Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-11 Thread Fraser Tweedale
On Wed, Nov 11, 2015 at 10:26:11PM +0100, John Obaterspok wrote:
> Thanks Simo & Fraser,
> 
> Creating a .netrc file on the client computer according to the SO
> postings with below content made things work perfectly!
> machine gitserver.my.lan  username '' password ''
> machine gitserver username '' password ''
> 
> I would like to use TLS and I've made it work by turning off ssl validation
> in git:
> git config --global http.sslVerify false
> 
> If I would like to use ssl validation, is there some way to use a
> certificate for the CNAME? It seems I can only add a certificate (at least
> from the UI) for a valid principal?
> 
> (I'm using freeipa-server 4.2.3 on F23)
> 
> Regards,
> 
> -- john
> 
Hi John, glad to hear of your success.

For a certificate, you can add the (bogus) host and the principal
and then issue a certificate in the normal way.

  $ ipa host-add gitserver.my.lan
  $ ipa service-add HTTP/gitserver.my.lan

I'm not sure if there's a way to add the principal directly, absent
a corresponding host.  If someone knows how please speak up!

Cheers,
Fraser

> 
> 2015-11-08 23:55 GMT+01:00 Simo Sorce :
> 
> > On 08/11/15 08:07, John Obaterspok wrote:
> >
> >> Hello,
> >>
> >> Anyone got git-http-backend working with freeipa group authentication and
> >> would like to share their apache .conf file?
> >>
> >>
> >> I've tried this on the IPA server with a dummy git repository setup in
> >> /opt/gitrepos/test1.git
> >> gitserver.my.lan is a CNAME for ipaserver.my.lan
> >>
> >> First, "git clone http://gitserver.my.lan/test1.git" prompts (even
> >> though I
> >> have a ticket) for user+pwd but still fails.
> >>
> >> Any suggestions are welcome!
> >>
> >> -- john
> >>
> >>
> >> 
> >>
> >>  DocumentRoot /opt/gitrepos
> >>
> >>  # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> >>  # restorecon -R -v /opt/gitrepos
> >>
> >>  SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> >>  SetEnv GIT_HTTP_EXPORT_ALL
> >>  SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> >>  ScriptAlias / /usr/libexec/git-core/git-http-backend/
> >>  ServerName gitserver.my.lan
> >>
> >>  
> >>  Options Indexes
> >>  AllowOverride None
> >>  Require all granted
> >>  
> >>
> >>  
> >>  Options Indexes
> >>  AllowOverride None
> >>  Require all granted
> >>  
> >>
> >>  
> >>  AuthType Kerberos
> >>  AuthName "Kerberos Login"
> >>  KrbAuthRealm MY.LAN
> >>  Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >>  KrbMethodNegotiate on
> >>  KrbMethodK5Passwd off
> >>  KrbSaveCredentials on
> >>  KrbVerifyKDC on
> >>  KrbServiceName HTTP
> >>
> >>  AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> >>  Require ldap-group cn=ipausers,dc=my,dc=lan
> >>
> >
> > This should probably be something like:
> > cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >
> > Although you should probably create a git specific group, especially if
> > you want it to be a posix group that can own files (ipausers is not a posix
> > group and we are actually trying to phase it out)
> >
> > Also you are not doing LDAP authentication, you only want to do
> > authorization, and for that you may want to actually use nsswitch based
> > authorization which can be cached by sssd and not a query out to LDAP for
> > each connection.
> > Unfortunately the basic Apache modules do not support system group
> > authentication directly, so what you may do instead is to have a cron job
> > that does the following:
> > getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file
> >
> > And in apache set the following directives instead of the above two:
> > AuthGroupFile /my/authorization/file
> > Require group git-users
> >
> > HTH,
> > Simo
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >




Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-11 Thread John Obaterspok
Thanks Simo & Fraser,

Creating a .netrc file on the client computer according to the SO
postings with below content made things work perfectly!
machine gitserver.my.lan  username '' password ''
machine gitserver username '' password ''

I would like to use TLS and I've made it work by turning off ssl validation
in git:
git config --global http.sslVerify false

If I would like to use ssl validation, is there some way to use a
certificate for the CNAME? It seems I can only add a certificate (at least
from the UI) for a valid principal?

(I'm using freeipa-server 4.2.3 on F23)

Regards,

-- john


2015-11-08 23:55 GMT+01:00 Simo Sorce :

> On 08/11/15 08:07, John Obaterspok wrote:
>
>> Hello,
>>
>> Anyone got git-http-backend working with freeipa group authentication and
>> would like to share their apache .conf file?
>>
>>
>> I've tried this on the IPA server with a dummy git repository setup in
>> /opt/gitrepos/test1.git
>> gitserver.my.lan is a CNAME for ipaserver.my.lan
>>
>> First, "git clone http://gitserver.my.lan/test1.git" prompts (even
>> though I
>> have a ticket) for user+pwd but still fails.
>>
>> Any suggestions are welcome!
>>
>> -- john
>>
>>
>> 
>>
>>  DocumentRoot /opt/gitrepos
>>
>>  # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
>>  # restorecon -R -v /opt/gitrepos
>>
>>  SetEnv GIT_PROJECT_ROOT /opt/gitrepos
>>  SetEnv GIT_HTTP_EXPORT_ALL
>>  SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>>  ScriptAlias / /usr/libexec/git-core/git-http-backend/
>>  ServerName gitserver.my.lan
>>
>>  
>>  Options Indexes
>>  AllowOverride None
>>  Require all granted
>>  
>>
>>  
>>  Options Indexes
>>  AllowOverride None
>>  Require all granted
>>  
>>
>>  
>>  AuthType Kerberos
>>  AuthName "Kerberos Login"
>>  KrbAuthRealm MY.LAN
>>  Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>  KrbMethodNegotiate on
>>  KrbMethodK5Passwd off
>>  KrbSaveCredentials on
>>  KrbVerifyKDC on
>>  KrbServiceName HTTP
>>
>>  AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
>>  Require ldap-group cn=ipausers,dc=my,dc=lan
>>
>
> This should probably be something like:
> cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>
> Although you should probably create a git specific group, especially if
> you want it to be a posix group that can own files (ipausers is not a posix
> group and we are actually trying to phase it out)
>
> Also you are not doing LDAP authentication, you only want to do
> authorization, and for that you may want to actually use nsswitch based
> authorization which can be cached by sssd and not a query out to LDAP for
> each connection.
> Unfortunately the basic Apache modules do not support system group
> authentication directly, so what you may do instead is to have a cron job
> that does the following:
> getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file
>
> And in apache set the following directives instead of the above two:
> AuthGroupFile /my/authorization/file
> Require group git-users
>
> HTH,
> Simo
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

[Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-08 Thread John Obaterspok
Hello,

Anyone got git-http-backend working with freeipa group authentication and
would like to share their apache .conf file?


I've tried this on the IPA server with a dummy git repository setup in
/opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john




DocumentRoot /opt/gitrepos

# semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
# restorecon -R -v /opt/gitrepos

SetEnv GIT_PROJECT_ROOT /opt/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ServerName gitserver.my.lan


Options Indexes
AllowOverride None
Require all granted



Options Indexes
AllowOverride None
Require all granted



AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm MY.LAN
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName HTTP

AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
Require ldap-group cn=ipausers,dc=my,dc=lan
# Allow any authenticated user that is in the ipausers group to clone



Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-08 Thread Fraser Tweedale
On Sun, Nov 08, 2015 at 02:07:23PM +0100, John Obaterspok wrote:
> Hello,
> 
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
> 
> 
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
> 
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
> 
> Any suggestions are welcome!
> 
> -- john
> 
> 
> 
> 
> DocumentRoot /opt/gitrepos
> 
> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> # restorecon -R -v /opt/gitrepos
> 
> SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> ScriptAlias / /usr/libexec/git-core/git-http-backend/
> ServerName gitserver.my.lan
> 
> 
> Options Indexes
> AllowOverride None
> Require all granted
> 
> 
> 
> Options Indexes
> AllowOverride None
> Require all granted
> 
> 
> 
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbAuthRealm MY.LAN
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbSaveCredentials on
> KrbVerifyKDC on
> KrbServiceName HTTP
> 
> AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> Require ldap-group cn=ipausers,dc=my,dc=lan
> # Allow any authenticated user that is in the ipausers group to clone
> 
> 
Hi John,

Have a look at this Stack Overflow question:
http://stackoverflow.com/questions/32788405/how-to-force-git-2-5-http-transport-prefer-spnego-over-basic-authentication

Make sure you provide a (fake) username to trigger the SPNEGO
authentication code.  If this does not work please run with
`GIT_CURL_VERBOSE=1' in environment to reveal what is going on
behind the scenes.

Cheers,
Fraser




Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-08 Thread Simo Sorce

On 08/11/15 08:07, John Obaterspok wrote:

Hello,

Anyone got git-http-backend working with freeipa group authentication and
would like to share their apache .conf file?


I've tried this on the IPA server with a dummy git repository setup in
/opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john




 DocumentRoot /opt/gitrepos

 # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
 # restorecon -R -v /opt/gitrepos

 SetEnv GIT_PROJECT_ROOT /opt/gitrepos
 SetEnv GIT_HTTP_EXPORT_ALL
 SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
 ScriptAlias / /usr/libexec/git-core/git-http-backend/
 ServerName gitserver.my.lan

 
 Options Indexes
 AllowOverride None
 Require all granted
 

 
 Options Indexes
 AllowOverride None
 Require all granted
 

 
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbAuthRealm MY.LAN
 Krb5KeyTab /etc/httpd/conf/ipa.keytab
 KrbMethodNegotiate on
 KrbMethodK5Passwd off
 KrbSaveCredentials on
 KrbVerifyKDC on
 KrbServiceName HTTP

 AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
 Require ldap-group cn=ipausers,dc=my,dc=lan


This should probably be something like:
cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan


Although you should probably create a git specific group, especially if 
you want it to be a posix group that can own files (ipausers is not a 
posix group and we are actually trying to phase it out)


Also you are not doing LDAP authentication, you only want to do 
authorization, and for that you may want to actually use nsswitch based 
authorization which can be cached by sssd and not a query out to LDAP 
for each connection.
Unfortunately the basic Apache modules do not support system group 
authentication directly, so what you may do instead is to have a cron 
job that does the following:

getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file

And in apache set the following directives instead of the above two:
AuthGroupFile /my/authorization/file
Require group git-users

HTH,
Simo


--
Simo Sorce * Red Hat, Inc * New York

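Simo's cron-job approach above, worked through as an added example (not code from the thread or from FreeIPA): the script builds the AuthGroupFile from nsswitch group membership, refuses to replace the file when a group lookup fails instead of silently emptying it, and swaps the new file in atomically so Apache never reads a half-written one. The group name git-users and the path /my/authorization/file come from the thread; the script name and the lookup_group and authgroup_line helpers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate the Apache AuthGroupFile
# that Simo's cron job produces. Unlike the one-liner, a failed lookup
# keeps the previous file, and the new file is written to a temp name
# and renamed so Apache never sees a partial file. Script name, output
# path and group names are assumptions.
set -eu

# One getent(1) line "name:x:gid:u1,u2" -> AuthGroupFile line "name: u1 u2".
# A group with no members yields "name: ", which matches nobody.
authgroup_line() {
    name=${1%%:*}
    members=${1##*:}
    printf '%s: %s\n' "$name" "$(printf '%s' "$members" | tr ',' ' ')"
}

# Membership comes from nsswitch (sssd cache), not a per-request LDAP query.
lookup_group() {
    getent group "$1"
}

# Write every requested group to the file named by $1. Any unknown group
# aborts the update and leaves the old file in place.
write_authgroup_file() {
    out=$1; shift
    tmp=$(mktemp "${out}.XXXXXX")
    for g in "$@"; do
        if ! line=$(lookup_group "$g"); then
            echo "update-git-groups: group '$g' not found, keeping $out" >&2
            rm -f "$tmp"
            return 1
        fi
        authgroup_line "$line" >>"$tmp"
    done
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"
}

# Run from cron, e.g. (assumed install path):
#   */10 * * * * root /usr/local/sbin/update-git-groups --run
# Apache then only needs:  AuthGroupFile /my/authorization/file
#                          Require group git-users
case "${1:-}" in
    --run) write_authgroup_file /my/authorization/file git-users ;;
esac
```

With mod_auth_kerb, REMOTE_USER is the full principal (user@MY.LAN) unless KrbLocalUserMapping is on, so the user names in this file must match whatever form Apache actually sees.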