Wednesday, 30 April 2014

ULTIMATE howto for GIT with LDAP auth

There are lots of tutorials on this subject but hardly any of them are straightforward and up-to-date. For me, it took plenty of days to get this disgusting system to work on Debian. (BTW, SVN FTW :))
Note that there are two, I repeat two, methods to serve a GIT repository over HTTP: WebDAV and git-http-backend.
WebDAV is nicer and cheaper but it has some drawbacks. No further details about it here.
In the following we will set up a version hosting and control system called git with git-http-backend and an authentication mechanism against an LDAP server. My internal domain name is ring.local and my external hostname is git.ring-of-fire.com.
We will set up gitweb to ease supervision.
If everything goes well, entering https://git.ring-of-fire.com/web in a browser and having confirmed that you are a member of ring_developers_webadmin, you will have your gitweb console.
Then you enter https://git.ring-of-fire.com/git/YourMightyRepo in your GIT client and confirm yourself to be a valid member of the ring_developers LDAP group.
Successfully authorized... guess what. We happy, Vincent?

What to do, in a nutshell (version numbers are valid only for April 2014).
1
apt-get install....

ii apache2 2.2.22-13+deb7u1 i386 Apache HTTP Server metapackage 
ii apache2-mpm-worker 2.2.22-13+deb7u1 i386 Apache HTTP Server - high speed threaded model 
ii apache2-utils 2.2.22-13+deb7u1 i386 utility programs for webservers 
ii apache2.2-bin 2.2.22-13+deb7u1 i386 Apache HTTP Server common binary files 
ii apache2.2-common 2.2.22-13+deb7u1 i386 Apache HTTP Server common files 
ii git 1:1.7.10.4-1+wheezy1 i386 fast, scalable, distributed revision control system 
ii git-core 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (obsolete)
ii git-man 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (manual pages)
ii gitweb 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (web interface) 

2
root@git:/etc/apache2/sites-enabled# cat *

# real FQDN, IMPORTANT!! for git's sake
# (Apache does not accept comments after a directive on the same line, so keep them on their own lines)
ServerName git.ring-of-fire.com

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/default
    <Directory /var/www/default>
        Options -Indexes -FollowSymLinks -MultiViews
        AllowOverride None
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/zhttp-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/zhttp-access.log combined
    # a default site with any kind of index.html or .htaccess
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory /var/www>
        # Indexes lets a browser list /var/www itself (including the git/ directory name);
        # drop it unless you really want directory listings on the document root
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/git_ring.crt
    SSLCertificateKeyFile /etc/apache2/ssl/git_ring.key
    SSLCACertificateFile /etc/apache2/ssl/git_ring_bundle.ca
    BrowserMatch "git" nokeepalive ssl-unclean-shutdown
    # this https site is for the real use
</VirtualHost>

3
root@git:/etc# cat gitweb.conf
# path to git projects (<project>.git)
$projectroot = "/var/www/git";
....
This is the only parameter you need to change.

4
root@git:/etc/apache2/conf.d# cat git.conf
# check
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
# check twice if this dir exists
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

<Directory "/usr/lib/git-core">
    Options +ExecCGI
    Order allow,deny
    Allow From All
</Directory>

AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$          /var/www/git/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
ScriptAliasMatch \
    "(?x)^/git/(.*/(HEAD | \
            info/refs | \
            objects/info/[^/]+ | \
            git-(upload|receive)-pack))$" \
    /usr/lib/git-core/git-http-backend/$1

# One <Location> per repository. Location matching is case-sensitive, so the path
# must match the directory name under /var/www/git exactly (YourMightyRepo, as created
# in step 6); with GIT_HTTP_EXPORT_ALL set, a repository without its own <Location>
# is served by git-http-backend with no authentication at all.
<Location "/git/YourMightyRepo">
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthName "Git Server"
    # conf.d applies to both vhosts: Basic auth over http://...:80 would send the
    # password in clear text, so add SSLRequireSSL here or only ever use the https URL.
    # ldap:// likewise carries the bind password and every user's credentials in clear
    # text to the directory server; prefer ldaps://...:636 where the server offers it.
    AuthLDAPURL "ldap://YourLDAPServerIP:389/OU=YourADOU,DC=ring,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=Your auth user name,cn=Users,dc=ring,dc=local"
    AuthLDAPBindPassword verysecretpassword
    Require ldap-group CN=ring_developers,OU=your_groups_container_OU,DC=ring,DC=local
</Location>


5
root@git:/etc/apache2/conf.d# cat gitweb.conf
# Check that /usr/share/gitweb exists there. Note the string /web
Alias /web "/usr/share/gitweb/"

<Directory "/usr/share/gitweb">
    Options ExecCGI
    AllowOverride None
    AddHandler cgi-script .cgi
    DirectoryIndex gitweb.cgi
    Order deny,allow
    Allow from all

    # same LDAP setup as in git.conf; the same ldap:// and port-80 caveats apply
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthName "GITWEB for RING"
    AuthLDAPURL "ldap://YourLDAPserverIP:389/OU=your_users_container_OU,DC=ring,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=Your LDAP bind user name,cn=Users,dc=ring,dc=local"
    AuthLDAPBindPassword verysecretpassword
    Require ldap-group CN=ring_developers_webadmin,OU=your_groups_container_OU,DC=ring,DC=local
</Directory>



6
Initialize, check and done.

root@git:/var/www/default# ls
index.html


root@git:# cd /var/www/git/
root@git:/var/www/git# ls
[nope]

mkdir YourMightyRepo && cd * && git --bare init
cd .. && chown www-data:www-data * -R
service apache2 restart
get-a-coffee
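A check worth running after the restart, added here as an example and not part of the original post: with GIT_HTTP_EXPORT_ALL set, every bare repository under $projectroot is served by git-http-backend, and only the paths named in a `<Location "/git/<repo>">` block in git.conf get the LDAP prompt, matched case-sensitively. The script lists repositories under the project root that no Location block covers; the repository names and the git.conf it creates for the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report repositories under the
# git-http-backend project root that git.conf does not protect.
# With SetEnv GIT_HTTP_EXPORT_ALL, every bare repo under the project root is
# served; only paths matched by a <Location> with LDAP auth get a password
# prompt, and Location matching is case-sensitive.

# unprotected_repos <git.conf> <projectroot>
# Prints one repo name per line for each repo without a covering <Location>.
unprotected_repos() {
    conf="$1"
    root="$2"
    [ -f "$conf" ] && [ -d "$root" ] || return 1
    # A blanket <Location /git> (or /git/) covers every repository.
    if grep -Eq '^[[:space:]]*<Location[[:space:]]+"?/git/?"?[[:space:]]*>' "$conf"; then
        return 0
    fi
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        repo=$(basename "$dir")
        # Exact, case-sensitive match on the repository's own <Location>.
        pat="^[[:space:]]*<Location[[:space:]]+\"?/git/$repo/?\"?[[:space:]]*>"
        grep -Eq "$pat" "$conf" || printf '%s\n' "$repo"
    done
}

# demo: constructed project root with two repos and a git.conf whose only
# <Location> block has the wrong case (YourMightyREPO vs. YourMightyRepo).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/repos/YourMightyRepo" "$tmp/repos/Secret"
    cat > "$tmp/git.conf" <<'EOF'
<Location "/git/YourMightyREPO">
    AuthType Basic
    Require ldap-group CN=ring_developers,OU=your_groups_container_OU,DC=ring,DC=local
</Location>
EOF
    unprotected_repos "$tmp/git.conf" "$tmp/repos"
    rm -rf "$tmp"
}

demo   # prints Secret and YourMightyRepo: both are clonable without LDAP auth
```

Run it as `unprotected_repos /etc/apache2/conf.d/git.conf /var/www/git` on the real server; an empty result means every repository directory has a matching Location block.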


For further reference, find some more totally useless and misleading info here: http://git-scm.com/docs/git-http-backend