Git with Ldap on Ubuntu with Apache

Question

I'm new to Git and trying to get an installation of Git, Gitolite, and Gitweb working with LDAP. So far, we have Gitweb working with LDAP. I've reviewed many posts and guides posted around the web, but have not found a solution yet. This is on an Ubuntu 12.04.2 server with Apache 2.2.22. I'm not an expert in any of these technologies, so if I'm missing something obvious please let me know. :)

My site file contains:

<VirtualHost *:80>
    ServerAdmin admin
    ServerName myserver

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    DocumentRoot /home/git/myserver/http/

    <Directory /home/git/myserver/http/>
    </Directory>

   ErrorLog /home/git/myserver/logs/error.log
   CustomLog /home/git/myserver/logs/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    AssignUserID git git


</VirtualHost>

<VirtualHost myserver:443>
        ServerAdmin me
    ServerName myserver

    DocumentRoot /usr/share/gitweb/
    <Directory /usr/share/gitweb/>
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "Git Server"
            AuthLDAPURL "ldaps://myldap:636/DC=XX,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
            AuthLDAPBindDN "CN=User,OU=Service Accounts,DC=XX,DC=com"
            AuthLDAPBindPassword "password"
            ### If you need them to be just a member of the domain, use this:
            #require ldap-attribute objectClass=user

            ### Group based authentication. Users should be part of the group exactly, and not nested inside other groups
            require ldap-group CN=XX,OU=Groups,DC=nov,DC=com
            require ldap-group CN=YY,OU=Security Mail Enabled,OU=Groups,DC=XX,DC=com
    </Directory>

   ErrorLog /home/git/myserver/logs/error.log
   CustomLog /home/git/myserver/logs/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    AssignUserID git git

    SSLEngine On
    SSLCertificateFile /etc/ssl/apache/myserver.cer
    SSLCertificateKeyFile /etc/ssl/apache/myserver.key


</VirtualHost>

My gitweb.conf file:

# path to git projects (<project>.git)
$projectroot = "/var/lib/gitolite/repositories";

# directory to use for temp files
$git_temp = "/tmp";

$site_name = "Git";

# target of the home link on top of all pages
#$home_link = $my_uri || "/";

# html text to include at home page
#$home_text = "indextext.html";

# file with project list; by default, simply scan the projectroot dir.
$projects_list = "/var/lib/gitolite/projects.list";

@git_base_url_list = qw(ssh://gitolite@myip);

# stylesheet to use
#@stylesheets = ("static/gitweb.css");

# javascript code for gitweb
#$javascript = "static/gitweb.js";

# logo to use
#$logo = "static/git-logo.png";

# the 'favicon'
#$favicon = "static/git-favicon.png";

# git-diff-tree(1) options to use for generated patches
#@diff_opts = ("-M");
@diff_opts = ();

$feature{'highlight'}{'default'} = [1];

And my conf.d/gitweb file:

Alias /gitweb /usr/share/gitweb

<Directory /usr/share/gitweb>
  Options FollowSymLinks +ExecCGI
  AddHandler cgi-script .cgi
</Directory>

Any thoughts or suggestions are much appreciated.

Thanks!

Answer 1

Git with LDAP (git itself, not gitweb) is precisely what I do in my project:
See my httpd.conf

I define first a couple of LDAP aliases (you can authenticate against several LDAP if you want):

<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword secret
  AuthLDAPURL ldap://localhost:@PORT_LDAP_TEST@/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>

# LDAP_START
<AuthnProviderAlias ldap companyldap>
  AuthLDAPBindDN "@LDAP_BINDDN@"
  AuthLDAPBindPassword @LDAP_PASSWORD@
  AuthLDAPURL @LDAP_URL@
</AuthnProviderAlias>
# LDAP_END

(All the @xxx@ you see are template placeholders that I replace with actual values later)

Then I define my VirtualHost (on a different port than the one used for gitweb):

(extract):

# GitHttp on @PORT_HTTP_HGIT@
Listen @PORT_HTTP_HGIT@
<VirtualHost @FQN@:@PORT_HTTP_HGIT@>
    ServerName @FQN@
    ServerAlias @HOSTNAME@

    SSLCertificateFile "@H@/apache/crt"
    SSLCertificateKeyFile "@H@/apache/key"
    SSLEngine on

    SetEnv GIT_PROJECT_ROOT @H@/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GITOLITE_HTTP_HOME @H@
    ScriptAlias /hgit/ @H@/sbin/gitolite-shell/
    SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Location /hgit>
        SSLOptions +StdEnvVars
        Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        #AllowOverride All
        order allow,deny
        Allow from all
        AuthName "LDAP authentication for Smart HTTP Git repositories"
        AuthType Basic
        AuthBasicProvider myldap companyldap
        AuthzLDAPAuthoritative Off
        Require valid-user
        AddHandler cgi-script cgi
    </Location>

</VirtualHost>

Here this is calling gitolite , but if you call directly git-http-backend (which is a script from git itself, nothing to do with gitolite), you would give unrestricted access to your git repo, through http(s) with LDAP authentication

ScriptAlias /hgit/ @H@/usr/local/apps/git/libexec/git-core/git-http-backend

Answer 2

Hope you got your problem fixed. I have been messing around a few days with Git / Gitweb / gitolite myself before I gave up and just installed GitLab using a Bitnami installer

Worked like a charm (some minor hickups but it was a real eye-opener for me: don't try to configure everything yourself if you can find a good "out-of-the-box" solution.