Hi, I think this is a bit on the advanced side of things we usually answer on this list, so you could try asking on the git development list (described here <http://git-scm.com/community>).

On Friday, July 6, 2012 2:11:17 PM UTC+2, Ilya wrote:
>
> Hi all,
>
> following environment:
>
> stock debian squeeze + apache2 + gitweb.
> Apache handles user authentication over ldap.
>
>
> the apache git-related config is:
>
>
> ---
> (taken from the http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html)
>
> [...]
> SetEnv GIT_PROJECT_ROOT /mnt/system/git
>
> AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /mnt/system/git/$1
> AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /mnt/system/git/$1
> ScriptAliasMatch \
>     "(?x)^/git/(.*/(HEAD | \
>     info/refs | \
>     objects/info/[^/]+ | \
>     git-(upload|receive)-pack))$" \
>     /usr/lib/git-core/git-http-backend/$1
> ScriptAlias /git/ /usr/lib/cgi-bin/gitweb.cgi/
>
> [...]
> <Location "/git/repo1.git">
>     # read access
>     <Limit GET>
>         require ldap-group repo.writers
>         require ldap-group repo.readers
>     </Limit>
>
>     # write access
>     <Limit GET PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>         require ldap-group repo.writers
>     </Limit>
>
> </Location>
> ----------
>
> The ldap group "repo.writers" has "repo.writer" user in it.
> The ldap group "repo.readers" has "repo.reader" user in it.
>
> Using the "repo.writer" User, I can successfully clone the repo / push into the repo.
> The appropriate apache-log entries are:
>
> ----------------------------------------------------
> 10.13.99.59 - - [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 401 2427 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 200 728 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "POST /git/repo1.git/git-receive-pack HTTP/1.1" 200 754 "-" "git/1.7.2.5"
> ----------------------------------------------------
>
> But if I try to use the "repo.reader" account to CLONE the repo, then it fails:
>
> output@shell:
> ----------------------------------------------------
> ilya@brick:/tmp $ git clone https://repo.reader@git-host/git/repo1.git
> Cloning into repo1...
> Password:
> error: RPC failed; result=22, HTTP code = 401
> fatal: The remote end hung up unexpectedly
> ilya@brick:
> ----------------------------------------------------
>
>
> output@apache-logs
> ----------------------------------------------------
> 10.13.99.59 - - [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 401 2427 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 200 935 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "POST /git/repo1.git/git-upload-pack HTTP/1.1" 401 894 "-" "git/1.7.2.5"
> ----------------------------------------------------
>
> The reason why the cloning fails is pretty clear
>
> 1. the repo.reader is trying to "POST /git/repo1.git/git-upload-pack",
> 2. accordingly the rule "<Limit POST>" for "writers" is matching,
> 3. apache makes a lookup into LDAP and OF COURSE cannot find the "repo.reader"-User in the group "repo.writers"
> 4. as a result the 401 is replied by apache.
>
> When I put the "repo.reader" user into the "repo.writers"-group, then, of course, he can clone the repo.
> But then he also can push into the repo...
>
>
> The question is now - why, damn, the git client is trying to post something on CLONE!??!
>
> And the second question - how do I solve it?
>
>
> I need the authenticated read / authenticated writes separation.
>
>
> Thanks in advance!
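
The access logs in the quoted post show a clone ending in `POST .../git-upload-pack`, so over smart HTTP the method does not separate reads from writes; the requested service (`git-upload-pack` or `git-receive-pack`) does. The following is an added example, not part of the thread: a Python classifier run over the post's own log lines (re-joined onto single lines), with illustrative function names.

```python
import re
from urllib.parse import urlsplit, parse_qs

READ_SERVICE = "git-upload-pack"     # used by clone / fetch
WRITE_SERVICE = "git-receive-pack"   # used by push

# Apache combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(method, target):
    """Return 'read', 'write' or 'other' from the requested service, not the method."""
    parts = urlsplit(target)
    last = parts.path.rsplit("/", 1)[-1]
    if method == "POST" and last in (READ_SERVICE, WRITE_SERVICE):
        service = last                                   # RPC endpoint
    elif parts.path.endswith("/info/refs"):
        service = parse_qs(parts.query).get("service", [""])[0]  # ref advertisement
    else:
        return "other"
    return {READ_SERVICE: "read", WRITE_SERVICE: "write"}.get(service, "other")

def audit(lines):
    """Parse log lines into (user, method, access, status) tuples."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rows.append((m["user"], m["method"],
                         classify(m["method"], m["target"]), int(m["status"])))
    return rows

def denied_reads(lines):
    """Authenticated read requests that were refused (symptom of method-based rules)."""
    return [r for r in audit(lines) if r[0] != "-" and r[2] == "read" and r[3] in (401, 403)]

# Log lines from the post, with the e-mail line wrapping undone.
SAMPLE = [
    '10.13.99.59 - - [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 401 2427 "-" "git/1.7.2.5"',
    '10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 200 728 "-" "git/1.7.2.5"',
    '10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "POST /git/repo1.git/git-receive-pack HTTP/1.1" 200 754 "-" "git/1.7.2.5"',
    '10.13.99.59 - - [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 401 2427 "-" "git/1.7.2.5"',
    '10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 200 935 "-" "git/1.7.2.5"',
    '10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "POST /git/repo1.git/git-upload-pack HTTP/1.1" 401 894 "-" "git/1.7.2.5"',
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("denied reads:", denied_reads(SAMPLE))
```

An access rule keyed on the same two signals (the last path segment for POST, the `service` query parameter for `info/refs`) is what lets readers clone without being able to push.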
