My firm is looking at using git and gitolite but does not want to use SSH keys and would like to use LDAP. Can this be done?

I have never seen this done. Everyplace I have this set up has always used SSH keys.

JMSAZ2013

1 Answer

Yes, you can do it without any issue.

You simply need your Apache to do the authentication part (since gitolite is only an authorization layer), and call gitolite-shell instead of git-http-backend, with REMOTE_USER set by Apache (and used by gitolite-shell).

See a detailed example in "Git with Ldap on Ubuntu with Apache".

The main part of the httpd.conf being:

```apache
SetEnv GIT_PROJECT_ROOT @H@/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GITOLITE_HTTP_HOME @H@
# Requests under /hgit/ are handled by gitolite-shell (the authorization layer)
ScriptAlias /hgit/ @H@/sbin/gitolite-shell/
SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
</FilesMatch>
<Location /hgit>
    SSLOptions +StdEnvVars
    Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
    #AllowOverride All
    order allow,deny
    Allow from all
    # Authentication is done by Apache against LDAP; the authenticated name
    # is passed on as REMOTE_USER. myldap and companyldap are provider names
    # defined elsewhere in the configuration.
    AuthName "LDAP authentication for Smart HTTP Git repositories"
    AuthType Basic
    AuthBasicProvider myldap companyldap
    AuthzLDAPAuthoritative Off
    Require valid-user
    AddHandler cgi-script cgi
</Location>
```

(@H@ is just a template value, to be replaced by your path)

VonC
  • But this looks like everyone will have access to everything. How does gitolite get used in this setup? – JMSAZ2013 Oct 29 '13 at 15:19
  • @JMSAZ2013 no, it doesn't look like everyone will have access to everything. First, you have to authenticate yourself (`Require valid-user`), or you won't have access to any repo. Second, `gitolite-shell` is called ("`ScriptAlias /hgit/ @H@/sbin/gitolite-shell/`"), with your id set in the `REMOTE_USER` variable: if gitolite finds that you aren't authorized to access a particular repo, it will send back a 403 error (Access denied). – VonC Oct 29 '13 at 15:30
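
The split described in the answer and its follow-up comment (Apache authenticates and sets `REMOTE_USER`, then the authorization layer decides per repository), as an added example that is not part of the original posts and is not gitolite's own code. The rule table, user names and repository names are constructed, and repositories are assumed to sit directly under `/hgit/`.

```python
# Simplified model of authenticate-then-authorize for Git smart HTTP.
# NOT gitolite's implementation: the rule format is a constructed subset.
from urllib.parse import urlsplit, parse_qs

# Constructed sample rules: repo -> {LDAP uid: "R" (fetch) or "RW" (fetch + push)}
RULES = {
    "project-a": {"alice": "RW", "bob": "R"},
    "project-b": {"alice": "R"},
}

def needed_perm(url):
    """Map a smart-HTTP request to the permission it needs ("R" or "RW")."""
    parts = urlsplit(url)
    service = parse_qs(parts.query).get("service", [""])[0]
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    # Pushes use the git-receive-pack service; everything else is a read.
    return "RW" if "git-receive-pack" in (service, last) else "R"

def repo_name(url, prefix="/hgit/"):
    """Extract the repository name from a URL under the ScriptAlias prefix."""
    path = urlsplit(url).path
    if not path.startswith(prefix):
        return None
    first = path[len(prefix):].split("/", 1)[0]  # assumption: no nested repo dirs
    return first[:-4] if first.endswith(".git") else first

def handle(url, remote_user):
    """Return the HTTP status the two layers together would produce."""
    # Layer 1 (Apache, `Require valid-user`): no authenticated user, no access.
    if not remote_user:
        return 401
    # Layer 2 (authorization): look up this user's rights on this repo only.
    granted = RULES.get(repo_name(url), {}).get(remote_user)
    if granted is None:
        return 403  # authenticated, but no rule grants access to this repo
    if needed_perm(url) == "RW" and granted != "RW":
        return 403  # may fetch, may not push
    return 200

if __name__ == "__main__":
    for user in ("alice", "bob", None):
        for url in ("/hgit/project-a.git/info/refs?service=git-upload-pack",
                    "/hgit/project-a.git/git-receive-pack",
                    "/hgit/project-b.git/info/refs?service=git-upload-pack"):
            print(user, url, handle(url, user))
```

In the real setup the user names in gitolite's configuration must match the value Apache puts in `REMOTE_USER`, since that is the only identity gitolite sees.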