Using LDAP as auth method to manage git repositories


Problem description

    Does anyone have experience using LDAP as auth method to manage Git repositories? My boss prefers using LDAP over other tools. Any suggestion will be helpful! More detailed information will be very welcome.

Solution

    You can easily add LDAP authentication to an Apache Httpd server.
    And you can easily add a smart http cgi script 'git-http-backend' (packaged with git)

    That means you can push to an https address, provided you did enter your LDAP credentials first. You are authorized to access the Apache pages, but the authentication isn't used at all.
    See "Difference between mod_authn_ldap and mod_authz_ldap".

    However:

      • that has nothing to do with the way you sign your commits
      • that doesn't take care of the authorization part on Git (if you are authenticated, you can access the git repo), as in "Distributed Version Control Systems and the Enterprise - a Good mix?"

    The only way to actually use the authentication, and combine with a Git authorization access is to use Gitolite.

    See for instance "Making repositories available to both ssh and http mode clients".

    I have set up gitolite with (multiple) LDAP authentication, making the authentication step in the Apache config file, and then calling gitolite with the identified user as a parameter:

    First I declare LDAP aliases:

    <AuthnProviderAlias ldap myldap>
      AuthLDAPBindDN cn=Manager,dc=example,dc=com
      AuthLDAPBindPassword secret
      AuthLDAPURL ldap://localhost:@PORT_LDAP_TEST@/dc=example,dc=com?uid?sub?(objectClass=*)
    </AuthnProviderAlias>
    
    <AuthnProviderAlias ldap companyldap>
      AuthLDAPBindDN "@LDAP_BINDDN@"
      AuthLDAPBindPassword @LDAP_PASSWORD@
      AuthLDAPURL @LDAP_URL@
    </AuthnProviderAlias>
    

    (The '@xx@' are templates to be replaced by test or production values)

    Then I use those aliases in a VirtualHost in which I call gitolite (if the authentication succeeds)

    # GitHttp on @PORT_HTTP_HGIT@ (extract)
    Listen @PORT_HTTP_HGIT@
    <VirtualHost @FQN@:@PORT_HTTP_HGIT@>
        ServerName @FQN@
        ServerAlias @HOSTNAME@
        SetEnv GIT_PROJECT_ROOT @H@/repositories
        SetEnv GIT_HTTP_EXPORT_ALL
        SetEnv GITOLITE_HTTP_HOME @H@
        # <=== will call gitolite (comment kept on its own line: Apache does not accept trailing comments on a directive)
        ScriptAlias /hgit/ @H@/sbin/gitolite-shell/
        SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
        <Location /hgit>
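            # All options carry a '+': mixing prefixed and unprefixed options is invalid syntax
            Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
            #AllowOverride All
            # Apache 2.2 access-control syntax (replaced by 'Require' in 2.4)
            order allow,deny
            Allow from all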
    
            AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
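            # Basic auth sends the LDAP password base64-encoded on every request: serve this host over TLS only
            AuthType Basic
            # Authentication against one ldap, then a second
            AuthBasicProvider myldap companyldap
            # Apache 2.2 directive; it was removed in Apache 2.4
            AuthzLDAPAuthoritative Off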
            Require valid-user
            AddHandler cgi-script cgi
        </Location>
    </VirtualHost>
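
The answer's distinction between authentication (`Require valid-user`) and per-repository authorization from the identified user can be modelled as below. This is an added example, not code from the answer or from gitolite: the ACL, repository names and user ids are constructed, and it assumes Apache passes the LDAP-authenticated uid in `REMOTE_USER` and the part of the URL after `/hgit` in `PATH_INFO`.

```python
from urllib.parse import parse_qs

# Constructed ACL (hypothetical repos and LDAP uids): repo -> {uid: "R" | "RW"}
ACL = {
    "projectA": {"alice": "RW", "bob": "R"},
    "projectB": {"alice": "R"},
}
READ, WRITE = "git-upload-pack", "git-receive-pack"  # fetch/clone vs push


def parse_request(path_info, query_string=""):
    """Return (repo, service) for a smart HTTP request, or None if unrecognised."""
    path = path_info.strip("/")
    for tail in ("info/refs", READ, WRITE):
        if path.endswith("/" + tail):
            repo = path[: -len(tail) - 1]
            break
    else:
        return None
    if tail == "info/refs":
        # Ref discovery names the requested service in the query string
        service = parse_qs(query_string).get("service", [""])[0]
    else:
        service = tail
    if repo.endswith(".git"):
        repo = repo[:-4]
    if service not in (READ, WRITE) or not repo or ".." in repo.split("/"):
        return None
    return repo, service


def authorize(environ):
    """Map the CGI variables set by Apache to a status: 401, 403 or 200."""
    user = environ.get("REMOTE_USER")
    if not user:
        return 401  # nobody authenticated: never fall back to anonymous access
    parsed = parse_request(environ.get("PATH_INFO", ""),
                           environ.get("QUERY_STRING", ""))
    if parsed is None:
        return 403
    repo, service = parsed
    perm = ACL.get(repo, {}).get(user)
    if perm is None or (service == WRITE and perm != "RW"):
        return 403  # valid LDAP user, but no right on this repository
    return 200
```

With `git-http-backend` alone behind `Require valid-user`, every request below that carries a valid LDAP login would be served; the 403 cases exist only because a second step consults the user name.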
    
