Can gerrit server use LDAP and HTTP authentication concurrently?


Bertram Karch

Mar 18, 2014, 11:15:01 AM
to repo-d...@googlegroups.com
Hi,

we have set up Gerrit 2.6 with LDAP authentication against an Active Directory server in our intranet.
Can I also use HTTP/HTTPS to access the repositories?

We want to give external developers access over the internet to the Gerrit server, so we plan to install an Apache web server as a proxy for the Gerrit server
and use HTTP authentication (and/or client certificates).
Is this possible?
Is this possible on the same Gerrit instance at the same time or do we need a separate Gerrit instance?

How about client certificates, can we configure an Apache web server for client certificates and how can we configure Gerrit to work with this setup?

Thanks

Bertram Karch

Mar 30, 2014, 6:19:32 AM
to repo-d...@googlegroups.com
We now plan to set up a second Gerrit server with auth.type CLIENT_SSL_CERT_LDAP which should be reachable for external users with HTTPS access.
I hope the scenario could work as follows:

A. using Gerrit UI:
- user signs in in the browser with a client certificate
- Gerrit checks the client certificate and authenticates against our Active Directory server (user enters his LDAP user and password)

B. clone/pull/push:
- external user uses git --config to configure his client certificate
- external user uses git clone https://gerritserver/repo to clone the Gerrit project

C. repo sync:
- we can use SSH to pull new commits from external Gerrit projects and push to internal Gerrit projects

Could this be a functioning setup or do I have to expect any problems?

Luca Milanesio

Mar 30, 2014, 1:03:25 PM
to Bertram Karch, repo-d...@googlegroups.com
Hi Bertram,
my suggestion is however to upgrade to Gerrit 2.8: should you have any problem, the Gerrit community would be able to help you and provide fixes.

With regard to authentication, are you then always going to use X.509 client certificate authentication (including Git access)?

Another warning: do not use an Apache reverse proxy for HTTPS termination. You need the SSL connection to terminate on the Gerrit JVM process in order to access the client certificate.

Last point: you may assess the possibility of using gitBasicAuth=true in the [auth] section in order to use the LDAP password over the Git / HTTPS channel.

Luca.

Bertram Karch

Apr 3, 2014, 4:52:41 PM
to repo-d...@googlegroups.com, Bertram Karch
Hi Luca,

on our internal Gerrit server we use Gerrit 2.6, but for the new server I plan to use Gerrit 2.9, is that OK?

Question on the last point:
Do I understand right: if I set gitBasicAuth in the auth section, then I can use git clone https://myserver/myrepo with my LDAP user ID and password,
or do I have to set an additional HTTPS password in my settings?

Regards,
Bertram

Luca Milanesio

Apr 3, 2014, 6:44:43 PM
to Bertram Karch, repo-discuss
Hi Bertram,
2.9 is fine; it is not final yet but it is stable.

When you use gitBasicAuth you do not need to set up any additional password: LDAP credentials are used for both Web and Git commands.

For more information you can access Gerrit Documentation at:

or read the "Learning Gerrit Code Review":

Luca.
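
The settings discussed in this thread, gathered into one `gerrit.config` sketch for the external-facing instance. This is an added example, not configuration posted by either participant; the host names, port, DNs and file paths are constructed placeholders.

```ini
# etc/gerrit.config (constructed example; all names and paths are placeholders)

[gerrit]
	canonicalWebUrl = https://gerrit.example.com:8443/

[auth]
	# Web sign-in by X.509 client certificate, account data looked up in LDAP.
	type = CLIENT_SSL_CERT_LDAP
	# Option raised in the thread: Git over HTTPS authenticates with the
	# LDAP user name and password via HTTP Basic. Assess before enabling.
	gitBasicAuth = true

[httpd]
	# Plain https:// makes Jetty inside the Gerrit JVM terminate TLS, so it
	# sees the client certificate. A proxy-https:// URL would instead mean a
	# front-end proxy terminates TLS, which is what the thread warns against.
	listenUrl = https://*:8443/
	# Java keystore with the server key pair and the trusted issuer CA certs.
	sslKeyStore = etc/keystore
	# Optional PEM revocation list, used with CLIENT_SSL_CERT_LDAP.
	sslCrl = etc/crl.pem

[ldap]
	# Use ldaps:// so bind credentials are not sent in clear text.
	server = ldaps://ad.example.com
	username = CN=gerrit-bind,OU=Service Accounts,DC=example,DC=com
	accountBase = OU=Users,DC=example,DC=com
	groupBase = OU=Groups,DC=example,DC=com

# Secrets (httpd.sslKeyPassword, ldap.password) go in etc/secure.config,
# readable only by the Gerrit service account, not in this file.
```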