Windows authentication in Gitblit using active directory

Deepankar Dhoundiyal

Oct 30, 2013, 2:49:51 AM
to git...@googlegroups.com
I am trying to use Windows Active Directory authentication for authenticating users to provide access to a repository for push, pull and clone.
It has been mentioned on this page http://gitblit.com/setup_authentication.html that

Windows authentication is based on the use of Waffle and JNA. It is known to work properly for authenticating against the local Windows machine, but it is unclear if it works properly with a domain controller and Active Directory.

Has anybody been successful in setting up gitblit using windows authentication? If yes; then how. If no; then when can we have active directory support. Hoping to hear from you folks.
Thanks !

Sascha Vogt

Oct 30, 2013, 5:02:22 AM
to git...@googlegroups.com
Hi Deepankar,

On 30.10.2013 07:49, Deepankar Dhoundiyal wrote:
> [...]
> http://gitblit.com/setup_authentication.html
> [...]
> Has anybody been successful in setting up gitblit using windows
> authentication? If yes; then how. If no; then when can we have active
> directory support. Hoping to hear from you folks.

Yes, we have Gitblit running against our AD with the following settings
in the gitblit.properties:

realm.ldap.server = ldap://<our-domain>.de
realm.ldap.username = <ldap-user for querying>
realm.ldap.password = <aboves users pw>
realm.ldap.accountBase = DC=<our-domain>,DC=de
realm.ldap.groupBase = OU=Gruppen,OU=<our-domain>,DC=de
realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
realm.ldap.displayName = displayName
realm.ldap.email = mail

That's it (LDAP related)

HTH,
Greetings
-Sascha-

Gavin Williams

Sep 11, 2014, 11:47:21 AM
to git...@googlegroups.com
Sascha

Are you able to confirm the format you used for 'realm.ldap.username'?

As I keep getting 'Invalid credentials' when trying to login using AD Auth.

Cheers
Gavin

Sascha Vogt

Sep 15, 2014, 3:35:21 AM
to git...@googlegroups.com
Hi Gavin,

we have the user name there just like you use it when you use windows to
log into that account.

So it's just the short login name (I think it's the sAMAccountName of
the user, able to read the tree).

HTH
-Sascha-

On 11.09.2014 at 17:47, Gavin Williams wrote:
> Are you able to confirm the format you used for 'realm.ldap.username'?
>
> As I keep getting 'Invalid credentials' when trying to login using AD Auth.
>

Gavin Williams

Sep 15, 2014, 4:30:26 AM
to git...@googlegroups.com
Cheers for getting back to me...

Managed to work out the cause after a bit of debugging... I had double quotes (") around the realm.ldap.accountBase config value. This was then resulting in 'Invalid DN syntax' errors.

Cheers
Gavin

Dan Jung

Oct 10, 2014, 5:31:05 PM
to git...@googlegroups.com
I was able to use AD authentication just by setting authentication provider to windows.
realm.authenticationProviders = windows

Lyubomir Lyubenov

Oct 19, 2016, 4:27:10 AM
to gitblit
Hi to all,

I was able to use AD authentication just by setting authentication provider to windows.
realm.authenticationProviders = windows

But I have some questions:

Is there a way to restrict users to some group from AD, or do I need to use LDAP?
How to restrict a user from being promoted to ADMIN on first login?
When I log on with "username" and "domain\username", Gitblit creates two different users.

James Moger

Oct 19, 2016, 8:00:09 AM
to git...@googlegroups.com
I am hoping that setting realm.windows.permitBuiltInAdministrators = false will disable the admin permission promotion.

Creating two different user accounts is a problem.  Have you tried configuring realm.windows.defaultDomain ?  If you are authenticating users against multiple domains then we'll still run into trouble.  If all your users are in a single domain (crossing fingers), then I think configuring this will help.

-J

--
You received this message because you are subscribed to the Google Groups "gitblit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitblit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Lyubomir Lyubenov

Oct 20, 2016, 2:11:47 AM
to gitblit
Hi James,

This does not work for me. I have set up:

realm.authenticationProviders = windows
realm.windows.defaultDomain = prcb
realm.windows.permitBuiltInAdministrators = false

But it creates two new users when I log on with lyubomirl and prcb\lyubomirl, again with the admin role

[user "lyubomirl"]
password = "#externalAccount"
cookie = 94896778917f7c2d4c63a216a3f029c877c5540f
displayName = lyubomirl
accountType = WINDOWS
emailMeOnMyTicketChanges = true
role = "#admin"
[user "prcb\\lyubomirl"]
password = "#externalAccount"
cookie = 21e717c97833a7564d95ea8016b2be4ba56c2657
displayName = lyubomirl
accountType = WINDOWS
emailMeOnMyTicketChanges = true
role = "#admin"

Before this I had set up the domain as domain.com, but the result was again the same.
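
The duplicate entries and the admin role shown in the post above can be found mechanically. This Python sketch is an added example, not code from the thread or from Gitblit: it reads a users.conf in the layout posted above, groups accounts that differ only by a DOMAIN\ prefix, and lists external accounts that hold #admin. The sample file content and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the users.conf layout posted above (cookie values omitted).
SAMPLE_USERS_CONF = r'''
[user "lyubomirl"]
	password = "#externalAccount"
	accountType = WINDOWS
	role = "#admin"
[user "prcb\\lyubomirl"]
	password = "#externalAccount"
	accountType = WINDOWS
	role = "#admin"
[user "alice"]
	accountType = LOCAL
'''

SECTION = re.compile(r'^\[user "(.*)"\]$')

def parse_users(text):
    """Map each [user "..."] section name to {key: [values]} (keys may repeat)."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            # The file escapes a backslash as two; store the name with one.
            current = users.setdefault(m.group(1).replace("\\\\", "\\"), defaultdict(list))
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()].append(value.strip().strip('"'))
    return users

def bare_login(name):
    """Strip a DOMAIN\\ prefix and lower-case, so both login spellings compare equal."""
    return name.rsplit("\\", 1)[-1].lower()

def audit(users):
    """Return (duplicate groups, external accounts holding the #admin role)."""
    groups = defaultdict(list)
    for name in users:
        groups[bare_login(name)].append(name)
    duplicates = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    admins = sorted(n for n, u in users.items()
                    if "#admin" in u["role"] and "#externalAccount" in u["password"])
    return duplicates, admins

if __name__ == "__main__":
    dups, admins = audit(parse_users(SAMPLE_USERS_CONF))
    print("same login under several names:", dups)
    print("external accounts with #admin:", admins)
```

Run against a copy of the real users.conf after each authentication change, so unintended admin accounts are noticed before repositories are shared.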

James Moger

Oct 20, 2016, 9:12:37 AM
to git...@googlegroups.com
Then this is a bug and you are stuck until a fix is implemented & released.

-J



Lyubomir Lyubenov

Oct 20, 2016, 9:48:02 AM
to gitblit
Ok,

But in the meanwhile I'm trying to use LDAP and I receive a strange error:

Following are my settings:

realm.authenticationProviders = ldap
realm.ldap.server = ldap://dc.domain.com:389
realm.ldap.maintainTeams = false
realm.ldap.accountBase = DC=domain,DC=com
realm.ldap.accountPattern = (&(objectClass=user)(sAMAccountName=${username}))

and I receive ... :

2016-10-20 16:30:52 [WARN ] Failed login attempt for nnnnnnnnn, invalid credentials from 0:0:0:0:0:0:0:1
2016-10-20 16:31:02 [ERROR] Error Connecting to LDAP
LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server localhost:389:  java.io.IOException: An error occurred while attempting to establish a connection to server localhost/127.0.0.1:389:  java.net.ConnectException: Connection refused: connect')
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:869)
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:759)
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:709)
at com.gitblit.auth.LdapAuthProvider.getLdapConnection(LdapAuthProvider.java:210)
at com.gitblit.auth.LdapAuthProvider.authenticate(LdapAuthProvider.java:324)
at com.gitblit.manager.AuthenticationManager.authenticate(AuthenticationManager.java:495)
at com.gitblit.wicket.pages.RootPage$LoginForm$1.onSubmit(RootPage.java:574)
at org.apache.wicket.markup.html.form.Form.delegateSubmit(Form.java:1595)
at org.apache.wicket.markup.html.form.Form.process(Form.java:960)
at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:922)
        ...

For what reason can't it read the right settings, and why does it try to connect to localhost/127.0.0.1:389?

James Moger

Oct 20, 2016, 10:09:45 AM
to git...@googlegroups.com
This problem may be the same as the other problem: your custom settings are not being applied.

The beginning of the log file will have lots of useful info concerning startup values and applied config files.


Lyubomir Lyubenov

Oct 20, 2016, 10:27:20 AM
to gitblit
Yes, I see it, but I can't find anything strange.
I'm on Win2012r2 last jdk7

2016-10-20 17:22:10 Commons Daemon procrun stdout initialized
2016-10-20 17:22:11 [INFO ] 
  _____  _  _    _      _  _  _
 |  __ \(_)| |  | |    | |(_)| |
 | |  \/ _ | |_ | |__  | | _ | |_
 | | __ | || __|| '_ \ | || || __|  http://gitblit.com
 | |_\ \| || |_ | |_) || || || |_   @gitblit
  \____/|_| \__||_.__/ |_||_| \__|  1.8.0

2016-10-20 17:22:11 [INFO ] Running on Windows Server 2012 (6.2)
2016-10-20 17:22:11 [INFO ] Logging initialized @812ms
2016-10-20 17:22:11 [INFO ] Using JCE Unlimited Strength Jurisdiction Policy files
2016-10-20 17:22:11 [INFO ] Setting up HTTPS transport on port 8443
2016-10-20 17:22:11 [INFO ]    certificate alias = localhost
2016-10-20 17:22:11 [INFO ]    keyStorePath   = E:\gitblit\data\serverKeyStore.jks
2016-10-20 17:22:11 [INFO ]    trustStorePath = E:\gitblit\data\serverTrustStore.jks
2016-10-20 17:22:11 [INFO ]    crlPath        = E:\gitblit\data\certs\caRevocationList.crl
2016-10-20 17:22:11 [INFO ] Shutdown Monitor listening on port 8444
2016-10-20 17:22:11 [INFO ] jetty-9.2.13.v20150730
2016-10-20 17:22:32 [INFO ] NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
2016-10-20 17:22:32 [INFO ] 
2016-10-20 17:22:32 [INFO ] ----[com.gitblit.manager.IRuntimeManager]----
2016-10-20 17:22:32 [INFO ] Basefolder  : E:\gitblit\data
2016-10-20 17:22:32 [INFO ] Settings    : E:\gitblit\data\gitblit.properties
2016-10-20 17:22:32 [INFO ] JVM timezone: Europe/Helsinki (EEST +0300)
2016-10-20 17:22:32 [INFO ] App timezone: Europe/Helsinki (EEST +0300)
2016-10-20 17:22:32 [INFO ] JVM locale  : en_US
2016-10-20 17:22:32 [INFO ] App locale  : <client>
2016-10-20 17:22:32 [INFO ] 
2016-10-20 17:22:32 [INFO ] ----[com.gitblit.manager.INotificationManager]----
2016-10-20 17:22:32 [WARN ] Mail service disabled.
2016-10-20 17:22:32 [INFO ] 
2016-10-20 17:22:32 [INFO ] ----[com.gitblit.manager.IUserManager]----
2016-10-20 17:22:32 [INFO ] ConfigUserService(E:\gitblit\data\users.conf)
2016-10-20 17:22:32 [INFO ] 
2016-10-20 17:22:32 [INFO ] ----[com.gitblit.manager.IAuthenticationManager]----
2016-10-20 17:22:32 [INFO ] setting up com.gitblit.auth.LdapAuthProvider
2016-10-20 17:22:33 [INFO ] Ldap sync service is disabled.
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.transport.ssh.IPublicKeyManager]----
2016-10-20 17:22:33 [INFO ] FileKeyManager (E:\gitblit\data\ssh)
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IRepositoryManager]----
2016-10-20 17:22:33 [INFO ] Repositories folder : E:\gitblit\data\git
2016-10-20 17:22:33 [INFO ] Identifying repositories...
2016-10-20 17:22:33 [INFO ] 0 repositories identified with calculated folder sizes in 31 msecs
2016-10-20 17:22:33 [INFO ] Lucene will process indexed branches every 2 minutes.
2016-10-20 17:22:33 [INFO ] Garbage Collector (GC) is disabled.
2016-10-20 17:22:33 [INFO ] Mirror service is disabled.
2016-10-20 17:22:33 [INFO ] Alias 'UTF8', UTF-9 & UTF-18 encodings as UTF-8 in JGit
2016-10-20 17:22:33 [INFO ] Preparing 14 day commit cache. please wait...
2016-10-20 17:22:33 [INFO ] 0 repositories identified with calculated folder sizes in 0 msecs
2016-10-20 17:22:33 [INFO ] built 14 day commit cache of 0 commits across 0 repositories in 3 msecs
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IProjectManager]----
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IFederationManager]----
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.tickets.ITicketService]----
2016-10-20 17:22:33 [INFO ] NullTicketService started
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IGitblit]----
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IServicesManager]----
2016-10-20 17:22:33 [INFO ] Federation passphrase is blank! This server can not be PULLED from.
2016-10-20 17:22:33 [INFO ] Fanout PubSub service is disabled.
2016-10-20 17:22:33 [INFO ] Git Daemon is listening on 0.0.0.0:9418
2016-10-20 17:22:33 [INFO ] SSH Daemon (NIO2) is listening on 0.0.0.0:29418
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IFilestoreManager]----
2016-10-20 17:22:33 [INFO ] No filestore metadata file found
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] ----[com.gitblit.manager.IPluginManager]----
2016-10-20 17:22:33 [INFO ] PF4J version 1.8.0 in 'deployment' mode
2016-10-20 17:22:33 [INFO ] Enabled plugins: []
2016-10-20 17:22:33 [INFO ] Disabled plugins: []
2016-10-20 17:22:33 [INFO ] No plugins
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:33 [INFO ] All managers started.
2016-10-20 17:22:33 [INFO ] 
2016-10-20 17:22:34 [INFO ] [GitBlitWebApp] init: Wicket core library initializer
2016-10-20 17:22:34 [INFO ] [GitBlitWebApp] init: Wicket extensions initializer
2016-10-20 17:22:34 [INFO ] [GitBlitWebApp] Started Wicket version 1.4.22 in deployment mode
2016-10-20 17:22:34 [INFO ] Started o.e.j.w.WebAppContext@4772e1c3{/,file:/E:/gitblit/data/temp/webapp/,AVAILABLE}{file:/E:/gitblit/gitblit.jar}
2016-10-20 17:22:34 [INFO ] Started ServerConnector@6d264f8b{SSL-HTTP/1.1}{0.0.0.0:8443}
2016-10-20 17:22:34 [INFO ] Started @24020ms
2016-10-20 17:22:37 [INFO ] Loading properties files from jar:file:/E:/gitblit/gitblit.jar!/com/gitblit/wicket/GitBlitWebApp.properties

Lyubomir Lyubenov

Oct 26, 2016, 4:30:32 AM
to gitblit
I managed to get this working.
I moved the settings to gitblit.properties; before this I wrote the settings in defaults.properties.
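
Two of the failures in this thread, the quoted realm.ldap.accountBase value and the settings placed in a file other than the one named on the startup log's "Settings :" line, can be checked before restarting the service. This Python sketch is an added example, not code from the thread or from Gitblit: it extracts the active settings path from a log line in the format shown above and lints the realm.* keys of a properties file. The sample inputs and function names are constructed, and the ldap:// warning is an extra check based on plain LDAP being unencrypted.

```python
import re

# Constructed sample input: one startup-log line in the format shown in the thread,
# and a settings file with the quoting mistake described earlier in the thread.
SAMPLE_LOG = r"2016-10-20 17:22:32 [INFO ] Settings    : E:\gitblit\data\gitblit.properties"
SAMPLE_PROPERTIES = """\
# constructed example
realm.authenticationProviders = ldap
realm.ldap.accountBase = "DC=domain,DC=com"
realm.ldap.accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
"""

def settings_path_from_log(log_text):
    """Return the settings file Gitblit reports at startup, or None."""
    m = re.search(r"\[INFO \] Settings\s*:\s*(.+)", log_text)
    return m.group(1).strip() if m else None

def parse_properties(text):
    """Minimal reader for 'key = value' lines; no continuations or escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_realm_settings(props):
    """Return a list of (key, problem) tuples for the realm.* settings."""
    findings = []
    providers = re.split(r"[\s,]+", props.get("realm.authenticationProviders", ""))
    if "ldap" in providers:
        for key in ("realm.ldap.server", "realm.ldap.accountBase"):
            if key not in props:
                findings.append((key, "not set in this file"))
    for key, value in props.items():
        # Properties files do not strip quotes, so they end up inside the DN or filter.
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
        if key.startswith("realm.") and quoted:
            findings.append((key, "quotes are kept as part of the value"))
    if props.get("realm.ldap.server", "").startswith("ldap://"):
        findings.append(("realm.ldap.server", "ldap:// is unencrypted"))
    return findings

if __name__ == "__main__":
    print("active settings file:", settings_path_from_log(SAMPLE_LOG))
    for key, problem in lint_realm_settings(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {problem}")
```

Point it at the file the log names, not at defaults.properties, since that is the file the running instance reports as its settings.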