openldap - Using LDAP as auth method to manage git repositories

Question

Does anyone have experience using LDAP as auth method to manage Git Repositories, my boss prefers using LDAP than other tools. Any suggestion will be help! More detailed information will be very welcome.

Answer 1

You can easily add LDAP authentication to an Apache Httpd server.
And you can easily add a smart http cgi script 'git-http-backend' (packaged with git)

That means you can push to an https address, provided you did enter your LDAP credentials first. You are authorized to access the Apache pages, but the authentication isn't used at all.
See "Difference between mod_authn_ldap and mod_authz_ldap".

However:

• that has no relation with the way you sign your commit
• that doesn't take care of the authorization side on Git (if you are authenticated, you have access to the git repos), as mentioned in Distributed Version Control Systems and the Enterprise - a Good mix?.

The only way to actually use the authentication, and combine with a Git authorization access is to use Gitolite.

See for instance "Making repositories available to both ssh and http mode clients".

I have setup gitolite with (multiple) LDAP authentication, making the authentication step in the Apache config file, and then calling gitolite with the identified user as a parameter:

First I declare LDAP aliases:

<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword secret
  AuthLDAPURL ldap://localhost:@PORT_LDAP_TEST@/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>

<AuthnProviderAlias ldap companyldap>
  AuthLDAPBindDN "@LDAP_BINDDN@"
  AuthLDAPBindPassword @LDAP_PASSWORD@
  AuthLDAPURL @LDAP_URL@
</AuthnProviderAlias>

(The '@xx@' are templates to be replace by test or production values)

Then I use those aliases in a VirtualHost in which I call gitolite (if the authentication succeeds)

# GitHttp on @PORT_HTTP_HGIT@ (extract)
Listen @PORT_HTTP_HGIT@
<VirtualHost @FQN@:@PORT_HTTP_HGIT@>
    ServerName @FQN@
    ServerAlias @HOSTNAME@
    SetEnv GIT_PROJECT_ROOT @H@/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GITOLITE_HTTP_HOME @H@
    ScriptAlias /hgit/ @H@/sbin/gitolite-shell/  # <=== will call gitolite
    SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
    <Location /hgit>
        Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        #AllowOverride All
        order allow,deny
        Allow from all

        AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
        AuthType Basic
        # Authentication against one ldap, then a second
        AuthBasicProvider myldap companyldap
        AuthzLDAPAuthoritative Off
        Require valid-user
        AddHandler cgi-script cgi
    </Location>
</VirtualHost>