Using LDAP as auth method to manage git repositories_问答_开发者

Using LDAP as auth method to manage git repositories

开发者 https://www.devze.com 2023-04-11 17:19 出处：网络

Does anyone have experience using LDAP as auth method to manage Git Repositories, my boss 开发者_StackOverflowprefers using LDAP than other tools. Any suggestion will be help! More detailed informatio

相关专题：git openldap

You can easily add LDAP authentication to an Apache Httpd server.
And you can easily add a smart http cgi script 'git-http-backend' (packaged with git)

That means you can push to an https address, provided you did enter your LDAP credentials first. You are authorized to access the Apache pages, but the authentication isn't used at all.
See "Difference between mod_authn_ldap and mod_authz_ldap".

However:

that has no relation with the way you sign your commit
that doesn't take care of the authorization side on Git (if you are authenticated, you have access to the git repos), as mentioned in Distributed Version Control Systems and the Enterprise - a Good mix?.

The only way to actually use the authentication, and combine with a Git authorization access is to use Gitolite.

See for instance "Making repositories available to both ssh and http mode clients".

I have setup gitolite with (multiple) LDAP authentication, making the authentication step in the Apache config file, and then calling gitolite with the identified user as a parameter:

First I declare LDAP aliases:

<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword secret
  AuthLDAPURL ldap://localhost:@PORT_LDAP_TEST@/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>

<AuthnProviderAlias ldap companyldap>
  AuthLDAPBindDN "@LDAP_BINDDN@"
  AuthLDAPBindPassword @LDAP_PASSWORD@
  AuthLDAPURL @LDAP_URL@
</AuthnProviderAlias>

(The '@xx@' are templates to be replace by test or production values)

Then I use those aliases in a VirtualHost in which I call gitolite (if the authentication succeeds)

# GitHttp on @PORT_HTTP_HGIT@ (extract)
Listen @PORT_HTTP_HGIT@
<VirtualHost @FQN@:@PORT_HTTP_HGIT@>
    ServerName @FQN@
    ServerAlias @HOSTNAME@
    SetEnv GIT_PROJECT_ROOT @H@/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GITOLITE_HTTP_HOME @H@
    ScriptAlias /hgit/ @H@/sbin/gitolite-shell/  # <=== will call gitolite
    SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
    <Location /hgit>
        Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        #AllowOverride All
        order allow,deny
        Allow from all

        AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
        AuthType Basic
        # Authentication against one ldap, then a second
        AuthBasicProvider myldap companyldap
        AuthzLDAPAuthoritative Off
        Require valid-user
        AddHandler cgi-script cgi
    </Location>
</VirtualHost>

Since you mention OpenLDAP, I'm assuming you want to make this work on a Unix/Linux environment.

Git itself doesn't do authentication afaik. You need to setup ldap to manage the service used to access the git repository. For example if you use SSH then configure your SSH daemon to authenticate against ldap.

How to configure that exactly depends on the exact setup you're using. If you need help with that I recommend posting a detailed question over on serverfault.com.

You may also find this related question interesting.