Run gitolite with LDAP backend and SSH + HTTP/S
The scripts allow the "git clone git@server:somerepo" syntax with a public key only, "git clone username@server:somerepo" with a public key or password via SSH, "git clone http://server/publicrepo" as the user anonymous, and "git clone https://server/somerepo" with username and password via HTTP.
There might be several ways to connect gitolite with ldap. This is ours! If you find a way to do it better, send me a patch! I don't show how to configure LDAP. This howto expects that you have some knowledge about ssh/apache2/LDAP.
ALL ALL=(git) NOPASSWD:SETENV: /path/to/gitolite/bin/gitolite-shell
Warning! This is a security problem if the user has access to the system running gitolite (most cases): any local user can now run gitolite-shell as git while pretending to be any gitolite user whose name he knows! But there is a workaround. Add gitolite-shell-force-noninteractive.sh to your system and use the following instead:
ALL ALL=(git) NOPASSWD:SETENV: /path/to/gitolite-shell-force-noninteractive.sh
The script checks whether the caller is on a tty and, if so, refuses to run gitolite-shell. If you use this approach, be sure to point the http and ssh wrapper scripts at gitolite-shell-force-noninteractive.sh instead of at gitolite-shell itself.
If you have a better solution to this problem, let me know!
AuthorizedKeysCommand /path/to/script/ldap_authorized_keys.sh
AuthorizedKeysCommandUser nobody
PermitUserEnvironment yes
ForceCommand /path/to/gitolite_ssh_wrapper_script.sh
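The AuthorizedKeysCommand above has to turn a directory lookup into authorized_keys lines. The following is an added example of that step, not the page's ldap_authorized_keys.sh: it assumes keys are stored in an sshPublicKey attribute, that the ssh wrapper reads the gitolite username from a GL_USER variable, and that PermitUserEnvironment yes is set (otherwise sshd ignores the environment= option it emits). The LDIF input is constructed inline in place of real ldapsearch output.

```shell
#!/bin/sh
# Added example (not the page's ldap_authorized_keys.sh): turn the LDIF that an
# ldapsearch for a user's sshPublicKey attributes returns into authorized_keys
# lines. Assumptions: keys live in the sshPublicKey attribute, the SSH wrapper
# reads the gitolite username from GL_USER, and sshd_config has
# PermitUserEnvironment yes (otherwise sshd ignores the environment= option).

# Restrictive options for every emitted key: no forwarding, no pty.
KEY_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Constructed sample LDIF standing in for real ldapsearch output; the second
# key is folded across two lines as LDIF permits.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisExample alice@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
 DFakeRsaKeyMaterialFolded alice@desk
mail: alice@example'

# ldif_to_authorized_keys USER: read LDIF on stdin, print one authorized_keys
# line per sshPublicKey value, tagging each key with USER via environment=.
ldif_to_authorized_keys() {
    user=$1
    # The username lands inside a quoted option, so allow only safe characters.
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    awk -v opts="$KEY_OPTS" -v user="$user" '
        # Emit the buffered attribute if it is a well-formed public key.
        function flush(    key) {
            if (buf ~ /^sshPublicKey: /) {
                key = buf; sub(/^sshPublicKey: /, "", key)
                if (key ~ /^(ssh|ecdsa|sk)-[A-Za-z0-9.@-]+ [A-Za-z0-9+\/=]+( [^"]*)?$/)
                    printf "%s,environment=\"GL_USER=%s\" %s\n", opts, user, key
            }
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }   # LDIF continuation line
              { flush(); buf = $0 }
        END   { flush() }'
}

# As an AuthorizedKeysCommand, sshd passes the login name as the argument;
# here the sample LDIF replaces the directory lookup.
if [ -n "$1" ]; then
    printf '%s\n' "$SAMPLE_LDIF" | ldif_to_authorized_keys "$1"
fi
```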
<VirtualHost your.domain:80>
    ScriptAlias / /path/to/gitolite_http_wrapper_script/
    <Location />
        Allow from all
    </Location>
</VirtualHost>
<VirtualHost your.domain:443>
    SSLEngine On
    SSLCertificateFile "/etc/apache2/server.crt"
    SSLCertificateKeyFile "/etc/apache2/server.key"
    ScriptAlias / /path/to/gitolite_http_wrapper_script/
    <Location />
        Options FollowSymLinks
        AllowOverride None
        Order Allow,Deny
        Allow from all
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=example?uid?sub
        AuthLDAPBindAuthoritative Off
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN Off
        AuthName "LDAP Login"
        #require ldap-group cn=core-admin,ou=groups,dc=example
        require valid-user
    </Location>
</VirtualHost>