[Freeipa-users] SSO Git http smart server and freeipa group authentication
John Obaterspok
john.obaterspok at gmail.com
Sun Nov 8 13:07:23 UTC 2015
Hello,
Anyone got git-http-backend working with freeipa group authentication and
would like to share their apache .conf file?
I've tried this on the IPA server with a dummy git repository setup in
/opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan
First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
have a ticket) for user+pwd but still fails.
Any suggestions are welcome!
-- john
<VirtualHost gitserver.my.lan:80>
DocumentRoot /opt/gitrepos
# semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
# restorecon -R -v /opt/gitrepos
SetEnv GIT_PROJECT_ROOT /opt/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ServerName gitserver.my.lan
<Directory "/usr/libexec/git-core">
Options Indexes
AllowOverride None
Require all granted
</Directory>
<Directory "/opt/gitrepos">
Options Indexes
AllowOverride None
Require all granted
</Directory>
<LocationMatch "/">
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm MY.LAN
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName HTTP
AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
Require ldap-group cn=ipausers,dc=my,dc=lan
# Allow any authenticated users that are in the ipausers group to clone
</LocationMatch>
</VirtualHost>