Thanks Simo & Fraser, Creating a .netrc file on the client computer with according to the SO postings with below content made things work perfectly! machine gitserver.my.lan username '' password '' machine gitserver username '' password ''
I would like to use TLS and I've made it work by turning off ssl validation in git: git config --global http.sslVerify false If I would like to use ssl validation, is there some way to use a certificate for the CNAME? Seems I can only add certificate (at least from the UI) for a valid principal? (I'm using freeipa-server 4.2.3 on F23) Regards, -- john 2015-11-08 23:55 GMT+01:00 Simo Sorce <s...@redhat.com>: > On 08/11/15 08:07, John Obaterspok wrote: > >> Hello, >> >> Anyone got git-http-backend working with freeipa group auhentication and >> would like to share their apache .conf file? >> >> >> I've tried this on the IPA server with a dummy git repository setup in >> /opt/gitrepos/test1.git >> gitserver.my.lan is a CNAME for ipaserver.my.lan >> >> First, "git clone http://gitserver.my.lan/test1.git" prompts (even >> though I >> have a ticket) for user+pwd but still fails. >> >> Any suggestions are welcome! >> >> -- john >> >> >> <VirtualHost gitserver.my.lan:80> >> >> DocumentRoot /opt/gitrepos >> >> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?' >> # restorecon -R -v /opt/gitrepos >> >> SetEnv GIT_PROJECT_ROOT /opt/gitrepos >> SetEnv GIT_HTTP_EXPORT_ALL >> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER >> ScriptAlias / /usr/libexec/git-core/git-http-backend/ >> ServerName gitserver.my.lan >> >> <Directory "/usr/libexec/git-core"> >> Options Indexes >> AllowOverride None >> Require all granted >> </Directory> >> >> <Directory "/opt/gitrepos"> >> Options Indexes >> AllowOverride None >> Require all granted >> </Directory> >> >> <LocationMatch "/"> >> AuthType Kerberos >> AuthName "Kerberos Login" >> KrbAuthRealm MY.LAN >> Krb5KeyTab /etc/httpd/conf/ipa.keytab >> KrbMethodNegotiate on >> KrbMethodK5Passwd off >> KrbSaveCredentials on >> KrbVerifyKDC on >> KrbServiceName HTTP >> >> AuthLDAPUrl >> ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName >> Require ldap-group cn=ipausers,dc=my,dc=lan >> > > This should probably be somehting like: > cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan > > Although you should probably create a git specific group, especially if > you want it to be a posix group that can own files (ipausers is not a posix > group and we are actually trying to phase it out) > > Also you are not doing LDAP authentication, you only want to do > authorization, and for that you may want to actually use nsswitch based > authorization which can be cached by sssd and not a query out to LDAP for > each connection. > Unfortunately the basic Apache modules do not support system group > authentication directly, so what you may do instead is to have a cron job > that do the following: > getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file > > And in apache have set the following directives instead of the above two: > AuthGroupFile /my/authorization/file > Require group git-users > > HTH, > Simo > > > -- > Simo Sorce * Red Hat, Inc * New York > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project