On Wed, Nov 11, 2015 at 10:26:11PM +0100, John Obaterspok wrote:
> Thanks Simo & Fraser,
>
> Creating a .netrc file on the client computer according to the SO
> postings, with the content below, made things work perfectly!
> machine gitserver.my.lan username '' password ''
> machine gitserver username '' password ''
>
> I would like to use TLS and I've made it work by turning off ssl validation
> in git:
> git config --global http.sslVerify false
>
> If I would like to use ssl validation, is there some way to use a
> certificate for the CNAME? Seems I can only add a certificate (at least from
> the UI) for a valid principal?
>
> (I'm using freeipa-server 4.2.3 on F23)
>
> Regards,
>
> -- john
>

Hi John, glad to hear of your success.
For a certificate, you can add the (bogus) host and the principal and then
issue a certificate in the normal way.

  $ ipa host-add gitserver.my.lan
  $ ipa service-add HTTP/gitserver.my.lan

I'm not sure if there's a way to add the principal directly, absent a
corresponding host. If someone knows how please speak up!

Cheers,
Fraser

>
> 2015-11-08 23:55 GMT+01:00 Simo Sorce <s...@redhat.com>:
>
> > On 08/11/15 08:07, John Obaterspok wrote:
> >
> >> Hello,
> >>
> >> Anyone got git-http-backend working with freeipa group authentication and
> >> would like to share their apache .conf file?
> >>
> >> I've tried this on the IPA server with a dummy git repository set up in
> >> /opt/gitrepos/test1.git
> >> gitserver.my.lan is a CNAME for ipaserver.my.lan
> >>
> >> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> >> have a ticket) for user+pwd but still fails.
> >>
> >> Any suggestions are welcome!
> >>
> >> -- john
> >>
> >> <VirtualHost gitserver.my.lan:80>
> >>
> >>     DocumentRoot /opt/gitrepos
> >>
> >>     # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> >>     # restorecon -R -v /opt/gitrepos
> >>
> >>     SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> >>     SetEnv GIT_HTTP_EXPORT_ALL
> >>     SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> >>     ScriptAlias / /usr/libexec/git-core/git-http-backend/
> >>     ServerName gitserver.my.lan
> >>
> >>     <Directory "/usr/libexec/git-core">
> >>         Options Indexes
> >>         AllowOverride None
> >>         Require all granted
> >>     </Directory>
> >>
> >>     <Directory "/opt/gitrepos">
> >>         Options Indexes
> >>         AllowOverride None
> >>         Require all granted
> >>     </Directory>
> >>
> >>     <LocationMatch "/">
> >>         AuthType Kerberos
> >>         AuthName "Kerberos Login"
> >>         KrbAuthRealm MY.LAN
> >>         Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >>         KrbMethodNegotiate on
> >>         KrbMethodK5Passwd off
> >>         KrbSaveCredentials on
> >>         KrbVerifyKDC on
> >>         KrbServiceName HTTP
> >>
> >>         AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> >>         Require ldap-group cn=ipausers,dc=my,dc=lan
> >>
> >
> > This should probably be something like:
> > cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >
> > Although you should probably create a git specific group, especially if
> > you want it to be a posix group that can own files (ipausers is not a posix
> > group and we are actually trying to phase it out)
> >
> > Also you are not doing LDAP authentication, you only want to do
> > authorization, and for that you may want to actually use nsswitch based
> > authorization which can be cached by sssd and not a query out to LDAP for
> > each connection.
> > Unfortunately the basic Apache modules do not support system group
> > authentication directly, so what you may do instead is to have a cron job
> > that does the following:
> > getent group git-users | cut -d: -f1,4 | tr ',' ' ' > /my/authorization/file
> >
> > And in apache have set the following directives instead of the above two:
> > AuthGroupFile /my/authorization/file
> > Require group git-users
> >
> > HTH,
> > Simo
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
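On the certificate question, an added example that is not part of the thread. Setting `http.sslVerify false` removes server authentication entirely, so the client then has no way to tell the real git server from anything else answering on that name; the fix John is asking about is to keep verification on, trust the IPA CA on the client, and make sure the certificate httpd presents for the gitserver.my.lan vhost carries that name as a subjectAltName (the request Fraser describes is for HTTP/gitserver.my.lan, so the DNS name goes with that principal). The script below builds a throwaway CA and two leaf certificates with openssl(1), constructed stand-ins for the IPA CA and the httpd certificate rather than anything issued by IPA, and checks, the way a verifying client does, that only the certificate whose SAN lists the CNAME validates for gitserver.my.lan. The `ipa-getcert` line in the comments is the usual shape of a certmonger request and is not executed; the key and certificate paths in it are placeholders, so check getcert-request(1) for the flags on your version.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a certificate covers the
# CNAME gitserver.my.lan, instead of switching git's TLS verification off.
#
# IPA-side steps (Fraser's host-add/service-add, then a certmonger request;
# shown for context only, not executed here; paths are placeholders):
#   ipa host-add gitserver.my.lan
#   ipa service-add HTTP/gitserver.my.lan
#   ipa-getcert request -K HTTP/gitserver.my.lan -D gitserver.my.lan \
#       -k /etc/pki/tls/private/gitserver.key -f /etc/pki/tls/certs/gitserver.crt
#
# Client side, instead of "git config --global http.sslVerify false", point
# git at the IPA CA that ipa-client-install already installed:
#   git config --global http.sslCAInfo /etc/ipa/ca.crt

# make_test_pki DIR: create a throwaway CA (stand-in for the IPA CA) and two
# leaf certificates whose subject is the canonical host ipaserver.my.lan.
# good.crt also lists the CNAME in subjectAltName; bad.crt does not.
# Everything is constructed test material with one day of validity.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Test IPA CA' -keyout "$d/ca.key" -out "$d/ca.crt" \
        >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:ipaserver.my.lan,DNS:gitserver.my.lan\n' > "$d/good.ext"
    printf 'subjectAltName=DNS:ipaserver.my.lan\n' > "$d/bad.ext"
    for name in good bad; do
        openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ipaserver.my.lan' \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -days 1 -in "$d/$name.csr" \
            -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -extfile "$d/$name.ext" -out "$d/$name.crt" >/dev/null 2>&1 || return 1
    done
}

# cert_valid_for_host CA CERT HOST: exit 0 if CERT chains to CA and its
# subjectAltName matches HOST, the same two checks a verifying client makes
# before it sends a Negotiate token or .netrc credentials. Once a SAN is
# present the CN is ignored, so a certificate that only names
# ipaserver.my.lan fails for the CNAME even though it chains correctly.
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_test_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for c in good bad; do
        if cert_valid_for_host "$tmp/ca.crt" "$tmp/$c.crt" gitserver.my.lan; then
            echo "$c.crt: valid for gitserver.my.lan"
        else
            echo "$c.crt: NOT valid for gitserver.my.lan"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The same `openssl verify -CAfile /etc/ipa/ca.crt -verify_hostname gitserver.my.lan` check run against the certificate httpd actually serves is a quick way to confirm the vhost is presenting the right certificate before touching git's configuration.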
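Simo's cron-job approach, as an added example that is not part of the thread: the getent-to-AuthGroupFile transformation wrapped in POSIX shell functions and run against a constructed getent(1) line rather than a live sssd, plus a membership check that mirrors what `Require group` does. mod_authz_groupfile splits each line on the colon and then on whitespace, so the `name:member member` form the pipeline produces is accepted without a space after the colon. One caveat worth knowing before wiring this up: with the Kerberos configuration above, REMOTE_USER is the full principal (`john@MY.LAN`) unless mod_auth_kerb's `KrbLocalUserMapping on` is set, while getent yields bare login names, so the `local_user` helper below does the same realm stripping. The group name, users and file paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an Apache AuthGroupFile from
# getent(1) "group" output, as Simo's cron job does, and checks membership
# the way mod_authz_groupfile's "Require group" would.

# authgroup_from_getent: stdin = lines in getent group format
#   name:x:gid:member1,member2,...
# stdout = AuthGroupFile lines
#   name:member1 member2 ...
# A group with no members yields "name:", which Apache reads as empty.
authgroup_from_getent() {
    cut -d: -f1,4 | tr ',' ' '
}

# local_user PRINCIPAL: map a Kerberos principal (john@MY.LAN) to the bare
# login name (john), which is what KrbLocalUserMapping does to REMOTE_USER.
# A name without a realm is returned unchanged.
local_user() {
    printf '%s\n' "${1%@*}"
}

# is_member AUTHGROUP_TEXT GROUP USER: exit 0 if USER (realm stripped) is
# listed under GROUP in the AuthGroupFile text, 1 otherwise.
is_member() {
    _user=$(local_user "$3")
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$_user" '
        $1 == g {
            n = split($2, m, " ")            # members are space separated
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# write_authgroup_file GROUP FILE: the cron-job step itself, written via a
# temp file and rename so httpd never reads a half-written file. Needs a
# real group resolvable through nsswitch, so it is not exercised below.
write_authgroup_file() {
    getent group "$1" | authgroup_from_getent > "$2.tmp" && mv "$2.tmp" "$2"
}

# Constructed getent output standing in for a live sssd lookup.
SAMPLE_GETENT='git-users:x:1001:john,alice,bob'

demo() {
    groups=$(printf '%s\n' "$SAMPLE_GETENT" | authgroup_from_getent)
    printf 'AuthGroupFile contents:\n%s\n' "$groups"
    for u in john@MY.LAN mallory; do
        if is_member "$groups" git-users "$u"; then
            echo "$u: allowed"
        else
            echo "$u: denied"
        fi
    done
}

demo
```

Because the file is regenerated on a schedule, a user removed from the IPA group keeps access until the next cron run; keep the interval short, or regenerate on demand after group changes, and make sure the file is readable by the httpd user but writable only by the cron job's owner.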