On 08/11/15 08:07, John Obaterspok wrote:
Hello,

Anyone got git-http-backend working with freeipa group authentication and
would like to share their apache .conf file?


I've tried this on the IPA server with a dummy git repository setup in
/opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john


<VirtualHost gitserver.my.lan:80>

         DocumentRoot /opt/gitrepos

         # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
         # restorecon -R -v /opt/gitrepos

         SetEnv GIT_PROJECT_ROOT /opt/gitrepos
         SetEnv GIT_HTTP_EXPORT_ALL
         SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
         ScriptAlias / /usr/libexec/git-core/git-http-backend/
         ServerName gitserver.my.lan

         <Directory "/usr/libexec/git-core">
                 Options Indexes
                 AllowOverride None
                 Require all granted
         </Directory>

         <Directory "/opt/gitrepos">
                 Options Indexes
                 AllowOverride None
                 Require all granted
         </Directory>

         <LocationMatch "/">
                 AuthType Kerberos
                 AuthName "Kerberos Login"
                 KrbAuthRealm MY.LAN
                 Krb5KeyTab /etc/httpd/conf/ipa.keytab
                 KrbMethodNegotiate on
                 KrbMethodK5Passwd off
                 KrbSaveCredentials on
                 KrbVerifyKDC on
                 KrbServiceName HTTP

                 AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
                 Require ldap-group cn=ipausers,dc=my,dc=lan

This should probably be something like: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan

Although you should probably create a git specific group, especially if you want it to be a posix group that can own files (ipausers is not a posix group and we are actually trying to phase it out)

Also you are not doing LDAP authentication, you only want to do authorization, and for that you may want to actually use nsswitch based authorization which can be cached by sssd and not a query out to LDAP for each connection. Unfortunately the basic Apache modules do not support system group authentication directly, so what you may do instead is to have a cron job that does the following:
getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file

And in apache set the following directives instead of the above two:
AuthGroupFile /my/authorization/file
Require group git-users

HTH,
Simo


--
Simo Sorce * Red Hat, Inc * New York
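The cron-job approach Simo describes above, as an added example that is not code from the thread: it resolves named system groups through getent (so sssd's cache answers, not a per-request LDAP query), converts each to the "group: member member" line mod_authz_groupfile expects, and writes the file atomically so Apache never reads a half-written copy. The group names and the output path are assumptions; the thread only uses git-users and /my/authorization/file.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: groups are passed as
# arguments, the output path is a placeholder, and the script runs from
# cron as a user permitted to write that file.

# Convert one getent(1)-style "name:passwd:gid:member1,member2" line into
# the "name: member1 member2" form AuthGroupFile expects.
group_line_to_authgroup() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    members=$(printf '%s\n' "$1" | cut -d: -f4 | tr ',' ' ')
    # An empty group still gets a line, so "Require group" denies cleanly
    # rather than Apache complaining about an unknown group.
    printf '%s: %s\n' "$name" "$members"
}

# Resolve each named group via nsswitch (sssd-cached) and emit one line per
# group. A group that does not resolve is reported on stderr and skipped,
# instead of silently turning into an empty (deny-everyone) file.
build_authgroup_file() {
    for g in "$@"; do
        line=$(getent group "$g" 2>/dev/null) \
            || { echo "warning: group '$g' not found" >&2; continue; }
        group_line_to_authgroup "$line"
    done
}

# Write to a temp file in the same directory, then rename into place: the
# rename is atomic, so httpd sees either the old or the new file.
write_authgroup_file() {
    out=$1; shift
    tmp="$out.tmp.$$"
    build_authgroup_file "$@" > "$tmp" && mv -f "$tmp" "$out"
}

# Example cron invocation (constructed path and group names):
# write_authgroup_file /my/authorization/file git-users git-admins
```

Pair the generated file with `AuthGroupFile /my/authorization/file` and `Require group git-users` as in the reply; the Kerberos directives stay as they are for authentication.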

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
