William Muriithi wrote:
Hello

I have set up gitolite3 and it's working fine when I connect to it
through ssh. I am using LDAP (FreeIPA) for authorization.

When I connect through http/https, I am authenticated, but I believe
authorization is not working.  I have not been able to figure out how to
work around it.

git clone http://will...@git1.example.com/git/Design.git

But after Apache authenticates me, it passes will...@example.loc, not
william, to gitolite. When the name will...@example.loc is passed to
the group searching script, it returns null, hence the error below.


2013-05-29.14:51:19     12567           access(Design,
will...@example.loc, R, 'any'),-> R any Design will...@example.loc
DENIED by fallthru
2013-05-29.14:51:19     12567           trigger,Writable,access_1,
ACCESS_1,Design,will...@example.loc,R,any,R any Design
will...@example.loc DENIED by fallthru
2013-05-29.14:51:19     12567   die     R any Design
will...@example.loc DENIED by fallthru<<newline>>(or you mis-spelled
the reponame)


The question is, how would I coerce Apache or Kerberos to pass
gitolite only the section before the @ character?


With mod_auth_kerb >= 5.4 you can use KrbLocalUserMapping on to strip the realm.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
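
An added example, not part of the original thread or the poster's configuration: an Apache location block using mod_auth_kerb with the KrbLocalUserMapping directive named in the reply. The realm, keytab path and location are assumed placeholders, and the gitolite ScriptAlias setup is assumed to exist already.

```apache
# Constructed example; EXAMPLE.LOC, the keytab path and /git are placeholders.
<Location /git>
    AuthType Kerberos
    AuthName "Git over HTTP"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.LOC
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab

    # Without this directive REMOTE_USER is the full principal (user@REALM).
    # Gitolite takes its user name from REMOTE_USER in HTTP mode, so the
    # group lookup and the access rules see a name they do not know and
    # the request ends in "DENIED by fallthru", as in the log above.
    #
    # With it on (mod_auth_kerb >= 5.4), REMOTE_USER becomes the local
    # user name, i.e. the part before the @.
    KrbLocalUserMapping On

    Require valid-user
</Location>
```

The mapping goes through the Kerberos library's principal-to-local-name translation, so a principal from a realm other than the default realm in krb5.conf needs a matching auth_to_local rule before it will map. After reloading Apache, the gitolite log should show the short user name in the access() line.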
