gitolite on Redhat 6.4 LDAP+SSH Guide


Benjamin Shtark

Sep 3, 2013, 2:27:03 PM
to gito...@googlegroups.com
Hi Guys,

I am struggling for several weeks now to make gitolite work on redhat 6.4 with LDAP (active directory) and SSH authentication.

Nothing works.
The biggest problem is that guides on the internet all use different configurations; it's a huge mess..
Couldn't find anything that works.

Basically I get to the point where gitolite works over SSH and I can control the gitolite config from the administrative user; however, nothing I do makes apache work as well..

The errors that I receive in the apache access LOG state error 401 or 404..

I am frustrated :)

Does anyone have any working config or guide that can shed some light on this??

thank you kindly :D

cheers


Dirk Heinrichs

Sep 4, 2013, 1:30:23 AM
to gito...@googlegroups.com
On Tuesday 03 September 2013, 11:27:03, Benjamin Shtark wrote:

> I am struggling for several weeks now to make gitolite work on redhat 6.4
> with LDAP (active directory) and SSH authentication.

Gitolite doesn't need LDAP/AD. It authenticates users by their SSH keys which
you put into the admin repo.

> Nothing works.
> The biggest problem is that guides on the internet all use different
> configurations; it's a huge mess.. Couldn't find anything that works.

Well, just follow the gitolite documentation...

> Basically I get to the point where gitolite works over SSH and I can control
> the gitolite config from the administrative user; however, nothing I do makes
> apache work as well..
>
> The errors that I receive in the apache access LOG state error 401 or 404..

So you have a problem with apache, not with gitolite, right? Two completely
different things. Why do you need Apache, anyway?

Bye...

Dirk
--
Dirk Heinrichs <dirk.he...@altum.de>
Tel: +49 (0)2471 209385 | Mobil: +49 (0)176 34473913
GPG Public Key C2E467BB | Jabber: dirk.he...@altum.de

Benjamin Shtark

Sep 4, 2013, 4:21:17 AM
to Dirk Heinrichs, gito...@googlegroups.com
Hi,

Basically the ultimate idea is as follows:

have one central server with many git repositories on it - for your company's internal development needs.

Users will have the option to do `git clone` using either HTTP or SSH protocols.

Currently I could implement the first.
That is, anyone can do 'git clone http://user:pass@server/git/repoX.git' and it works.

To achieve that, I simply created git repositories in Apache's wwwroot folder:

/var/www/html/repo1.git
/var/www/html/repo2.git
/var/www/html/repo3.git

For each repoX.git I have created a 'virtual site' in /etc/httpd/conf.d/repoX.conf

That 'site' config file has the settings for LDAP (active directory) authentication; that is, only users/groups specified in that file can access the 'site' (the repoX.git) via apache/http.


All of that is very nice, but we lack proper management, the ability to set 'read-only' permissions on a user/group basis, and cannot do SSH authentication...


I understand that gitolite allows ssh authentication and also provides nice and very granular permissions management as well as repository management in general (today to make a repo we need to run a bunch of commands manually on the server + edit apache config files).

So, all I want is to 'add' the integration of apache with gitolite, and it's something I am struggling to do for many weeks now..

gitolite as SSH only works fine... (on test machine)...





On Wed, Sep 4, 2013 at 3:21 AM, Sitaram Chamarty <sita...@gmail.com> wrote:
Sorry I don't really play that field; hopefully someone on the list will answer.

Quick question though: are you trying to tie LDAP to ssh or to apache/httpd?


Cunningham, Ronan

Sep 4, 2013, 5:11:41 AM
to Benjamin Shtark, Dirk Heinrichs, gito...@googlegroups.com

I have Gitolite over ssh and https working on the same machine, so I can try and help, but first things first.

You need to clarify first that Gitolite is working before considering http/apache.

Forgetting Apache for the moment, can you confirm that gitolite over ssh is working properly?

I.e.:

* Assuming the user is 'git', you can clone the repositories with 'git clone ssh://git@server/your_repo'?
* If you add a new ssh key to the gitolite admin repo, the key gets added to the $HOME/.ssh/authorized_keys file?
* If you add a new repo section to the gitolite.conf file and push the changes, gitolite creates the new repo for you?
* If gitolite creates the new repo, what is the location of the repo? (I assume it's not under /var/www/html)

Which version of Gitolite are you using?
Which user owns Gitolite?
Which user does Apache run as?

William Muriithi

Sep 4, 2013, 5:30:56 AM
to Benjamin Shtark, gito...@googlegroups.com


> Basically I get to the point where gitolite works over SSH and I can control the gitolite config from the administrative user; however, nothing I do makes apache work as well..
>
> The errors that I receive in the apache access LOG state error 401 or 404..
>

Try putting this file in the repository. I had to have it there to fix the 404 error:

git-daemon-export-ok

I do have gitolite working over SSH and https, using free-ipa for authentication.

That being said, as others have said, you may get better assistance by laying out what you have done already in more detail.

William 


Primož Cankar

Jun 10, 2016, 9:28:37 AM
to gitolite, bfl...@gmail.com
Hi William,
How did you integrate the authentication for ssh with FreeIPA? I'm trying to do the same and use gitolite to define which repos a user can push to. I have a FreeIPA server up and running, the server is connected to it, and user authentication works using ssh keys from FreeIPA.
Regards
Primož

William Muriithi

Jun 13, 2016, 5:41:16 PM
to Primož Cankar, gitolite, Benjamin Shtark

Hi Primoz,


This is definitely doable, as I did set up two gitolite servers on ssh/smart https that authenticate against FreeIPA a while back. They are still in use, but I left that gig less than a month ago, so all the information below is from memory.

This is what I remember.

- You need to create groups for each of the repos and push them to the gitolite admin repo. Essentially the documented gitolite repo access rights stuff.

- Then create the respective groups on FreeIPA or Active Directory - the latter if you have a trust relationship.
- There is a script somewhere online that takes the user name from apache/ssh and checks if the user is in a group that's authorized to access the repo in question. It's on the FreeIPA mailing list, so try looking there.
- Enroll the git server in FreeIPA - to allow ssh authenticated access from IPA - and also create a Kerberos keytab for the http service. Look for how to configure Apache to use Kerberos for authentication.

This link could provide more information:

https://www.redhat.com/archives/freeipa-users/2013-May/msg00237.html

Make sure the authenticated user name doesn't include the Kerberos realm extension. This is done by the same apache configuration. I had a lot of problems as Apache was passing wmur...@EXAMPLE.LOC to the script instead of wmuriithi. See the bottom of the link above.

- I do remember struggling with suexec.

This unfortunately isn't as helpful as the actual configurations would be, but I hope it helps a bit.

One last thing I would recommend is to try making each method work exclusively. As in:

- Get ssh access working with a local account and make some notes.

- Then start working with http smart mode and apache basic authentication and get it working.

- Then bring in FreeIPA.

I do remember making changes to the http smart host that broke ssh, and the reverse, but don't recall how I resolved it; if you take the above methodology, you will identify the conflict.

I may try doing it again to document the process and share it with the group when I get a chance soon, but I hope the above will be helpful in the meantime.

William 


> Primož


>
> --
> You received this message because you are subscribed to the Google Groups "gitolite" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gitolite+u...@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.
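An added example (not the script William refers to, and not code from the gitolite or FreeIPA projects) of the REMOTE_USER normalization and group check described above, with the local realm, group membership and per-repo groups constructed for the example. It strips the Kerberos realm only when the realm is one this server claims as its own, so a same-named principal from a trusted foreign realm does not collapse into a local gitolite user, and it enforces a conservative user-name charset before the name is handed to gitolite.

```python
import re

# Constructed for this example: Kerberos realms whose principals map onto
# local gitolite user names. Anything else is treated as a foreign identity.
LOCAL_REALMS = {"EXAMPLE.LOC"}

# gitolite user names end up in conf lookups and on a command line, so keep
# them to a conservative charset instead of trusting REMOTE_USER verbatim.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")

# Constructed sample data standing in for FreeIPA group membership and for
# the per-repo groups defined in gitolite.conf.
GROUP_MEMBERS = {"devs": {"alice", "bob"}, "ops": {"carol"}}
REPO_GROUPS = {"repo1": {"devs"}, "repo2": {"devs", "ops"}}


def gitolite_user_from_principal(remote_user, local_realms=LOCAL_REALMS):
    """Map Apache's REMOTE_USER (possibly 'user@REALM') to a gitolite user.

    Returns the bare, lower-cased user name for a local-realm principal, or
    None when the value is empty, malformed, or from a realm this server does
    not map. Rejecting foreign realms matters with AD trusts: blindly cutting
    everything after '@' would collapse alice@PARTNER.LOC into local 'alice'.
    """
    if not remote_user:
        return None
    user, sep, realm = remote_user.partition("@")
    if sep and realm.upper() not in local_realms:
        return None
    user = user.lower()
    if not USERNAME_RE.match(user):
        return None
    return user


def can_access(remote_user, repo, members=GROUP_MEMBERS, repo_groups=REPO_GROUPS):
    """Authorize REMOTE_USER for repo: normalize the principal, then require
    membership in at least one group granted on that repo. Unknown repos and
    unmappable principals are denied (default deny)."""
    user = gitolite_user_from_principal(remote_user)
    if user is None or repo not in repo_groups:
        return False
    return any(user in members.get(g, set()) for g in repo_groups[repo])
```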
