问题
Does anyone have experience using LDAP as auth method to manage Git Repositories, my boss prefers using LDAP than other tools. Any suggestion will be help! More detailed information will be very welcome.
回答1:
You can easily add LDAP authentication to an Apache Httpd server.
And you can easily add a smart http cgi script 'git-http-backend' (packaged with git)
That means you can push to an https address, provided you did enter your LDAP credentials first. You are authorized to access the Apache pages, but the authentication isn't used at all.
See "Difference between mod_authn_ldap and mod_authz_ldap".
However:
- that has no relation with the way you sign your commit
- that doesn't take care of the authorization side on Git (if you are authenticated, you have access to the git repos), as mentioned in Distributed Version Control Systems and the Enterprise - a Good mix?.
The only way to actually use the authentication, and combine with a Git authorization access is to use Gitolite.
See for instance "Making repositories available to both ssh and http mode clients".
I have setup gitolite with (multiple) LDAP authentication, making the authentication step in the Apache config file, and then calling gitolite with the identified user as a parameter:
First I declare LDAP aliases:
<AuthnProviderAlias ldap myldap>
AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword secret
AuthLDAPURL ldap://localhost:@PORT_LDAP_TEST@/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>
<AuthnProviderAlias ldap companyldap>
AuthLDAPBindDN "@LDAP_BINDDN@"
AuthLDAPBindPassword @LDAP_PASSWORD@
AuthLDAPURL @LDAP_URL@
</AuthnProviderAlias>
(The '@xx@' are templates to be replace by test or production values)
Then I use those aliases in a VirtualHost in which I call gitolite (if the authentication succeeds)
# GitHttp on @PORT_HTTP_HGIT@ (extract)
Listen @PORT_HTTP_HGIT@
<VirtualHost @FQN@:@PORT_HTTP_HGIT@>
ServerName @FQN@
ServerAlias @HOSTNAME@
SetEnv GIT_PROJECT_ROOT @H@/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GITOLITE_HTTP_HOME @H@
ScriptAlias /hgit/ @H@/sbin/gitolite-shell/ # <=== will call gitolite
SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
<Location /hgit>
Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
#AllowOverride All
order allow,deny
Allow from all
AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
AuthType Basic
# Authentication against one ldap, then a second
AuthBasicProvider myldap companyldap
AuthzLDAPAuthoritative Off
Require valid-user
AddHandler cgi-script cgi
</Location>
</VirtualHost>
回答2:
Since you mention OpenLDAP, I'm assuming you want to make this work on a Unix/Linux environment.
Git itself doesn't do authentication afaik. You need to setup ldap to manage the service used to access the git repository. For example if you use SSH then configure your SSH daemon to authenticate against ldap.
How to configure that exactly depends on the exact setup you're using. If you need help with that I recommend posting a detailed question over on serverfault.com.
You may also find this related question interesting.
来源:https://stackoverflow.com/questions/7709474/using-ldap-as-auth-method-to-manage-git-repositories