On Sun, Nov 08, 2015 at 02:07:23PM +0100, John Obaterspok wrote:
> Hello,
> 
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
> 
> 
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
> 
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
> 
> Any suggestions are welcome!
> 
> -- john
> 
> 
> <VirtualHost gitserver.my.lan:80>
> 
>         DocumentRoot /opt/gitrepos
> 
>         # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
>         # restorecon -R -v /opt/gitrepos
> 
>         SetEnv GIT_PROJECT_ROOT /opt/gitrepos
>         SetEnv GIT_HTTP_EXPORT_ALL
>         SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>         ScriptAlias / /usr/libexec/git-core/git-http-backend/
>         ServerName gitserver.my.lan
> 
>         <Directory "/usr/libexec/git-core">
>                 Options Indexes
>                 AllowOverride None
>                 Require all granted
>         </Directory>
> 
>         <Directory "/opt/gitrepos">
>                 Options Indexes
>                 AllowOverride None
>                 Require all granted
>         </Directory>
> 
>         <LocationMatch "/">
>                 AuthType Kerberos
>                 AuthName "Kerberos Login"
>                 KrbAuthRealm MY.LAN
>                 Krb5KeyTab /etc/httpd/conf/ipa.keytab
>                 KrbMethodNegotiate on
>                 KrbMethodK5Passwd off
>                 KrbSaveCredentials on
>                 KrbVerifyKDC on
>                 KrbServiceName HTTP
> 
>                 AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
>                 Require ldap-group cn=ipausers,dc=my,dc=lan
>                 # Allow any authenticated users that are in the ipausers group to clone
>         </LocationMatch>
> </VirtualHost>
Hi John,

Have a look at this Stack Overflow question:
http://stackoverflow.com/questions/32788405/how-to-force-git-2-5-http-transport-prefer-spnego-over-basic-authentication

Make sure you provide a (fake) username to trigger the SPNEGO
authentication code.  If this does not work please run with
`GIT_CURL_VERBOSE=1' in environment to reveal what is going on
behind the scenes.

Cheers,
Fraser

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
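
Added example (not part of Fraser's reply or the original thread): a shell helper that reads a trace captured with `GIT_CURL_VERBOSE=1`, as suggested above, and reports whether the server offered Negotiate and whether the client attempted it. It assumes the libcurl verbose format in which `<` marks received and `>` marks sent header lines; the verdict names and the sample traces are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a trace captured with:
#   GIT_CURL_VERBOSE=1 git clone http://gitserver.my.lan/test1.git 2>trace.txt
# Verdict names are made up for this example.
classify_trace() {   # reads the trace on stdin, prints one verdict
    awk '
        { sub(/\r$/, ""); line = tolower($0) }      # header lines end in CRLF
        /^< HTTP\//                             { status = $3 }  # last response status
        line ~ /^< www-authenticate: negotiate/ { offered = 1 }
        line ~ /^> authorization: negotiate/    { sent_nego = 1 }
        line ~ /^> authorization: basic/        { sent_basic = 1 }
        END {
            if (!offered)                        print "negotiate-not-offered"
            else if (sent_nego && status ~ /^2/) print "spnego-ok"
            else if (sent_nego)                  print "spnego-rejected"
            else if (sent_basic)                 print "basic-sent-instead"
            else                                 print "negotiate-not-attempted"
        }'
}

# Constructed sample traces (shortened; token values are placeholders).
trace_not_attempted() {
    cat <<'EOF'
> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
EOF
}

trace_ok() {
    cat <<'EOF'
> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
> Authorization: Negotiate PLACEHOLDER_TOKEN
< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate PLACEHOLDER_REPLY
EOF
}

echo "ticket not used: $(trace_not_attempted | classify_trace)"
echo "working setup:   $(trace_ok | classify_trace)"
```

A `negotiate-not-offered` verdict points at the Apache side (the `AuthType Kerberos` block is not being applied to the request), while `negotiate-not-attempted` points at the client side.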
