
Git LDAP Authentication

For some time I've been trying to establish LDAP user authentication for git using Smart HTTP and the Apache web server.

I did manage to set up LDAP authentication for Apache, but I can't make git work with it. Each time I try to clone a git repo I get an HTTP error with code 403 - forbidden. Mostly I was following this tutorial - https://loutilities.wordpress.com/2011/08/12/setting-up-git-with-apache-smart-https-and-ldap/ .

According to the error.log trace, it looks like git doesn't provide the required credentials, but I don't know how to resolve this. I'm sure that the LDAP queries are correct; at least authentication was held correctly without the git backend.

Can someone please tell me what is wrong with my settings?

Many thanks in advance.

Below I have provided some info I retrieved:

.htaccess (in dev.git folder)

Options +ExecCGI
AuthName "Top Secret"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL "ldap://192.168.0.119:389/ou=users,dc=example,dc=net"
<RequireAll>
Require ldap-group cn=development,ou=groups,dc=example,dc=net
Require ldap-group cn=test_project,ou=projects,dc=example,dc=net
</RequireAll>

Apache error.log

[Sat Oct 03 13:28:37.372499 2015] [http:trace4] [pid 4421] http_request.c(301): [client x.x.x.x:50419] Headers received from client:

[Sat Oct 03 13:28:37.372526 2015] [http:trace4] [pid 4421] http_request.c(305): [client x.x.x.x:50419]   Host: some.host.com

[Sat Oct 03 13:28:37.372529 2015] [http:trace4] [pid 4421] http_request.c(305): [client x.x.x.x:50419]   User-Agent: git/2.5.1.windows.1

[Sat Oct 03 13:28:37.372531 2015] [http:trace4] [pid 4421] http_request.c(305): [client x.x.x.x:50419]   Accept: */*

[Sat Oct 03 13:28:37.372532 2015] [http:trace4] [pid 4421] http_request.c(305): [client x.x.x.x:50419]   Accept-Encoding: gzip

[Sat Oct 03 13:28:37.372534 2015] [http:trace4] [pid 4421] http_request.c(305): [client x.x.x.x:50419]   Accept-Language: ru-RU, *;q=0.9

[Sat Oct 03 13:28:37.372535 2015] [http:trace4] [pid 4421] http_request.c(305): [client x.x.x.x:50419]   Pragma: no-cache

[Sat Oct 03 13:28:37.372583 2015] [authz_core:debug] [pid 4421] mod_authz_core.c(809): [client x.x.x.x:50419] AH01626: authorization result of Require all denied: denied

[Sat Oct 03 13:28:37.372588 2015] [authz_core:debug] [pid 4421] mod_authz_core.c(809): [client x.x.x.x:50419] AH01626: authorization result of <RequireAny>: denied

[Sat Oct 03 13:28:37.372590 2015] [authz_core:error] [pid 4421] [client x.x.x.x:50419] AH01630: client denied by server configuration: /usr/lib/git-core/git-http-backend

[Sat Oct 03 13:28:37.372592 2015] [core:trace3] [pid 4421] request.c(119): [client x.x.x.x:50419] auth phase 'check access' gave status 403: /git/test_project/dev.git/info/refs

[Sat Oct 03 13:28:37.372616 2015] [http:trace3] [pid 4421] http_filters.c(1004): [client x.x.x.x:50419] Response sent with status 403, headers:

[Sat Oct 03 13:28:37.372623 2015] [http:trace4] [pid 4421] http_filters.c(833): [client x.x.x.x:50419]   Content-Length: 324

[Sat Oct 03 13:28:37.372634 2015] [http:trace4] [pid 4421] http_filters.c(833): [client x.x.x.x:50419]   Content-Type: text/html; charset=iso-8859-1

Apache.conf

SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

I have used LDAP-based authentication in my project before (see this Apache config file), but the RequireAll section always included a Require valid-user:

      <RequireAll>
        Require valid-user
        Require ldap-group @LDAP_GROUP@
      </RequireAll>

I just added one more Directory description and it worked:

<Directory "/usr/lib/git-core*">
   Options ExecCGI Indexes
   Order allow,deny
   Allow from all
   Require all granted
</Directory>

Thanks.
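An added configuration sketch, not taken from either answer above, showing where the LDAP rules have to live once the CGI directory is opened with Require all granted. ScriptAlias maps every /git/ request onto /usr/lib/git-core/git-http-backend (the path named in AH01630), so the .htaccess inside dev.git is not on the filesystem path Apache walks; the rules are attached to the URL with Location sections instead. It assumes Apache 2.4 with mod_authnz_ldap loaded and no other section covering /git/, reuses the question's paths, LDAP URL and group DNs, and the valid-user default for the rest of /git/ is an assumed policy.

```apache
# Added example: assumes Apache 2.4 + mod_authnz_ldap; values reused from the question.
SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
# ScriptAlias already marks the target as CGI, so no Options ExecCGI is needed.
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

# Filesystem side: without this, authz_core's default deny answers 403
# before any authentication is attempted (the AH01630 line in the trace).
<Directory "/usr/lib/git-core">
    Require all granted
</Directory>

# URL side: Location sections are merged after Directory sections, and with
# the default AuthMerging Off their Require lines replace "all granted".
# Assumed policy: every repository under /git/ needs an authenticated user.
<Location "/git/">
    AuthType Basic
    AuthName "Top Secret"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://192.168.0.119:389/ou=users,dc=example,dc=net"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require valid-user
</Location>

# Per-repository rule, listed after the general one so it is merged last.
# The Auth* settings are inherited from the /git/ section above.
<Location "/git/test_project/dev.git">
    <RequireAll>
        Require ldap-group cn=development,ou=groups,dc=example,dc=net
        Require ldap-group cn=test_project,ou=projects,dc=example,dc=net
    </RequireAll>
</Location>
```

With this in place an unauthenticated clone should receive 401 with a WWW-Authenticate challenge rather than 403, which is what prompts git to ask for credentials.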
