
My organization finds that adding 150 users' pub keys for one single repo to gitolite is a huge task, and administering it would require additional resources. We have around 20 repos of this kind. Is there any other option other than adding users' SSH keys for authorization? We are using the HTTP protocol to access the git repos. Thanks

user2164525

1 Answer

"https access" means you can authenticate through LDAP.

That also means you can configure gitolite to query the LDAP groups of the user:

Gitolite's groups are pretty convenient, but some organizations already have similar (or sufficient) information in their LDAP store.

Gitolite can tap into that information, with a little help.
Write a program which, given a username, queries your LDAP store and returns a space-separated list of groups that the user is a member of.
Then put the full path to this program in an rc variable called GROUPLIST_PGM, like so:

GROUPLIST_PGM           =>  '/home/git/bin/ldap-query-groups',

Now you can use those group names in access rules in gitolite, because the user is a member of those groups as well as any normal gitolite groups you may have added him to in the conf file.

Caution: your program must do its own logging if you want the audit trail of "why/how did this user get access to this repo at this time?" to resolve properly. Gitolite does not do any logging of the results of the queries because for people who don't need it that would be a huge waste.


My own script:

#!/bin/bash
# GROUPLIST_PGM for gitolite: called with the username as $1, must print a
# space-separated list of group names on stdout (empty output = no LDAP groups).
export H="/path/to/home"
export D=3                               # unused in this version
aluser="${1}"
if [[ "${aluser}" == "" ]] ; then exit 0 ; fi
afuser="${H}/gitolite/ldap/${aluser}"    # per-user cache of the resolved groups
afuserl="${afuser}.log"                  # per-user audit log (gitolite itself logs nothing)
# Only numeric company IDs are looked up, and only once: the cache file is never refreshed.
if [[ "${aluser}" =~ ^[0-9]+$  && ! -e "${afuser}" ]] ; then
  echo "Potential Company user, checking group..." >> "${afuserl}"
  lport="1234"
  if [[ "${lport#@}" == "${lport}" && ! -e "${afuser}" ]] ; then
    # Bind with a service account (password "xxxx" is a placeholder) and fetch memberOf.
    l=$(ldapsearch -H ldaps://ldap.server:1234 -x -D "CN=abcd,OU=Accounts,DC=company" -w xxxx -b "OU=People,DC=company" -s sub -a always -z 1000 "(cn~=${aluser})" "memberof" | grep -i "memberof")
    echo "LDAP='${l}'" >> "${afuserl}"
    if [[ "${l#*CN=}" != "${l}" ]] ; then
      names=""
      # Each "memberOf: CN=<group>,OU=...,DC=..." line contributes its CN.
      while read -r line; do
        if [[ "${line#*CN=}" != "${line}" ]] ; then
          aname="${line#*CN=}"
          aname="${aname%%,*}"
          if [[ "${names}" != "" ]] ; then names="${names} " ; fi
          names="${names}${aname}"
        fi
      done <<< "${l}"
      echo "${names}" >> "${afuser}"
    fi
  fi
fi
if [[ -e "${afuser}" ]]; then
  echo "REMOTE_USER_GROUPS='$(cat "${afuser}")' for user '${aluser}'" >> "${afuserl}"
  cat "${afuser}"
fi

No need for any more ssh key!
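An added example (not VonC's script, not gitolite's code) of the parsing step a GROUPLIST_PGM needs, run offline on a constructed ldapsearch output: ldapsearch emits LDIF, which folds long values at 76 columns onto a continuation line starting with a space, so a line-by-line `grep memberof` silently truncates long group DNs. The function below unfolds the LDIF first, then prints the space-separated group list gitolite expects; the sample directory, group names and the `cn=jdoe` filter are assumptions.

```shell
#!/bin/sh
# Read ldapsearch LDIF on stdin, print "group1 group2 ..." on stdout.
parse_member_groups() {
  awk '
    # A line starting with a space continues the previous LDIF line: unfold it.
    /^ / { sub(/^ /, ""); buf = buf $0; next }
    { if (buf != "") handle(buf); buf = $0 }
    END { if (buf != "") handle(buf); print out }
    function handle(l,  v) {
      # Keep only "memberOf: " attribute lines; "memberOf::" (base64) and
      # other attributes are skipped.
      if (tolower(substr(l, 1, 10)) != "memberof: ") return
      v = substr(l, 11)
      if (tolower(substr(v, 1, 3)) != "cn=") return   # value must be a DN starting with CN=
      v = substr(v, 4)
      sub(/,.*/, "", v)                               # keep the CN, drop the rest of the DN
      out = (out == "" ? v : out " " v)
    }
  '
}

# Constructed sample of `ldapsearch ... "(cn=jdoe)" memberOf` output (assumed
# directory layout); the second group DN is folded across two lines, and the
# fold lands inside the CN itself.
SAMPLE_LDIF='dn: CN=jdoe,OU=People,DC=company
memberOf: CN=git-developers,OU=Groups,DC=company
memberOf: CN=release-managers-with-a-very-long-group-name-that-gets-fol
 ded,OU=Groups,DC=company
memberOf: CN=auditors,OU=Groups,DC=company

# search result
search: 2
result: 0 Success'

# Group list for the sample user; this is what gitolite would read from stdout.
groups_for_sample() {
  printf '%s\n' "${SAMPLE_LDIF}" | parse_member_groups
}

# What a naive per-line grep yields for the same input, for comparison.
naive_groups_for_sample() {
  printf '%s\n' "${SAMPLE_LDIF}" | grep -i '^memberof: ' | sed 's/^[^:]*: CN=//; s/,.*//' | tr '\n' ' ' | sed 's/ $//'
}
```

`groups_for_sample` returns the three full group names; `naive_groups_for_sample` returns a truncated second name, which is exactly the kind of silent mismatch that would deny (or grant) access without any trace in the audit log.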

VonC