[Freeipa-users] SSO Git http smart server and freeipa group authentication
Fraser Tweedale
ftweedal at redhat.com
Thu Nov 12 01:19:00 UTC 2015
On Wed, Nov 11, 2015 at 10:26:11PM +0100, John Obaterspok wrote:
> Thanks Simo & Fraser,
>
> Creating a .netrc file on the client computer according to the SO
> postings, with the below content, made things work perfectly!
> machine gitserver.my.lan username '' password ''
> machine gitserver username '' password ''
>
> I would like to use TLS and I've made it work by turning off ssl validation
> in git:
> git config --global http.sslVerify false
>
> If I would like to use ssl validation, is there some way to use a
> certificate for the CNAME? Seems I can only add certificate (at least from
> the UI) for a valid principal?
>
> (I'm using freeipa-server 4.2.3 on F23)
>
> Regards,
>
> -- john
>
Hi John, glad to hear of your success.
For a certificate, you can add the (bogus) host and the principal
and then issue a certificate in the normal way.
$ ipa host-add gitserver.my.lan
$ ipa service-add HTTP/gitserver.my.lan
I'm not sure if there's a way to add the principal directly, absent
a corresponding host. If someone knows how please speak up!
Cheers,
Fraser
>
> 2015-11-08 23:55 GMT+01:00 Simo Sorce <simo at redhat.com>:
>
> > On 08/11/15 08:07, John Obaterspok wrote:
> >
> >> Hello,
> >>
> >> Anyone got git-http-backend working with freeipa group authentication and
> >> would like to share their apache .conf file?
> >>
> >>
> >> I've tried this on the IPA server with a dummy git repository setup in
> >> /opt/gitrepos/test1.git
> >> gitserver.my.lan is a CNAME for ipaserver.my.lan
> >>
> >> First, "git clone http://gitserver.my.lan/test1.git" prompts (even
> >> though I
> >> have a ticket) for user+pwd but still fails.
> >>
> >> Any suggestions are welcome!
> >>
> >> -- john
> >>
> >>
> >> <VirtualHost gitserver.my.lan:80>
> >>
> >> DocumentRoot /opt/gitrepos
> >>
> >> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> >> # restorecon -R -v /opt/gitrepos
> >>
> >> SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> >> SetEnv GIT_HTTP_EXPORT_ALL
> >> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> >> ScriptAlias / /usr/libexec/git-core/git-http-backend/
> >> ServerName gitserver.my.lan
> >>
> >> <Directory "/usr/libexec/git-core">
> >> Options Indexes
> >> AllowOverride None
> >> Require all granted
> >> </Directory>
> >>
> >> <Directory "/opt/gitrepos">
> >> Options Indexes
> >> AllowOverride None
> >> Require all granted
> >> </Directory>
> >>
> >> <LocationMatch "/">
> >> AuthType Kerberos
> >> AuthName "Kerberos Login"
> >> KrbAuthRealm MY.LAN
> >> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >> KrbMethodNegotiate on
> >> KrbMethodK5Passwd off
> >> KrbSaveCredentials on
> >> KrbVerifyKDC on
> >> KrbServiceName HTTP
> >>
> >> AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> >> Require ldap-group cn=ipausers,dc=my,dc=lan
> >>
> >
> > This should probably be something like:
> > cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >
> > Although you should probably create a git specific group, especially if
> > you want it to be a posix group that can own files (ipausers is not a posix
> > group and we are actually trying to phase it out)
> >
> > Also you are not doing LDAP authentication, you only want to do
> > authorization, and for that you may want to actually use nsswitch based
> > authorization which can be cached by sssd and not a query out to LDAP for
> > each connection.
> > Unfortunately the basic Apache modules do not support system group
> > authentication directly, so what you may do instead is to have a cron job
> > that does the following:
> > getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file
> >
> > And in Apache set the following directives instead of the above two:
> > AuthGroupFile /my/authorization/file
> > Require group git-users
> >
> > HTH,
> > Simo
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
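One way to carry out Simo's cron-job suggestion, as an added example rather than code from the thread: it turns the getent entry into an AuthGroupFile line, replaces the file atomically, and keeps the previous file when the group lookup fails (an sssd outage would otherwise empty the file and lock everyone out). The GROUP, OUT and REALM_SUFFIX names and the "install" argument are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Build an Apache AuthGroupFile from an nsswitch group entry, following
# Simo's sketch: getent group git-users | cut -d: -f1,4 | tr ',' ' '
# GROUP, OUT and REALM_SUFFIX are hypothetical names, not from the thread.
set -eu

GROUP="${GROUP:-git-users}"
OUT="${OUT:-/my/authorization/file}"
# If Apache sees the full principal (user@MY.LAN) as REMOTE_USER rather than
# the short login name, group members need the same suffix to match.
REALM_SUFFIX="${REALM_SUFFIX:-}"

# group_file_line 'name:pw:gid:m1,m2' -> 'name: m1 m2'
# Pure function: one getent line in, one AuthGroupFile line out.
group_file_line() {
    line=$1
    name=${line%%:*}
    members=${line##*:}
    out="$name:"
    oldifs=$IFS; IFS=','
    for m in $members; do
        [ -n "$m" ] && out="$out $m$REALM_SUFFIX"
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# Resolve the group through nsswitch (so sssd's cache answers, as Simo
# describes), write to a temp file and rename it into place so Apache never
# reads a half-written file. On lookup failure, leave the old file alone.
install_group_file() {
    entry=$(getent group "$GROUP") || {
        echo "lookup of group $GROUP failed; keeping existing $OUT" >&2
        return 1
    }
    tmp=$(mktemp "$OUT.XXXXXX")
    group_file_line "$entry" > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$OUT"
}

# Run from cron as: sh build-git-groupfile.sh install
case "${1:-}" in
    install) install_group_file ;;
esac
```

Pair the generated file with Simo's directives (AuthGroupFile /my/authorization/file and Require group git-users) and schedule the script at the refresh interval you can tolerate for membership changes.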