On Sun, Nov 08, 2015 at 02:07:23PM +0100, John Obaterspok wrote:
> Hello,
>
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
>
>
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
>
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
>
> Any suggestions are welcome!
>
> -- john
>
>
> <VirtualHost gitserver.my.lan:80>
>
>     DocumentRoot /opt/gitrepos
>
>     # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
>     # restorecon -R -v /opt/gitrepos
>
>     SetEnv GIT_PROJECT_ROOT /opt/gitrepos
>     SetEnv GIT_HTTP_EXPORT_ALL
>     SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>     ScriptAlias / /usr/libexec/git-core/git-http-backend/
>     ServerName gitserver.my.lan
>
>     <Directory "/usr/libexec/git-core">
>         Options Indexes
>         AllowOverride None
>         Require all granted
>     </Directory>
>
>     <Directory "/opt/gitrepos">
>         Options Indexes
>         AllowOverride None
>         Require all granted
>     </Directory>
>
>     <LocationMatch "/">
>         AuthType Kerberos
>         AuthName "Kerberos Login"
>         KrbAuthRealm MY.LAN
>         Krb5KeyTab /etc/httpd/conf/ipa.keytab
>         KrbMethodNegotiate on
>         KrbMethodK5Passwd off
>         KrbSaveCredentials on
>         KrbVerifyKDC on
>         KrbServiceName HTTP
>
>         AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
>         Require ldap-group cn=ipausers,dc=my,dc=lan
>         # Allow any authenticated users that are in ipausers group to clone
>     </LocationMatch>
> </VirtualHost>

Hi John,

Have a look at this Stack Overflow question:
http://stackoverflow.com/questions/32788405/how-to-force-git-2-5-http-transport-prefer-spnego-over-basic-authentication

Make sure you provide a (fake) username to trigger the SPNEGO
authentication code.  If this does not work please run with
`GIT_CURL_VERBOSE=1' in environment to reveal what is going on
behind the scenes.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
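
Added example (not part of the original thread, and not code from git or FreeIPA): a small shell helper that reads the trace produced by the GIT_CURL_VERBOSE=1 run suggested above and reports whether the server offered Negotiate and whether the client answered with it. The function names, the verdict strings, the placeholder user name "x" and the sample trace are all constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: summarise a GIT_CURL_VERBOSE=1 trace.
# Capture one with (the user name "x" is a throwaway placeholder):
#   GIT_CURL_VERBOSE=1 git clone http://x@gitserver.my.lan/test1.git 2>trace.log

# Reads a curl verbose trace on stdin and prints a one-line verdict.
# In the trace, "> " lines are request headers, "< " lines are response headers.
classify_trace() {
    awk '
        { line = tolower($0) }                  # header names are case-insensitive
        line ~ /^< http\//                      { status = $3 + 0 }  # last status wins
        line ~ /^< www-authenticate: negotiate/ { offered = 1 }
        line ~ /^> authorization: negotiate/    { sent = 1 }
        line ~ /^> authorization: basic/        { basic = 1 }
        END {
            if (!offered)   print "no-negotiate-offer"
            else if (sent)  print "negotiate-sent final=" status
            else if (basic) print "client-sent-basic"
            else            print "negotiate-not-attempted"
        }'
}

# Constructed sample: the server offers Negotiate, the client never answers it.
sample_trace() {
    cat <<'EOF'
> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
> Host: gitserver.my.lan
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
EOF
}

sample_trace | classify_trace
```

"negotiate-not-attempted" is the case the user-name advice in the reply is aimed at; "negotiate-sent final=401" instead means the token reached Apache and the request was still refused, so the keytab, service principal and LDAP group check on the server are the next places to look.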