How to set up Git HTTP authentication using LDAP in Apache

This article explains how to enable the LDAP modules in the Apache configuration and authenticate Git server users against LDAP, making the authentication flow more seamless and reducing the manual work of managing access.
In an earlier article, I described setting up a git server with gitolite, gitweb, ssh and HTTP auth using a passwd file. As an extension of that article, I describe here how to authenticate using LDAP, so that authentication becomes more seamless and you avoid the manual work of managing access when you already have LDAP for authenticating users.

Before changing the configuration, confirm that the ldap and authnz_ldap modules are available in Apache. You can check this with the httpd -M command; the following should appear in the output:

************************************
$ httpd -M
.. ldap_module (shared)
authnz_ldap_module (shared)
************************************

If this is not the case, install these modules and make sure you load them in your Apache config (usually /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf) like this:

************************************************************************
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
************************************************************************

With these modules in place to handle authentication, remove or comment out the following lines in the git config file /etc/httpd/conf.d/git.conf (this corresponds to the Apache configuration file for Gerrit):

************************************************************************
<Location />
    AuthType Basic
    AuthName "Private Git Access"
    Require valid-user
    AuthUserFile /var/www/gitweb/passfile
</Location>
************************************************************************

After removing or commenting out the lines above, put these lines in the file:

************************************************************************************************************
<Location "/">
    AuthType Basic
    AuthName "Git Authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://<my ad server>:389/ou=xx,dc=xx,dc=xx,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN <user>@<mydomain>
    AuthLDAPBindPassword <user password>
    Require valid-user
</Location>
************************************************************************************************************

Make sure to supply the correct LDAP URL, and provide the name and password of one user so that Apache can bind to LDAP and retrieve authentication information. You also need to update gitolite.conf to manage authorization on the git repositories for the LDAP users.

Common issues:
If authentication is not working, put the “LogLevel debug” option in your Apache VirtualHost and check the Apache error logs. You may see the following entries:

************************************************************************************************************************************************
[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(454): [client xx.xx.xx.xx] [25749] auth_ldap authenticate: accepting user.name
[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(821): [client xx.xx.xx.xx] [25749] auth_ldap authorise: declining to authorise
************************************************************************************************************************************************

If so, make sure the AuthzLDAPAuthoritative off entry is present in the Apache git config file. It is included in the configuration above, in case you missed it.
If you see “[User Not Found]” in the error log, check the user name again and make sure the user exists in the OU/group specified in the LDAP URL.
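
To check the LDAP URL and chase a “[User Not Found]” entry, it helps to run the same search by hand. The following is an added example, not part of the original article: it splits an AuthLDAPURL into its parts and builds the matching OpenLDAP ldapsearch command, following the documented (&(filter)(attribute=username)) combination. The host, OU, bind account and function names are constructed for illustration.

```python
import shlex
from urllib.parse import unquote, urlsplit

# Values mod_authnz_ldap assumes when a part of AuthLDAPURL is left out.
DEFAULTS = ("uid", "sub", "(objectClass=*)")

def parse_auth_ldap_url(url):
    """Split ldap[s]://host:port/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("expected ldap://host[:port]/basedn?attribute?scope?filter")
    given = [unquote(f) for f in parts.query.split("?")]
    given += [""] * (3 - len(given))
    attribute, scope, flt = (g or d for g, d in zip(given, DEFAULTS))
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub', got %r" % scope)
    if not flt.startswith("("):
        flt = "(%s)" % flt
    return {
        "uri": "%s://%s:%d" % (parts.scheme, parts.hostname,
                               parts.port or (636 if parts.scheme == "ldaps" else 389)),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute, "scope": scope, "filter": flt,
        # ldap:// carries passwords unencrypted unless STARTTLS is also configured.
        "cleartext": parts.scheme == "ldap",
    }

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldapsearch_command(url, bind_dn, username):
    """Build the search done for `username` as an equivalent ldapsearch call."""
    cfg = parse_auth_ldap_url(url)
    flt = "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))
    # -W prompts for the bind password, keeping it out of shell history and `ps`.
    argv = ["ldapsearch", "-x", "-H", cfg["uri"], "-D", bind_dn, "-W",
            "-b", cfg["base"], "-s", cfg["scope"], flt, "dn"]
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    # Constructed sample values; substitute the ones from your git.conf.
    URL = "ldap://ad.example.com:389/ou=git,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    print(ldapsearch_command(URL, "svc-git@example.com", "user.name"))
```

If the printed command returns no entry for a user, the base DN, scope or filter in AuthLDAPURL excludes that account, which is what “[User Not Found]” reports.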


Reposted from: http://linuxadminzone.com/how-to-setup-git-http-authentication-using-ldap-in-apache/
