I'm running an SVN repo server with LDAP/file auth. This lets me filter which users will access each of the repositories in the server.

Now I'm planning to migrate to Git and I've already got Git running through Apache/LDAP, but I cannot manage to get users filtered as I have on SVN.

Is there a way to achieve this?

Thanks

1 Answer

You can replicate the same authentication mechanism (LDAP auth, declared in your httpd.conf) if you are calling the smart http mechanism behind, as described in "Setting up GIT with Apache Smart HTTP/S and LDAP".

Note that this is different from the authorization part, as explained in Gitolite: authorization vs. authentication, and explained in "Using LDAP as auth method to manage git repositories".

I prefer to use LDAP aliases in order to reference that authentication server multiple times:

<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword secret
  AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>

Here is an example of a config (with SSL in place) using LDAP:

<VirtualHost itsvcprdgit.world.company:8453>
    ServerName itsvcprdgit.world.company
    ServerAlias itsvcprdgit

    SSLCertificateFile "/home/auser/compileEverything/apache/itsvcprdgit.world.company.crt"
    SSLCertificateKeyFile "/home/auser/compileEverything/apache/itsvcprdgit.world.company.key"
    SSLEngine on
    # Offer strong cipher suites only; export-grade, low-strength, eNULL and SSLv2 suites stay disabled
    SSLCipherSuite HIGH:!aNULL:!MD5

    SetEnv GIT_PROJECT_ROOT /home/auser/compileEverything/repositories
    SetEnv GIT_HTTP_EXPORT_ALL

    ScriptAlias /mygit/ /path/to/git-http-backend/
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Location /mygit>
        SSLOptions +StdEnvVars
        # Every option carries a +/- prefix; mixing prefixed and unprefixed options is not valid syntax
        Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        #AllowOverride All
        order allow,deny
        Allow from all

        AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
        AuthType Basic
        AuthBasicProvider myldap
        AuthzLDAPAuthoritative On

        Require valid-user
        AddHandler cgi-script cgi
    </Location>
    BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog "/home/auser/compileEverything/apache/githttp_ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog "/home/auser/compileEverything/apache/githttp_error_log"
    TransferLog "/home
</VirtualHost>

3 Comments

I have an example of such an LDAP-based authentication in my project: github.com/VonC/compileEverything/blob/master/apache/env.conf (but it is linked to gitolite, which in turn calls the cgi script 'git-http-backend'). You could simply replace the gitolite call by the git-http-backend and it should work.
Maybe I'm not understanding your conf file, but how would it let me handle different git repositories under "/git" for different users?
@theopulus: it will handle different repos, because GIT_PROJECT_ROOT tells the cgi script where to find them. Different users? Git doesn't care, it doesn't have any authentication/authorization mechanism in it, as detailed in stackoverflow.com/a/5685757/6309. This httpd.conf would only serve as a "checkpoint", giving access to itsvcprdgit/mygit... to LDAP-based authenticated users. Once this https access is granted, the request is passed along to Git, which promptly ignores the user name. Only an authorization mechanism like Gitolite would use that information (username).
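
The answer and the last comment separate authentication (Apache/LDAP sets the user name) from authorization (deciding per repository what that user may do). As an added example, not code from the answer or from Gitolite, here is a minimal CGI wrapper that sits in front of git-http-backend and uses REMOTE_USER for per-repository read/write decisions. The ACL contents, the repository and user names, and the backend path are assumptions.

```python
import os
import re
import sys
from urllib.parse import parse_qs

# Constructed sample ACL (hypothetical repos and users): repo -> {user: rights}.
ACL = {
    "projA.git": {"alice": "rw", "bob": "r"},
    "projB.git": {"bob": "rw"},
}
GIT_BACKEND = "/usr/lib/git-core/git-http-backend"  # assumed install path

# Smart HTTP endpoints for top-level repos only; nested paths are not handled here.
_REQ = re.compile(r"/([A-Za-z0-9._-]+\.git)/(info/refs|git-upload-pack|git-receive-pack)")
_RIGHT = {"git-upload-pack": "r", "git-receive-pack": "w"}  # fetch/clone vs push


def is_allowed(user, path_info, query_string=""):
    """Return True only if the authenticated user may run the requested service."""
    m = _REQ.fullmatch(path_info or "")
    if not user or not m:
        return False  # default deny: no user, dumb-HTTP file access, odd paths
    repo, endpoint = m.groups()
    if endpoint == "info/refs":
        # The ref advertisement names the service in the query string.
        service = parse_qs(query_string).get("service", [""])[0]
    else:
        service = endpoint
    needed = _RIGHT.get(service)
    return needed is not None and needed in ACL.get(repo, {}).get(user, "")


def main():
    env = os.environ
    if is_allowed(env.get("REMOTE_USER"), env.get("PATH_INFO"),
                  env.get("QUERY_STRING", "")):
        # Authorized: hand the unchanged CGI environment to Git.
        os.execv(GIT_BACKEND, [GIT_BACKEND])
    sys.stdout.write("Status: 403 Forbidden\r\n"
                     "Content-Type: text/plain\r\n\r\nforbidden\n")


if __name__ == "__main__":
    main()
```

To use it, point the ScriptAlias at this wrapper instead of git-http-backend, so Apache still performs the LDAP authentication and the wrapper only decides authorization.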
