Using LDAP as auth method to manage git repositories
Question

Does anyone have experience using LDAP as auth method to manage Git repositories? My boss prefers using LDAP to other tools. Any suggestion will help! More detailed information will be very welcome.
Solution

You can easily add LDAP authentication to an Apache Httpd server.
And you can easily add a smart http cgi script 'git-http-backend' (packaged with git).

That means you can push to an https address, provided you entered your LDAP credentials first. You are authorized to access the Apache pages, but the authentication isn't used at all.

See "Difference between mod_authn_ldap and mod_authz_ldap".

However:
- that has no relation to the way you sign your commits
- that doesn't take care of the authorization side on Git (if you are authenticated, you have access to the git repos), as mentioned in "Distributed Version Control Systems and the Enterprise - a Good mix?".

The only way to actually use the authentication and combine it with Git authorization access is to use Gitolite.
See for instance "Making repositories available to both ssh and http mode clients".
I have set up gitolite with (multiple) LDAP authentication, making the authentication step in the Apache config file, and then calling gitolite with the identified user as a parameter:
First I declare LDAP aliases:
```apache
<AuthnProviderAlias ldap myldap>
    # service account Apache binds with to search for the user's entry
    AuthLDAPBindDN cn=Manager,dc=example,dc=com
    AuthLDAPBindPassword secret
    # ldap://host:port/base-DN?attribute?scope?filter
    AuthLDAPURL ldap://localhost:@PORT_LDAP_TEST@/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>
<AuthnProviderAlias ldap companyldap>
    AuthLDAPBindDN "@LDAP_BINDDN@"
    AuthLDAPBindPassword @LDAP_PASSWORD@
    AuthLDAPURL @LDAP_URL@
</AuthnProviderAlias>
```

(The '@xx@' are templates to be replaced by test or production values.)

Then I use those aliases in a VirtualHost in which I call gitolite (if the authentication succeeds):

```apache
# GitHttp on @PORT_HTTP_HGIT@ (extract)
Listen @PORT_HTTP_HGIT@
<VirtualHost @FQN@:@PORT_HTTP_HGIT@>
    ServerName @FQN@
    ServerAlias @HOSTNAME@
    SetEnv GIT_PROJECT_ROOT @H@/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GITOLITE_HTTP_HOME @H@
    # <=== will call gitolite (Apache does not accept trailing comments on a directive line)
    ScriptAlias /hgit/ @H@/sbin/gitolite-shell/
    SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
    <Location /hgit>
        # all Options must carry +/- or none of them may; mixing is rejected at startup
        Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        #AllowOverride All
        # order/Allow and AuthzLDAPAuthoritative are Apache 2.2 directives; on 2.4
        # drop those three lines, "Require valid-user" alone controls access
        order allow,deny
        Allow from all
        AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
        AuthType Basic
        # Authentication against one ldap, then a second
        AuthBasicProvider myldap companyldap
        AuthzLDAPAuthoritative Off
        Require valid-user
        AddHandler cgi-script cgi
    </Location>
</VirtualHost>
```
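As an added illustration (not code from the answer above, nor Apache's own), here is what mod_authnz_ldap does with the two AuthLDAPURL values from the answer once a Basic-auth request arrives: it splits the URL into host, base DN, attribute, scope and filter, escapes the username, and runs the search `(&(filter)(attribute=username))` against each AuthBasicProvider in turn. The host names and ports below are constructed stand-ins for the `@...@` templates.

```python
# Added example: how an AuthLDAPURL and a Basic-auth header become an LDAP
# search.  Provider URLs are constructed stand-ins for the answer's templates.
import base64
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (ldap://host:port/basedn?attribute?scope?filter)
    into its parts, applying the directive's documented defaults:
    attribute 'uid', scope 'sub', filter '(objectClass=*)'."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in AuthLDAPURL: {url!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "basedn": parts.path.lstrip("/"),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP filter: the same
    characters mod_authnz_ldap escapes before substituting the username."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def search_filter(spec, username):
    """Final search filter in the (&(filter)(attribute=username)) shape."""
    return "(&%s(%s=%s))" % (spec["filter"], spec["attribute"],
                             escape_filter_value(username))


def username_from_basic(header_value):
    """Extract the username from an 'Authorization: Basic <base64(user:pw)>' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, _password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user


def planned_searches(provider_urls, username):
    """Searches attempted in AuthBasicProvider order (myldap, then companyldap);
    Apache stops at the first provider where the user is found and binds."""
    return [(spec["host"], spec["port"], spec["basedn"], spec["scope"],
             search_filter(spec, username))
            for spec in map(parse_auth_ldap_url, provider_urls)]


# Constructed stand-ins for the two aliases in the answer.
PROVIDERS = [
    "ldap://localhost:3389/dc=example,dc=com?uid?sub?(objectClass=*)",
    "ldaps://ldap.company.example/ou=people,dc=company,dc=example"
    "?sAMAccountName?one?(objectClass=person)",
]

if __name__ == "__main__":
    header = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    for search in planned_searches(PROVIDERS, username_from_basic(header)):
        print(search)
    # A hostile username cannot widen the search: every metacharacter is escaped.
    print(search_filter(parse_auth_ldap_url(PROVIDERS[0]), "*)(uid=*"))
```

The escaping is the point worth checking in any LDAP-backed login: the name typed into the Basic-auth prompt ends up inside a search filter, and only because `*`, `(`, `)` and `\` are escaped does `*)(uid=*` stay a literal value instead of matching every entry under the base DN.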
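The authorization step the answer hands over to gitolite, as an added and simplified model (not gitolite's own code): Apache exports the authenticated LDAP uid as `REMOTE_USER`, and the CGI behind the `/hgit/` ScriptAlias decides per repository from gitolite.conf. The gitolite.conf below is constructed for the example; the model covers `@groups`, `R`/`RW`/`RW+` and `-` rules walked in file order, and leaves out ref-level rules, wildcard repos and the deny-rules option.

```python
# Added example (not gitolite's code): a simplified model of the access check
# gitolite performs on the REMOTE_USER that Apache's LDAP authentication set.
import re
from urllib.parse import parse_qs

# Constructed sample gitolite.conf; the user names are LDAP uids.
SAMPLE_CONF = """
@admins = carol
@devs   = alice bob

repo gitolite-admin
    RW+ = @admins

repo project1
    RW+ = @admins
    RW  = @devs
    R   = @all

repo project2
    RW  = alice
    -   = bob
    R   = @all
"""

PERM_COVERS = {"R": {"R"}, "RW": {"R", "W"}, "RW+": {"R", "W", "+"}}
SERVICE_OP = {"git-upload-pack": "R", "git-receive-pack": "W"}


def parse_conf(text):
    """Return (groups, repos): group name -> set of users, repo -> rules in file order."""
    groups, repos, current = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@") and "=" in line:
            name, members = (s.strip() for s in line.split("=", 1))
            groups.setdefault(name, set()).update(members.split())
        elif line.startswith("repo "):
            current = line.split()[1:]          # "repo a b" opens rules for both
            for r in current:
                repos.setdefault(r, [])
        elif "=" in line and current:
            perm, members = (s.strip() for s in line.split("=", 1))
            if perm != "-" and perm not in PERM_COVERS:
                raise ValueError(f"permission not modelled here: {perm}")
            for r in current:
                repos[r].append((perm, members.split()))
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return groups, repos


def member_matches(member, user, groups):
    return member == "@all" or member == user or user in groups.get(member, ())


def access(conf, user, repo, op):
    """Is `op` ('R', 'W', or '+' for a rewind) allowed for `user` on `repo`?
    Rules are tried in file order: a matching '-' rule denies a write; the first
    matching rule whose permission covers the op grants it; no match, or a repo
    absent from the conf, means denied."""
    groups, repos = conf
    for perm, members in repos.get(repo, []):
        if not any(member_matches(m, user, groups) for m in members):
            continue
        if perm == "-":
            if op != "R":           # deny rules do not apply to reads by default
                return False
            continue
        if op in PERM_COVERS[perm]:
            return True
    return False


PATH_RE = re.compile(
    r"^/(?P<repo>[^/]+?)(?:\.git)?/(?P<tail>info/refs|git-upload-pack|git-receive-pack)$")


def http_access(conf, environ):
    """Decide a smart-HTTP request; PATH_INFO is what follows the /hgit/ ScriptAlias.
    REMOTE_USER can be trusted only because the <Location> enforces 'Require
    valid-user' before the CGI runs; if it is missing, deny."""
    user = environ.get("REMOTE_USER")
    m = PATH_RE.match(environ.get("PATH_INFO", ""))
    if not user or not m:
        return False
    service = m.group("tail")
    if service == "info/refs":      # the ref advertisement names the service in the query
        service = parse_qs(environ.get("QUERY_STRING", "")).get("service", ["git-upload-pack"])[0]
    op = SERVICE_OP.get(service)
    # Whether a push rewinds history ('+') is only known per ref, which gitolite
    # checks in its update hook; at the HTTP layer a push is a plain 'W'.
    return op is not None and access(conf, user, m.group("repo"), op)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    push = {"REMOTE_USER": "alice", "PATH_INFO": "/project1.git/info/refs",
            "QUERY_STRING": "service=git-receive-pack"}
    print("alice push project1:", http_access(conf, push))
    print("anonymous push project1:", http_access(conf, {k: v for k, v in push.items() if k != "REMOTE_USER"}))
```

This is the separation the answer is driving at: the LDAP server only establishes who is asking, the gitolite rules decide what that identity may do, and a misconfigured `<Location>` that lets a request through without `Require valid-user` gives gitolite no identity to authorize, so the request must fail closed rather than fall back to anonymous access.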
This concludes the article on using LDAP as auth method to manage git repositories; we hope the recommended answer helps, and thank you for supporting IT屋!