On 08/11/15 08:07, John Obaterspok wrote:

Anyone got git-http-backend working with freeipa group auhentication and
would like to share their apache .conf file?

I've tried this on the IPA server with a dummy git repository setup in
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git"; prompts (even though I
have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john

<VirtualHost gitserver.my.lan:80>

         DocumentRoot /opt/gitrepos

         # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
         # restorecon -R -v /opt/gitrepos

         SetEnv GIT_PROJECT_ROOT /opt/gitrepos
         ScriptAlias / /usr/libexec/git-core/git-http-backend/
         ServerName gitserver.my.lan

         <Directory "/usr/libexec/git-core">
                 Options Indexes
                 AllowOverride None
                 Require all granted

         <Directory "/opt/gitrepos">
                 Options Indexes
                 AllowOverride None
                 Require all granted

         <LocationMatch "/">
                 AuthType Kerberos
                 AuthName "Kerberos Login"
                 KrbAuthRealm MY.LAN
                 Krb5KeyTab /etc/httpd/conf/ipa.keytab
                 KrbMethodNegotiate on
                 KrbMethodK5Passwd off
                 KrbSaveCredentials on
                 KrbVerifyKDC on
                 KrbServiceName HTTP

                 Require ldap-group cn=ipausers,dc=my,dc=lan

This should probably be somehting like: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan

Although you should probably create a git specific group, especially if you want it to be a posix group that can own files (ipausers is not a posix group and we are actually trying to phase it out)

Also you are not doing LDAP authentication, you only want to do authorization, and for that you may want to actually use nsswitch based authorization which can be cached by sssd and not a query out to LDAP for each connection. Unfortunately the basic Apache modules do not support system group authentication directly, so what you may do instead is to have a cron job that do the following:
getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file

And in apache have set the following directives instead of the above two:
AuthGroupFile /my/authorization/file
Require group git-users


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to