
I'm running an SVN repo server with LDAP/file auth. This lets me filter which users can access each of the repositories on the server.

Now I'm planning to migrate to GIT and I've already got GIT running through Apache/LDAP, but I cannot manage to get users filtered as I have on SVN.

Is there a way to achieve this?

Thanks

F3RD3F

1 Answer

You can replicate the same authentication mechanism (LDAP auth, declared in your httpd.conf) if you are calling the smart http mechanism behind, as described in "Setting up GIT with Apache Smart HTTP/S and LDAP".

Note that this is different from the authorization part, as explained in Gitolite: authorization vs. authentication, and explained in "Using LDAP as auth method to manage git repositories".

I prefer to use LDAP aliases in order to reference that authentication server multiple times:

```
<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword secret
  AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>
```

Here is an example of a config (with SSL in place) using LDAP:

```
<VirtualHost itsvcprdgit.world.company:8453>
    ServerName itsvcprdgit.world.company
    ServerAlias itsvcprdgit

    SSLCertificateFile "/home/auser/compileEverything/apache/itsvcprdgit.world.company.crt"
    SSLCertificateKeyFile "/home/auser/compileEverything/apache/itsvcprdgit.world.company.key"
    SSLEngine on
    # Starts from ALL, so weak (LOW, EXP) suites remain permitted; tighten for production.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Where git-http-backend looks for repositories; every repository is exported.
    SetEnv GIT_PROJECT_ROOT /home/auser/compileEverything/repositories
    SetEnv GIT_HTTP_EXPORT_ALL

    ScriptAlias /mygit/ /path/to/git-http-backend/
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Location /mygit>
        SSLOptions +StdEnvVars
        Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        #AllowOverride All
        order allow,deny
        Allow from all

        # Authentication only: any user who can bind against the myldap alias gets in.
        AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
        AuthType Basic
        AuthBasicProvider myldap
        AuthzLDAPAuthoritative On

        Require valid-user
        AddHandler cgi-script cgi
    </Location>
    BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog "/home/auser/compileEverything/apache/githttp_ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog "/home/auser/compileEverything/apache/githttp_error_log"
    TransferLog "/home
</VirtualHost>
```
VonC
  • I have an example of such an LDAP-based authentication in my project: https://github.com/VonC/compileEverything/blob/master/apache/env.conf (but it is linked to gitolite, which in turn calls the cgi script '`git-http-backend`'). You could simply replace the gitolite call by the `git-http-backend` and it should work. – VonC Feb 29 '12 at 14:04
  • Maybe I'm not understanding your conf file, but how would it let me handle different git repositories under "/git" for different users? – F3RD3F Feb 29 '12 at 15:21
  • @theopulus: it will handle different repos, because `GIT_PROJECT_ROOT` tells the cgi script where to find them. Different users? Git doesn't care, it doesn't have any authentication/authorization mechanism in it, as detailed in http://stackoverflow.com/a/5685757/6309. This `httpd.conf` would only serve as a "checkpoint", giving access to https://itsvcprdgit/mygit/... to LDAP-based authenticated users. Once this https access is granted, the request is passed along to Git, which promptly ignores the user name. Only an authorization mechanism like Gitolite would use that information (username). – VonC Feb 29 '12 at 15:36
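
The split described in the answer and its last comment (Apache authenticates against LDAP, a separate layer must authorize per repository) can be illustrated with a small per-repository check placed in front of `git-http-backend`. This is an added sketch, not code from the answer or from Gitolite: the `ACL` table, `authorize` and `needed_access` are hypothetical names, the users and repositories are constructed, and a flat `name.git` layout under `GIT_PROJECT_ROOT` is assumed.

```python
import re
from urllib.parse import parse_qs

# Constructed ACL (assumption): repository -> {user: "R" or "RW"}.
ACL = {
    "projA.git": {"alice": "RW", "bob": "R"},
    "projB.git": {"bob": "RW"},
}

# PATH_INFO as seen behind the ScriptAlias prefix: /<repo>.git/<endpoint>
_REPO_PATH = re.compile(r"^/(?P<repo>[A-Za-z0-9._-]+\.git)/(?P<rest>.*)$")


def needed_access(rest, query_string):
    """Return "W" for push traffic (git-receive-pack), "R" for everything else."""
    service = parse_qs(query_string).get("service", [""])[0]
    if rest == "git-receive-pack":
        return "W"
    if rest == "info/refs" and service == "git-receive-pack":
        return "W"
    return "R"


def authorize(remote_user, path_info, query_string="", acl=ACL):
    """Decide whether an already-authenticated user may make this request.

    remote_user is the name Apache exports as REMOTE_USER after the LDAP
    bind succeeded; Git itself never looks at it, so the check lives here.
    """
    if not remote_user:
        return False  # no authenticated identity: deny
    m = _REPO_PATH.match(path_info)
    if not m or ".." in path_info:
        return False  # unknown or traversal-style path: deny by default
    rights = acl.get(m.group("repo"), {}).get(remote_user, "")
    return needed_access(m.group("rest"), query_string) in rights


if __name__ == "__main__":
    # bob may fetch projA but not push to it.
    print(authorize("bob", "/projA.git/info/refs", "service=git-upload-pack"))
    print(authorize("bob", "/projA.git/git-receive-pack"))
```

A wrapper CGI would call `authorize` with `REMOTE_USER`, `PATH_INFO` and `QUERY_STRING` from its environment and hand the request to `git-http-backend` only on `True`, answering 403 otherwise.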