[Freeipa-users] SSO Git http smart server and freeipa group authentication

Simo Sorce simo at redhat.com
Sun Nov 8 22:55:19 UTC 2015


On 08/11/15 08:07, John Obaterspok wrote:
> Hello,
>
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
>
>
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
>
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
>
> Any suggestions are welcome!
>
> -- john
>
>
> <VirtualHost gitserver.my.lan:80>
>
>          DocumentRoot /opt/gitrepos
>
>          # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
>          # restorecon -R -v /opt/gitrepos
>
>          SetEnv GIT_PROJECT_ROOT /opt/gitrepos
>          SetEnv GIT_HTTP_EXPORT_ALL
>          SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>          ScriptAlias / /usr/libexec/git-core/git-http-backend/
>          ServerName gitserver.my.lan
>
>          <Directory "/usr/libexec/git-core">
>                  Options Indexes
>                  AllowOverride None
>                  Require all granted
>          </Directory>
>
>          <Directory "/opt/gitrepos">
>                  Options Indexes
>                  AllowOverride None
>                  Require all granted
>          </Directory>
>
>          <LocationMatch "/">
>                  AuthType Kerberos
>                  AuthName "Kerberos Login"
>                  KrbAuthRealm MY.LAN
>                  Krb5KeyTab /etc/httpd/conf/ipa.keytab
>                  KrbMethodNegotiate on
>                  KrbMethodK5Passwd off
>                  KrbSaveCredentials on
>                  KrbVerifyKDC on
>                  KrbServiceName HTTP
>
>                  AuthLDAPUrl
> ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
>                  Require ldap-group cn=ipausers,dc=my,dc=lan

This should probably be something like: 
cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan

Although you should probably create a git specific group, especially if 
you want it to be a posix group that can own files (ipausers is not a 
posix group and we are actually trying to phase it out)

Also you are not doing LDAP authentication, you only want to do 
authorization, and for that you may want to actually use nsswitch based 
authorization which can be cached by sssd and not a query out to LDAP 
for each connection.
Unfortunately the basic Apache modules do not support system group 
authentication directly, so what you may do instead is to have a cron 
job that does the following:
getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file

And in apache have set the following directives instead of the above two:
AuthGroupFile /my/authorization/file
Require group git-users

HTH,
Simo


-- 
Simo Sorce * Red Hat, Inc * New York
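A worked version of the cron-job approach from the reply above, added here as an example and not code from the thread or from FreeIPA itself. It turns `getent group` output into the `group: user user` form that mod_authz_groupfile reads, writes the file atomically so httpd never reads a half-written copy, and can append a realm to every member: mod_auth_kerb sets REMOTE_USER to `user@REALM` unless `KrbLocalUserMapping on` is set, and `Require group` only matches if the file uses the same form. The output path `/etc/httpd/git-groups`, the function names and the sample input line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): build an Apache AuthGroupFile
# from "getent group" so that "Require group" is answered from the sssd cache
# instead of a live LDAP query on every request.
#
# Assumptions (not from the post): the path /etc/httpd/git-groups and the
# function names are hypothetical. The realm argument exists because
# mod_auth_kerb sets REMOTE_USER to "user@REALM" unless KrbLocalUserMapping
# is on, and the group file has to match whichever form httpd sees.

# Convert one getent(1) line "name:x:gid:u1,u2" into the AuthGroupFile form
# "name: u1 u2". An optional realm is appended to every member. A group with
# no members yields "name:" so the group is present but admits nobody
# (fails closed) instead of being missing from the file.
getent_to_authgroup() {
    printf '%s\n' "$1" | awk -F: -v realm="${2:-}" '{
        n = split($4, m, ",")
        out = $1 ":"
        for (i = 1; i <= n; i++) {
            if (m[i] == "") continue
            out = out " " m[i] (realm != "" ? ("@" realm) : "")
        }
        print out
    }'
}

# Build the whole file atomically: write next to the target, then rename, so
# httpd never sees a truncated file while the cron job is running.
# Usage: build_authgroup_file /etc/httpd/git-groups MY.LAN git-users git-admins
#        (pass "" as the realm when KrbLocalUserMapping is on)
build_authgroup_file() {
    target=$1; realm=$2; shift 2
    tmp="$target.tmp.$$"
    : > "$tmp" || return 1
    for g in "$@"; do
        # getent lists only supplementary members; users whose primary GID
        # is this group are not included and must be handled separately.
        line=$(getent group "$g") || {
            echo "build_authgroup_file: group $g not found" >&2
            rm -f "$tmp"; return 1
        }
        getent_to_authgroup "$line" "$realm" >> "$tmp"
    done
    chmod 0640 "$tmp" && mv -f "$tmp" "$target"
}

# Constructed sample line standing in for real "getent group git-users" output.
SAMPLE='git-users:x:1234:alice,bob'
getent_to_authgroup "$SAMPLE"          # git-users: alice bob
getent_to_authgroup "$SAMPLE" MY.LAN   # git-users: alice@MY.LAN bob@MY.LAN
```

With the file in place, the two LDAP directives in the config become `AuthGroupFile /etc/httpd/git-groups` and `Require group git-users` (mod_authz_groupfile must be loaded), and a cron entry such as `*/5 * * * * root /usr/local/sbin/build-git-groups` (hypothetical path) keeps the file current; membership changes in IPA take effect at the next run rather than immediately.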