties();
-    env.put(Context.SECURITY_AUTHENTICATION, authentication);
+    env.put(Context.SECURITY_AUTHENTICATION, initialAuthentication);
     env.put(Context.REFERRAL, referral);
     if ("GSSAPI".equals(authentication)) {
+      env.put(Context.SECURITY_AUTHENTICATION, authentication);
       return kerberosOpen(env);
     }
 
     if (!supportAnonymous && username != null) {
+      env.put(Context.SECURITY_AUTHENTICATION, authentication);
       env.put(Context.SECURITY_PRINCIPAL, username);
       env.put(Context.SECURITY_CREDENTIALS, password);
     }
@@ -181,6 +185,7 @@ class Helper {
     LdapContext ctx = createContext(env);
 
     if (supportAnonymous && username != null) {
+      ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, authentication);
       ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, username);
       ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
       ctx.reconnect(null);
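Review bot: If `ctx.reconnect(null)` fails after the scheme switch on the new line (wrong service-account password, or the server rejecting the configured `authentication`), the anonymously bound `ctx` created a few lines earlier is not closed anywhere visible in this hunk, so each failed `open()` would leak a connection; `try { ctx.reconnect(null); } catch (NamingException e) { ctx.close(); throw e; }` would release it, unless the remainder of `open()` outside the hunk already handles this. The two-phase bind also deserves a comment, since a reader sees the authentication scheme being changed on an already-connected context: `// Initial bind used initialAuthentication (default 'none'); switch to the configured scheme and re-bind with the service credentials on the same connection.`. The end of `open()` lies outside this hunk.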
-- 
2.21.0