Re: CentOS 6.2 - Multiple project git repository with gitolite, gitweb, apache and ldap authentication


SyF

Oct 13, 2012, 5:47:07 PM
to gito...@googlegroups.com
Any idea?

On Saturday, October 13, 2012 at 00:46:01 UTC+2, SyF wrote:
Dears,

I've been looking for information all over the web to configure a multiple project git repository with gitolite, gitweb (read/write restriction based on gitolite conf and ldap user), apache and ldap authentication on a CentOS 6.2, but after hours trying to set it up, I just decided to send a mail here as that's what I've been told on IRC...

So the last state of my installation is as below:
  • I created git:apache user with its home set to /home/git which contains:
/home/git/.gitolite.rc only contains 2 lines: $REPO_UMASK = 0022;$GL_GITCONFIG_KEYS = "gitweb.url receive.denyNonFastforwards receive.denyDeletes";
/home/git/gitolite gitolite srcs
/home/git/repositories/testing.git gitolite auto-generated testing repo
/home/git/repositories/gitolite-admin.git gitolite auto-generated admin repo
  • gitweb installed using yum:
/var/www/git/gitweb.cgi
/etc/gitweb.conf: basic configuration and I modified this:
our $projectroot = "/home/git/repositories";

I'm wondering if I should use $export_auth_hook as there: http://stackoverflow.com/questions/9777459/how-to-get-gitolite-gitweb-working-together
  • git-daemon installed using yum
  • httpd (all apache necessary modules are loaded) git.conf at /etc/httpd/conf.d/git.conf:
SetEnv GIT_PROJECT_ROOT /home/git/repositories
SetEnv GIT_HTTP_EXPORT_ALL

ScriptAliasMatch \
       "(?x)^/git/(.*/(HEAD | \
       info/refs | \
       objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
       git-(upload|receive)-pack))$" \
       /usr/libexec/git-core/git-http-backend/$1

ScriptAlias /git/ /var/www/git/gitweb.cgi

<Location /git/>
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "Git Repositories"
Satisfy Any
Require valid-user
</Location>

I tried a lot of different configurations but without any success so far, for instance:

I got the one displayed above from man git-http-backend as notified in gitolite doc.

The result of all this is that:
  • gitweb is displayed at http://localhost/git/ but pictures/styles are not loaded and it doesn't ask for ldap authentication
  • I don't think gitolite is used at the moment, so I'm wondering what I should add and where
  • LDAP is configured the same way for my subversion repository and it works fine, but not in git case
Any help would be very appreciated as I don't really know what to do here....

Thanks in advance!

Thomas Hager

Oct 15, 2012, 3:22:07 AM
to gito...@googlegroups.com
Quoting SyF <julien.b...@gmail.com>:
> Dears,
hi,

> I've been looking for information all over the web to configure a multiple
> project git repository with gitolite, gitweb (read/write restriction based
> on gitolite conf and ldap user), apache and ldap authentication on a CentOS
> 6.2, but after hours trying to set it up, I just decided to send a mail
> here as that's what I've been told on IRC...
well, that's basically what we have running here. we're hosting the
repositories on solaris, that shouldn't make a difference though.

> So the last state of my installation is as below:
>
> - I created git:apache user with its home set to /home/git which
> contains:
>
> /home/git/.gitolite.rc *only contains 2 lines: $REPO_UMASK =
> 0022;$GL_GITCONFIG_KEYS = "gitweb.url receive.denyNonFastforwards
> receive.denyDeletes";*
> /home/git/gitolite *gitolite srcs*
> /home/git/repositories/testing.git *gitolite auto-generated testing repo*
> /home/git/repositories/gitolite-admin.git *gitolite auto-generated admin
> repo*
that looks reasonable, but the gitolite.rc doesn't seem to be correct.
which version of gitolite are you running? this doesn't look like v3
syntax.

> - gitweb installed using yum:
>
> /var/www/git/gitweb.cgi
> /etc/gitweb.conf: *basic configuration and I modified this:*
> our $projectroot = "/home/git/repositories";
>
> I'm wondering if I should use $export_auth_hook as there:
> http://stackoverflow.com/questions/9777459/how-to-get-gitolite-gitweb-working-together
yes, you have to if you want to integrate gitweb with gitolite. again
the question is which version of gitolite you're using, because the
syntax varies.

> - git-daemon installed using yum
you don't need git daemon, unless you want to serve repositories via
the native git protocol.

> - httpd (all apache necessary modules are loaded) git.conf at
> /etc/httpd/conf.d/git.conf:
[...]
well, i use a different approach, because i don't like this overly
complex ScriptAlias match ;-)

i use suexec to run gitweb and gitolite, because my apache uses a
different user than the one git's running at.
my apache's documentroot is gitweb, and /git/ is matched to a wrapper,
which calls gitolite (some of it is documented in
http://sitaramc.github.com/gitolite/ssh-and-http.html):

<VirtualHost *:443>
DocumentRoot /var/www/htdocs/gitweb
<Directory /var/www/htdocs/gitweb>
Options ExecCGI
AllowOverride none
Order allow,deny
Allow from all
</Directory>
DirectoryIndex gitweb.cgi

SuexecUserGroup git git
ScriptAlias /git/ /var/www/htdocs/bin/gitolite-suexec-wrapper.sh/

<Location />
AuthType Basic
AuthName "Git Access"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://..."
Require valid-user
</Location>
</VirtualHost>

> - gitweb is displayed at http://localhost/git/ but pictures/styles are
> not loaded and it doesn't ask for ldap authentication
check apache's error log, probably gitweb is searching in the wrong
directories. you can define the location of these files via your
gitweb.conf as well.
and apache is not requesting authentication because of "Satisfy Any".
if the user passed host based authentication (i assume allow from
all), the ldap based authentication is no longer required.

> - I don't think gitolite is used at the moment, so I'm wondering what I
> should add and where
definitely not, no. you have to use the export_auth_hook. i can help
you there, if you're using gitolite v3 ;-)

> Any help would be very appreciated as I don't really know what to do
> here....
well, i hope i was able to highlight some issues :-)

i walked your path once and everything is up and running now.

- https://repo/ asks for authentication and runs gitweb. it only
displays the repositories the user has access to (as defined by
gitolite)
- https://repo/git/... is used for pulling/pushing via "git
clone|pull|push https://repo/git/...". apache is authenticating the
user via our LDAP directory, and gitolite decides whether access is
granted or not.

hth,
tom.

--
Thomas "Duke" Hager du...@sigsegv.at
GPG: 2048R/791C5EB1 http://www.sigsegv.at/gpg/duke.gpg
=================================================================
"Never Underestimate the Power of Stupid People in Large Groups."

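Added example (not part of the original posts, and not Thomas's or the gitolite project's code): a small Python check for the "Satisfy Any" effect explained in the reply above, run over the two <Location> blocks posted in this thread plus one constructed block. It assumes Apache 2.2 semantics and looks at each container in isolation (no inheritance from enclosing scopes); the name find_skipped_auth is hypothetical.

```python
import re

# Sample input: the first two <Location> blocks are the ones posted in the
# thread; the third is constructed (Satisfy Any plus a host restriction).
SAMPLE_CONF = """\
<Location /git/>
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "Git Repositories"
Satisfy Any
Require valid-user
</Location>
<Location />
AuthType Basic
AuthName "Git Access"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://..."
Require valid-user
</Location>
<Location /internal/>
Order deny,allow
Deny from all
Allow from 10.0.0.0/8
AuthType Basic
Satisfy Any
Require valid-user
</Location>
"""

OPEN = re.compile(r"^<(\w+)\s*(.*)>$")
CLOSE = re.compile(r"^</\w+>$")

def find_skipped_auth(conf_text):
    """Return containers whose Require line is defeated by Satisfy Any."""
    flagged, stack = [], []
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line) and stack:
            label, seen = stack.pop()
            # Apache 2.2: no Deny rule means every host passes, so auth is skipped.
            if "require" in seen and seen.get("satisfy") == "any" and "deny" not in seen:
                flagged.append(label)
        elif m := OPEN.match(line):
            stack.append((" ".join(m.groups()).strip(), {}))
        elif stack:
            key, _, value = line.partition(" ")
            stack[-1][1][key.lower()] = value.strip().lower()
    return flagged
```

Only "Location /git/" is reported: the constructed /internal/ block keeps "Satisfy Any" but denies hosts outside 10.0.0.0/8, so those clients still have to authenticate.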
SyF

Oct 18, 2012, 3:05:31 PM
to gito...@googlegroups.com
Hello,

First of all thanks for the help and sorry for the delay, I was on a business trip for 4 days...

My gitolite version looks to be 3.1 so it should be ok?

I changed apache configuration as you suggested and it asks for ldap authentication so it's a great progress as Suexec is also working!

In fact, I think that the only thing left is export_auth_hook so gitweb can use gitolite, so I would be very interested in seeing yours!

Thanks in advance!

SyF

Oct 18, 2012, 6:32:41 PM
to gito...@googlegroups.com
Hello,

In fact I managed configuring gitweb.conf using this: 

Gitweb is working fine now, but I'm facing issues to push via git ssh (git clone git@localhost:repositories/gitolite-admin.git):
~/git/gitolite-admin> git push
git@localhost's password:
Permission denied, please try again.
git@localhost's password:
Counting objects: 7, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 363 bytes, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: Empty compile time value given to use lib at hooks/update line 6
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 180, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 180, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $base2 in string eq at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 396, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $base in string eq at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 396, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value in hash slice at /usr/share/perl5/vendor_perl/Gitolite/Common.pm line 176, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 180, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 180, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $base2 in string eq at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 396, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $base in string eq at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 396, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value in hash slice at /usr/share/perl5/vendor_perl/Gitolite/Common.pm line 176, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 180, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 180, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $base2 in string eq at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 396, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $base in string eq at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 396, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value in hash slice at /usr/share/perl5/vendor_perl/Gitolite/Common.pm line 176, <DATA> line 1.
remote:
remote: WARNING: Use of uninitialized value $repo in concatenation (.) or string at /usr/share/perl5/vendor_perl/Gitolite/Conf/Load.pm line 70, <DATA> line 1.
remote:
remote: FATAL: invalid repo ''
remote: error: hook declined to update refs/heads/master
To git@localhost:repositories/gitolite-admin.git
 ! [remote rejected] master -> master (hook declined)
error: failed to push some refs to 'git@localhost:repositories/gitolite-admin.git'

I also tried to clone via http using my admin user:
~/git/gitolite-admin> git clone http://root@localhost/git/gitolite-admin.git
Initialized empty Git repository in /root/git/gitolite-admin/gitolite-admin/.git/
Password:
fatal: http://root@localhost/git/gitolite-admin.git/info/refs not found: did you run git update-server-info on the server?

I ran this command and checked /home/git/repositories/gitolite-admin.git/info/refs and it does exist, so I'm a bit confused. I also tried manually changing /home/git/.gitolite/conf/gitolite.conf and running gitolite compile, but the changes don't seem to be effective...

Thanks in advance!

SyF

Oct 22, 2012, 5:42:49 AM
to gito...@googlegroups.com
Any Idea?

Thomas Hager

Oct 22, 2012, 7:34:54 AM
to gito...@googlegroups.com
Quoting SyF <julien.b...@gmail.com>:
> Hello,
hi,

> First of all thanks for the help and sorry for the delay, I was on a
> business trip for 4 days...
anytime and nevermind ;-)

> My gitolite version looks to be 3.1 so it should be ok?
nice, i'm still running 3.0x.

> I changed apache configuration as you suggested and it asks for ldap
> authentication so it's a great progress as Suexec is also working!
excellent.

> In fact, I think that the only thing left is export_auth_hook so gitweb can
> use gitolite, so I would be very interested in seeing yours!
sure, here it is:

--------------------------------------

## Gitweb/Gitolite config

$ENV{GITOLITE_HTTP_HOME}="/opt/git";

$ENV{HOME}="$ENV{GITOLITE_HTTP_HOME}";
$ENV{GIT_PROJECT_ROOT}="$ENV{GITOLITE_HTTP_HOME}/repositories";
$ENV{GL_BINDIR} = "$ENV{GITOLITE_HTTP_HOME}/admin/gitolite/src";
$ENV{GL_LIBDIR} = "$ENV{GITOLITE_HTTP_HOME}/admin/gitolite/src/lib";
$ENV{GL_USER} = $cgi->remote_user || "noauth";
unshift @INC, $ENV{'GL_LIBDIR'};

require Gitolite::Easy;

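our $export_auth_hook = sub {
    my $repo = shift;

    # never show gitolite-admin in gitweb
    return if $repo =~ /^.+gitolite-admin.git$/;

    # strip the project root and the .git suffix to get the gitolite repo name;
    # paths outside the project root are not exported
    return unless $repo =~ s/^\Q$ENV{GIT_PROJECT_ROOT}\E\/?(.+)\.git$/$1/;

    # export only if gitolite grants GL_USER read access
    return Gitolite::Easy::can_read($repo);
};
# only allow viewing repositories that also appear on the overview page
our $strict_export = 1;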

--------------------------------------

that's the part of my gitweb.cfg, which is dealing with gitolite.
please modify the paths according to your setup.

regards,

SyF

Oct 23, 2012, 4:10:14 PM
to gito...@googlegroups.com
Thanks again, I tried to replace my gitweb hook with yours, but I still have the same problems when trying to clone repositories using apache or ssh :)

SyF

Oct 29, 2012, 10:27:10 AM
to gito...@googlegroups.com
No idea ?

Thomas Hager

Oct 31, 2012, 4:28:35 AM
to gito...@googlegroups.com
Quoting SyF <julien.b...@gmail.com>:
> No idea ?
no, unfortunately not. and to be honest, i kinda lost track of your
current setup after all the changes you did :)

maybe it's a good idea to summarize your current state again, with the
most important config options and the issues you're facing.

bye,

SyF

Nov 5, 2012, 7:16:37 AM
to gito...@googlegroups.com
Hi,

Of course it must be a bit confusing, so here's my current setup:
/etc/httpd/conf.d/git.conf
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL

Alias /gitweb /var/www/git
<Directory /var/www/git>
         Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
         AllowOverride none
         AddHandler cgi-script .cgi
         DirectoryIndex gitweb.cgi
         Order         allow,deny
         Allow         from all
</Directory>

SuexecUserGroup git git
ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
#ScriptAliasMatch "(?x)^/git/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}\.(pack|idx)) | git-(upload|receive)-pack))$" /var/www/bin/gitolite-suexec-wrapper.sh/$1

<LocationMatch "^/git.*>
        AuthType Basic
        AuthName "Git Repositories"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=example,dc=com" TLS
        Require valid-user
</LocationMatch>

/etc/gitweb.conf (here is what I added to the standard conf file)
$ENV{GITOLITE_HTTP_HOME}="/home/git";

$ENV{HOME}="$ENV{GITOLITE_HTTP_HOME}";
$ENV{GIT_PROJECT_ROOT}="$ENV{GITOLITE_HTTP_HOME}/repositories";
$ENV{GL_BINDIR} = "$ENV{GITOLITE_HTTP_HOME}/gitolite/src";
$ENV{GL_LIBDIR} = "$ENV{GITOLITE_HTTP_HOME}/gitolite/src/lib";
$ENV{GL_USER} = $cgi->remote_user || "noauth";
unshift @INC, $ENV{'GL_LIBDIR'};

require Gitolite::Easy;

our $export_auth_hook = sub {
        my $repo = shift;

        # never show gitolite-admin in gitweb
        return if $repo =~ /^.+gitolite-admin.git$/;

        return unless $repo =~ s/^\Q$ENV{GIT_PROJECT_ROOT}\E\/?(.+)\.git$/$1/;

        return Gitolite::Easy::can_read($repo);
};
our $strict_export = 1;

/home/git/.gitolite.rc
$REPO_BASE = "repositories";
$REPO_UMASK = 0022;
$PROJECTS_LIST = $ENV{HOME} . "/projects.list";

I hope it's enough about my current setup, I'll add more information if needed

I wanted to modify gitolite permissions in gitolite.conf, so I cloned it using ssh but, as notified, I'm facing an issue when I try to push the change: