authorShawn Pearce <sop@google.com>2013-08-12 19:29:41 -0700
committerShawn Pearce <sop@google.com>2013-08-12 19:29:41 -0700
commit5995feb5abe2834998a9809cdcfc65efd994397d (patch)
treee63cc23c8e74ed7265622abffca52676a24b897f
parentc4a0f0c8f0a30ed30252000373bbb2a68d8481f6 (diff)
parent78c978e40741fdbd5103449a14a5b60614d6fcff (diff)
Merge branch 'stable-2.6' into stable-2.7
* stable-2.6: Expand capabilities of ldap.groupMemberPattern
-rw-r--r--Documentation/config-gerrit.txt4
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java18
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapType.java2
3 files changed, 9 insertions, 15 deletions
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 3591c7793f..daafcf167b 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -1842,8 +1842,8 @@ corresponding attribute (in this case, `fooBarAttribute`) as read
from the user's account object matched under `ldap.accountBase`.
Attributes such as `${dn}` or `${uidNumber}` may be useful.
+
-Default is `(memberUid=${username})` for RFC 2307,
-and unset (disabled) for Active Directory.
+Default is `(|(memberUid=${username})(gidNumber=${gidNumber}))` for
+RFC 2307, and unset (disabled) for Active Directory.
[[ldap.groupName]]ldap.groupName::
+
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
index 0151dde40f..7d0ad24325 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
@@ -197,13 +197,11 @@ import javax.security.auth.login.LoginException;
if (!schema.groupMemberQueryList.isEmpty()) {
final HashMap<String, String> params = new HashMap<String, String>();
- if (schema.groupNeedsAccount) {
- if (account == null) {
- account = findAccount(schema, ctx, username);
- }
- for (String name : schema.groupMemberQueryList.get(0).getParameters()) {
- params.put(name, account.get(name));
- }
+ if (account == null) {
+ account = findAccount(schema, ctx, username);
+ }
+ for (String name : schema.groupMemberQueryList.get(0).getParameters()) {
+ params.put(name, account.get(name));
}
params.put(LdapRealm.USERNAME, username);
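Review bot: The attribute loop now copies `account.get(name)` into `params` for every placeholder without checking that the account entry carries that attribute, and with the new RFC 2307 default this includes `gidNumber` on every login. How a null value is bound into the group filter is not visible here, but since the result decides group membership, a missing attribute should be handled explicitly, for example `String v = account.get(name);` followed by `if (v != null) { params.put(name, v); }` and a log line for the skipped name. `findAccount` is also now called for patterns that only use `${username}`, so any failure it raises reaches configurations that previously never performed the account lookup. The enclosing method starts and ends outside the hunk.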
@@ -286,7 +284,6 @@ import javax.security.auth.login.LoginException;
final String accountMemberField;
final List<LdapQuery> accountQueryList;
- boolean groupNeedsAccount;
final List<String> groupBases;
final SearchScope groupScope;
final ParameterizedString groupPattern;
@@ -321,10 +318,7 @@ import javax.security.auth.login.LoginException;
}
for (final String name : groupMemberQuery.getParameters()) {
- if (!LdapRealm.USERNAME.equals(name)) {
- groupNeedsAccount = true;
- accountAtts.add(name);
- }
+ accountAtts.add(name);
}
groupMemberQueryList.add(groupMemberQuery);
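Review bot: With the `LdapRealm.USERNAME` exclusion removed, `username` is added to `accountAtts` like any other placeholder, so it appears to be requested from the directory as if it were an account attribute. Whatever the directory returns for it is harmless only because Helper calls `params.put(LdapRealm.USERNAME, username)` after its attribute loop. That ordering dependency deserves a comment at `accountAtts.add(name);`, such as `// ${username} is included; Helper overrides it with the login name before the group query`. The enclosing block starts and ends outside the hunk.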
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapType.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapType.java
index db5baebfc0..3c1b0d22b3 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapType.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapType.java
@@ -57,7 +57,7 @@ abstract class LdapType {
@Override
String groupMemberPattern() {
- return "(memberUid=${username})";
+ return "(|(memberUid=${username})(gidNumber=${gidNumber}))";
}
@Override
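Review bot: The new default on the `return` line also matches groups whose `gidNumber` equals the account's own. RFC 2307 sites that never set `ldap.groupMemberPattern` will therefore resolve additional group memberships after upgrading. Group membership typically feeds access control, so the method should say what each clause contributes, for example `// memberUid: explicitly listed members; gidNumber: the group sharing the account's gidNumber`. It is also worth confirming how the filter behaves for accounts that have no `gidNumber` attribute, which this hunk does not show.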