[Freeipa-users] Suppressing the domain section after authentication

Rob Crittenden rcritten at redhat.com
Wed May 29 21:12:09 UTC 2013


William Muriithi wrote:
> Hello
>
> I have set up gitolite3 and it's working fine when I connect to it
> through ssh. I am using LDAP (FreeIPA) for authorization.
>
> When I connect through http/https, I am authenticated, but I believe
> authorization is not working.  I have not been able to figure out how to
> work around it.
>
> git clone http://william@git1.example.com/git/Design.git
>
> But after Apache authenticates me, it passes william at EXAMPLE.LOC not
> william to gitolite. When the name william at EXAMPLE.LOC is passed to
> the group searching script, it returns null and hence the error below
>
>
> 2013-05-29.14:51:19     12567           access(Design,
> william at EXAMPLE.LOC, R, 'any'),-> R any Design william at EXAMPLE.LOC
> DENIED by fallthru
> 2013-05-29.14:51:19     12567           trigger,Writable,access_1,
> ACCESS_1,Design,william at EXAMPLE.LOC,R,any,R any Design
> william at EXAMPLE.LOC DENIED by fallthru
> 2013-05-29.14:51:19     12567   die     R any Design
> william at EXAMPLE.LOC DENIED by fallthru<<newline>>(or you mis-spelled
> the reponame)
>
>
> The question is, how would I coerce apache or kerberos to pass
> gitolite only the section before the @ character?
>

With mod_auth_kerb >= 5.4 you can use KrbLocalUserMapping on to strip 
the realm.

rob
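
Added example, not part of the original message and not a configuration from the FreeIPA or gitolite projects: an Apache block showing where the directive named in the reply sits in a mod_auth_kerb setup. The /git/ path and the EXAMPLE.LOC realm come from the question; the keytab path, AuthName text and the choice of enabled methods are assumptions.

```apache
# Assumed layout: gitolite served under /git/ (as in the clone URL above).
<Location /git/>
    AuthType Kerberos
    AuthName "Git access"

    # Accept principals from this realm only (realm taken from the log lines above).
    KrbAuthRealms EXAMPLE.LOC
    KrbServiceName HTTP
    # Placeholder path: keytab holding the HTTP/<host> service principal.
    Krb5KeyTab /etc/httpd/conf/http.keytab

    # Assumption: allow both ticket-based and password-based authentication.
    KrbMethodNegotiate On
    KrbMethodK5Passwd On

    # mod_auth_kerb >= 5.4: REMOTE_USER is set to "william"
    # instead of "william@EXAMPLE.LOC", so gitolite's group lookup
    # receives the bare user name.
    KrbLocalUserMapping On

    Require valid-user
</Location>
```

The mapping is performed through the Kerberos library's principal-to-local-name rules, so principals from a realm other than the default one need a matching auth_to_local rule in krb5.conf. Keeping KrbAuthRealms limited to the realms you actually trust prevents two principals with the same name in different realms from being mapped to one gitolite user.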



