[Freeipa-users] SSO Git http smart server and freeipa group authentication

Fraser Tweedale ftweedal at redhat.com
Thu Nov 12 01:19:00 UTC 2015


On Wed, Nov 11, 2015 at 10:26:11PM +0100, John Obaterspok wrote:
> Thanks Simo & Fraser,
> 
> Creating a .netrc file on the client computer according to the SO
> postings, with the below content, made things work perfectly!
> machine gitserver.my.lan  username '' password ''
> machine gitserver         username '' password ''
> 
> I would like to use TLS and I've made it work by turning off ssl validation
> in git:
> git config --global http.sslVerify false
> 
> If I would like to use ssl validation, is there some way to use a
> certificate for the CNAME? Seems I can only add certificate (at least from
> the UI) for a valid principal?
> 
> (I'm using freeipa-server 4.2.3 on F23)
> 
> Regards,
> 
> -- john
> 
Hi John, glad to hear of your success.

For a certificate, you can add the (bogus) host and the principal
and then issue a certificate in the normal way.

  $ ipa host-add gitserver.my.lan
  $ ipa service-add HTTP/gitserver.my.lan

I'm not sure if there's a way to add the principal directly, absent
a corresponding host.  If someone knows how please speak up!

Cheers,
Fraser

> 
> 2015-11-08 23:55 GMT+01:00 Simo Sorce <simo at redhat.com>:
> 
> > On 08/11/15 08:07, John Obaterspok wrote:
> >
> >> Hello,
> >>
> >> Anyone got git-http-backend working with freeipa group authentication and
> >> would like to share their apache .conf file?
> >>
> >>
> >> I've tried this on the IPA server with a dummy git repository setup in
> >> /opt/gitrepos/test1.git
> >> gitserver.my.lan is a CNAME for ipaserver.my.lan
> >>
> >> First, "git clone http://gitserver.my.lan/test1.git" prompts (even
> >> though I
> >> have a ticket) for user+pwd but still fails.
> >>
> >> Any suggestions are welcome!
> >>
> >> -- john
> >>
> >>
> >> <VirtualHost gitserver.my.lan:80>
> >>
> >>          DocumentRoot /opt/gitrepos
> >>
> >>          # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
> >>          # restorecon -R -v /opt/gitrepos
> >>
> >>          SetEnv GIT_PROJECT_ROOT /opt/gitrepos
> >>          SetEnv GIT_HTTP_EXPORT_ALL
> >>          SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> >>          ScriptAlias / /usr/libexec/git-core/git-http-backend/
> >>          ServerName gitserver.my.lan
> >>
> >>          <Directory "/usr/libexec/git-core">
> >>                  Options Indexes
> >>                  AllowOverride None
> >>                  Require all granted
> >>          </Directory>
> >>
> >>          <Directory "/opt/gitrepos">
> >>                  Options Indexes
> >>                  AllowOverride None
> >>                  Require all granted
> >>          </Directory>
> >>
> >>          <LocationMatch "/">
> >>                  AuthType Kerberos
> >>                  AuthName "Kerberos Login"
> >>                  KrbAuthRealm MY.LAN
> >>                  Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >>                  KrbMethodNegotiate on
> >>                  KrbMethodK5Passwd off
> >>                  KrbSaveCredentials on
> >>                  KrbVerifyKDC on
> >>                  KrbServiceName HTTP
> >>
> >>                  AuthLDAPUrl
> >> ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
> >>                  Require ldap-group cn=ipausers,dc=my,dc=lan
> >>
> >
> > This should probably be something like:
> > cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >
> > Although you should probably create a git specific group, especially if
> > you want it to be a posix group that can own files (ipausers is not a posix
> > group and we are actually trying to phase it out)
> >
> > Also you are not doing LDAP authentication, you only want to do
> > authorization, and for that you may want to actually use nsswitch based
> > authorization which can be cached by sssd and not a query out to LDAP for
> > each connection.
> > Unfortunately the basic Apache modules do not support system group
> > authentication directly, so what you may do instead is to have a cron job
> > that does the following:
> > getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file
> >
> > And in apache set the following directives instead of the above two:
> > AuthGroupFile /my/authorization/file
> > Require group git-users
> >
> > HTH,
> > Simo
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >


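Simo's cron-job approach above (render a system group, as resolved by nsswitch/sssd, into an Apache AuthGroupFile so that `Require group` works without an LDAP round trip per request) as a worked script. This is an added example, not code from the thread, from FreeIPA or from Apache; it accepts any number of groups, emits the documented `name: user1 user2` file format, copes with a group that has no members, and replaces the file atomically so httpd never reads a half-written file. The group names `git-users`/`git-admins`, the `apache` system group and the sample getent lines are constructed assumptions; `/my/authorization/file` is the path used in the thread.

```shell
#!/bin/sh
# Added example: build an Apache AuthGroupFile from system groups.
# Typical cron entry (assumed):  */5 * * * * /usr/local/bin/refresh-authgroupfile
set -eu

# Convert /etc/group-format lines on stdin ("name:x:gid:user1,user2") into
# AuthGroupFile lines ("name: user1 user2").  A group with no members yields
# "name:" so the group still exists but matches nobody.
to_authgroupfile() {
    while IFS=: read -r name _pw _gid members; do
        [ -n "$name" ] || continue
        if [ -n "$members" ]; then
            printf '%s: %s\n' "$name" "$(printf '%s' "$members" | tr ',' ' ')"
        else
            printf '%s:\n' "$name"
        fi
    done
}

# refresh_authgroupfile TARGET GROUP...
# Resolves each named group via nsswitch (so sssd's cache is used) and
# atomically replaces TARGET; the file is readable by the httpd group only.
refresh_authgroupfile() {
    target="$1"; shift
    tmp="$target.tmp.$$"
    umask 027
    getent group "$@" | to_authgroupfile > "$tmp"
    chgrp apache "$tmp" 2>/dev/null || true   # 'apache' group assumed (Fedora/RHEL httpd)
    mv -f "$tmp" "$target"
}

# Constructed sample standing in for `getent group git-users git-admins` output,
# so the conversion can be exercised on a machine without these groups.
SAMPLE='git-users:x:1001:alice,bob
git-admins:x:1002:
'

# Show what the cron job would write for the sample groups.
demo() {
    printf '%s' "$SAMPLE" | to_authgroupfile
}

# Real use (commented out so the script is safe to run anywhere):
# refresh_authgroupfile /my/authorization/file git-users git-admins
```

With the file in place, the two directives Simo gives (`AuthGroupFile /my/authorization/file` and `Require group git-users`) replace `AuthLDAPUrl`/`Require ldap-group`; Kerberos still authenticates, and the file only decides authorization. Running the refresh from cron means a membership change in IPA takes effect on the next run rather than immediately, which is the trade-off for avoiding per-request LDAP queries.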