After initial authentication via loginServlet, the request contains an HTTP request header packed with the mail address of the logged-in user. Can GIT read the header and check it against LDAP for authentication?
1 Answer
1
Git itself, no. It has no concept of authentication (besides the author's email and signed commits).
But an Apache server can authenticate against an LDAP, and then call git.
Or your server can call a script like gitolite (an authorization layer) does (with ipa_groups.pl).
-
My LDAP authentication with git is working. In my scenario I want the HTTP request header, which has a user id, to be checked against the LDAP which is configured in Apache. Is that possible in Apache? – user2164525 Sep 27 '13 at 07:58
-
@user2164525 It works for authentication purposes only (not authorization)... even though I have difficulties with ldap aliases (http://stackoverflow.com/q/18874062/6309), but if you authenticate only against one LDAP, it works. – VonC Sep 27 '13 at 08:00
-
@user2164525: No. It's your ldap authentication with whichever transport git is using. Apache can do the authentication part and gitolite can do the authorization part ([gitolite documentation explains the difference between the two](http://gitolite.com/gitolite/auth.html)). – Jan Hudec Sep 27 '13 at 08:02
-
Currently my git with LDAP authentication and authorization is working perfectly. The requirement is that before my request does an LDAP authentication, it has to be authenticated with the loginservlet URL, which provides an HTTP request header packed with the user mail id. Now this mail id has to be authenticated with LDAP. So I am worried about how the HTTP request header packed with the user mail id can be checked with LDAP, after which it should go for the gitolite authorization. – user2164525 Sep 27 '13 at 09:45
-
git has nothing to do with ldap authentication. When you say "ldap authentication is working perfectly", what tool are you using for said authentication? An Apache server? A Tomcat? A Jetty? An Apache server can make several requests to an ldap, one with the user id, one with the user email. – VonC Sep 27 '13 at 10:27
-
I am using Apache, which does the authentication of the user mail id. An authenticated id and email address will be present in the HTTP request header, but I have no idea how to configure Apache in such a way that it reads the user email id from the HTTP request header. – user2164525 Sep 30 '13 at 07:56
-
@user2164525 do you mean: "how to configure Apache in order to call gitolite with the user's email instead of his/her id"? – VonC Sep 30 '13 at 08:02
-
My current setup is Git accessible over http with ldap authentication and authorization using gitolite. My organization wants GIT to be accessed with much more secured authentication. For example they have a login servlet url which has to be authenticated with a user mail which in turn redirects the authenticated mailid to the http request header. Now the task of apache is to read this user mail from the http header and validate against the ldap which i have configured in apache. – user2164525 Sep 30 '13 at 08:39
-
@user2164525 so you need to modify your ldap search query to use the mailid, instead of the user id, but you don't know how to use said mail id from the http header. Got it. No idea though. – VonC Sep 30 '13 at 08:42
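
The thread ends at the step of turning the mail address from the header into an LDAP search. An added example (not code from the thread or from gitolite) of the checks a script between Apache and the LDAP lookup would apply before running that search: accept the header only from the login front end, require exactly one value, and escape it per RFC 4515. The header name `X-User-Mail`, the `mail` attribute and the front-end address are assumptions.

```python
import re

# Assumptions, not taken from the thread: header name, LDAP attribute "mail",
# and the address of the front end that runs the login servlet (constructed).
MAIL_HEADER = "X-User-Mail"
TRUSTED_FRONT_ENDS = {"10.0.0.5"}

# Conservative shape check; anything outside it is rejected outright.
_MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def mail_filter_from_request(remote_addr, headers):
    """Return an LDAP filter for the asserted mail address, or None to reject.

    headers is a list of (name, value) pairs as received, duplicates included.
    """
    # A client-supplied header proves nothing unless only the login front end
    # can reach this server and it overwrites the header on every request.
    if remote_addr not in TRUSTED_FRONT_ENDS:
        return None
    values = [v for k, v in headers if k.lower() == MAIL_HEADER.lower()]
    if len(values) != 1:  # missing or duplicated header: ambiguous identity
        return None
    mail = values[0].strip()
    if not _MAIL_RE.fullmatch(mail):
        return None
    # Escaping is kept even after the shape check, as defence in depth.
    return "(mail=%s)" % escape_filter_value(mail)


if __name__ == "__main__":
    sample = [("X-User-Mail", "alice@example.com")]  # constructed request
    print(mail_filter_from_request("10.0.0.5", sample))
```

The returned filter identifies the LDAP entry only; which repositories that user may access is still decided by the authorization layer (gitolite in this thread).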