Re: [Freeipa-users] Suppressing the domain section after authentication
Rob,

>> The question is, how would I coerce apache or kerberos to pass
>> gitolite only section before the @ character?
>
> With mod_auth_kerb >= 5.4 you can use KrbLocalUserMapping on to strip the realm.
>
> rob

Thanks a lot, that did it. I added

KrbLocalUserMapping On

And it worked perfectly.

Thanks again

William

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Suppressing the domain section after authentication
On Wed, May 29, 2013 at 10:55 PM, William Muriithi <william.murii...@gmail.com> wrote:

> Hello
>
> I have set up gitolite3 and it's working fine when I connect to it
> through ssh. I am using LDAP (FreeIPA) for authorization.
>
> When I connect through http/https, I am authenticated, but I believe
> authorization is not working. I have not been able to figure out how to
> work around it.
>
> git clone http://will...@git1.example.com/git/Design.git
>
> But after Apache authenticates me, it passes will...@example.loc, not
> william, to gitolite. When the name will...@example.loc is passed to
> the group searching script, it returns null and hence the error below
>

I could not find it in the docs, but according to
http://serverfault.com/questions/35363/apache-mod-auth-kerb-and-ldap-user-groups
you can do that with KrbLocalUserMapping On in your apache config.

I have not tested it ;-)

--
groet,
natxo
Re: [Freeipa-users] Suppressing the domain section after authentication
William Muriithi wrote:

> Hello
>
> I have set up gitolite3 and it's working fine when I connect to it
> through ssh. I am using LDAP (FreeIPA) for authorization.
>
> When I connect through http/https, I am authenticated, but I believe
> authorization is not working. I have not been able to figure out how to
> work around it.
>
> git clone http://will...@git1.example.com/git/Design.git
>
> But after Apache authenticates me, it passes will...@example.loc, not
> william, to gitolite. When the name will...@example.loc is passed to
> the group searching script, it returns null and hence the error below
>
> 2013-05-29.14:51:19 12567 access(Design, will...@example.loc, R, 'any'),-> R any Design will...@example.loc DENIED by fallthru
> 2013-05-29.14:51:19 12567 trigger,Writable,access_1, ACCESS_1,Design,will...@example.loc,R,any,R any Design will...@example.loc DENIED by fallthru
> 2013-05-29.14:51:19 12567 die R any Design will...@example.loc DENIED by fallthru<>(or you mis-spelled the reponame)
>
> The question is, how would I coerce apache or kerberos to pass
> gitolite only section before the @ character?

With mod_auth_kerb >= 5.4 you can use KrbLocalUserMapping on to strip the realm.

rob
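
For reference, the fix from this thread placed in a mod_auth_kerb authentication block. This is an added example, not configuration posted by anyone in the thread; the realm name, keytab path and AuthName are placeholders, and only the authentication part of the /git location is shown (the gitolite CGI setup is omitted).

```apache
# Added example. EXAMPLE.LOC and /path/to/http.keytab are placeholders;
# /git matches the URL prefix used in the thread's clone command.
<Location /git>
    AuthType Kerberos
    AuthName "Git access"

    # SPNEGO/Negotiate for clients that hold a ticket.
    KrbMethodNegotiate On
    # Password fallback uses HTTP Basic, so the password crosses the wire
    # base64-encoded; only enable it on an https virtual host.
    KrbMethodK5Passwd On

    KrbAuthRealms EXAMPLE.LOC
    KrbServiceName HTTP
    Krb5KeyTab /path/to/http.keytab

    # Without this directive REMOTE_USER is the full principal
    # (user@REALM), which is what gitolite logged as
    # "DENIED by fallthru" because no rule or group matched that name.
    # With it, mod_auth_kerb (>= 5.4) asks the Kerberos library to
    # translate the principal to a local name, following the
    # auth_to_local rules in krb5.conf, so gitolite receives the
    # short user name.
    KrbLocalUserMapping On

    Require valid-user
</Location>
```

Because the translation goes through the Kerberos library rather than cutting the string at the @ sign, how principals from other trusted realms are handled depends on the auth_to_local rules in krb5.conf; review those rules before adding a second realm so that two different principals cannot end up with the same short name in gitolite.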