[Freeipa-users] SSO Git http smart server and freeipa group authentication
Fraser Tweedale
ftweedal at redhat.com
Sun Nov 8 22:59:54 UTC 2015
On Sun, Nov 08, 2015 at 02:07:23PM +0100, John Obaterspok wrote:
> Hello,
>
> Anyone got git-http-backend working with freeipa group authentication and
> would like to share their apache .conf file?
>
>
> I've tried this on the IPA server with a dummy git repository setup in
> /opt/gitrepos/test1.git
> gitserver.my.lan is a CNAME for ipaserver.my.lan
>
> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
> have a ticket) for user+pwd but still fails.
>
> Any suggestions are welcome!
>
> -- john
>
>
> <VirtualHost gitserver.my.lan:80>
>
> DocumentRoot /opt/gitrepos
>
> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> # restorecon -R -v /opt/gitrepos
>
> SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> ScriptAlias / /usr/libexec/git-core/git-http-backend/
> ServerName gitserver.my.lan
>
> <Directory "/usr/libexec/git-core">
> Options Indexes
> AllowOverride None
> Require all granted
> </Directory>
>
> <Directory "/opt/gitrepos">
> Options Indexes
> AllowOverride None
> Require all granted
> </Directory>
>
> <LocationMatch "/">
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbAuthRealm MY.LAN
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbSaveCredentials on
> KrbVerifyKDC on
> KrbServiceName HTTP
>
> AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> Require ldap-group cn=ipausers,dc=my,dc=lan
> # Allow any authenticated users that are in the ipausers group to clone
> </LocationMatch>
> </VirtualHost>
> ~
> ~
> ~
Hi John,

Have a look at this Stack Overflow question:
http://stackoverflow.com/questions/32788405/how-to-force-git-2-5-http-transport-prefer-spnego-over-basic-authentication

Make sure you provide a (fake) username to trigger the SPNEGO
authentication code. If this does not work please run with
`GIT_CURL_VERBOSE=1' in environment to reveal what is going on
behind the scenes.

Cheers,
Fraser
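
The check suggested in the reply above, as an added example that is not part of the original thread: a shell function that reads a `GIT_CURL_VERBOSE=1` log and reports whether the server offered Negotiate and whether git answered with a SPNEGO token. The function names, the throwaway user name `x` in the URL, and the sample logs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify the HTTP auth exchange recorded in a GIT_CURL_VERBOSE=1 log.
# Capture a real log with (the user name "x" is a throwaway placeholder):
#   GIT_CURL_VERBOSE=1 git ls-remote http://x@gitserver.my.lan/test1.git 2>curl.log
#   classify_git_auth < curl.log

has() {  # has <extended-regex> <text>: case-insensitive match anywhere in text
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

classify_git_auth() {
    local log final
    log=$(tr -d '\r')                 # header lines in the log may end in CRLF
    # Status code of the last response. Request lines end in "HTTP/1.1" with
    # no status code after the version, so they do not match.
    final=$(printf '%s\n' "$log" | grep -Eo 'HTTP/[0-9.]+ [0-9]{3}' \
            | tail -n 1 | cut -d' ' -f2)

    if has '(^|[ >])Authorization: +Negotiate' "$log"; then
        # git sent a SPNEGO token; the last status shows whether it was accepted.
        case "$final" in
            2*) echo spnego-accepted ;;
            *)  echo spnego-rejected ;;
        esac
    elif has 'WWW-Authenticate: +Negotiate' "$log"; then
        # Server offered Negotiate, but git never answered with a token.
        echo spnego-not-attempted
    elif has 'WWW-Authenticate: +Basic' "$log"; then
        echo negotiate-not-offered
    else
        echo no-auth-challenge
    fi
}

# Constructed sample logs (not captured from a real server).
SAMPLE_PROMPTED='> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate'

SAMPLE_OK='> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
> GET /test1.git/info/refs?service=git-upload-pack HTTP/1.1
> Authorization: Negotiate <redacted>
< HTTP/1.1 200 OK'

SAMPLE_REJECTED='> Authorization: Negotiate <redacted>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate'
```

A `spnego-not-attempted` verdict matches the symptom in the question (a prompt despite a valid ticket); `spnego-rejected` points at the server side instead, such as the keytab or the service principal for the host name used in the URL.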