Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Ldap auth for my cgit project

I have previously written about my cgit solution for my network. With my recent work on my calendar solution, I bothered to get around to adding basic authentication with an LDAP backend.

So, I also modified my cgit/git solution to use ldap auth.

My apache configs are now separated into even more included files!

File /etc/httpd/conf.d/cgit.conf

Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
RedirectMatch ^/cgit$ /git/
<Directory "/usr/share/cgit/">
   AllowOverride None
   Require all granted
</Directory>

File /etc/httpd/conf.d/main.conf

SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
SetEnv GITWEB_CONFIG /etc/gitweb.conf
# This file will not work when it is in /usr/sbin.
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend-internal/
<Directory "/usr/libexec/git-core*">
   Options +ExecCGI +Indexes
   Order allow,deny
   Allow from all
   Require all granted
</Directory>
# a2enmod macro
<Macro Project $repository $rwstring $rostring>
   <LocationMatch "^/git/$repository.*$">
      AuthName "Git Access"
      Include conf.d/auth.cnf
      #AuthUserFile /etc/git_access
      Require $rwstring
      Require $rostring
   </LocationMatch>
   <LocationMatch "^/git/$repository/git-receive-pack$">
      AuthName "Git Access"
      Include conf.d/auth.cnf
      #AuthUserFile /etc/git_access
      Require $rwstring
   </LocationMatch>
</Macro>
# Protect everything under git directory...
<Directory "/var/www/git">
   Require all denied
</Directory>
# ...Unless given permissions in this file.
Include /etc/git_access.conf
# https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/
# depends on confs-enabled/cgit.conf
<Directory "/usr/share/cgit/">
   SetEnv CGIT_CONFIG /etc/cgitrc
   SetEnv GIT_URL cgit
   AllowOverride all
   Options +ExecCGI +FollowSymLinks +Indexes
   DirectoryIndex cgit.cgi
   AddHandler cgi-script .cgi
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule (.*) /cgit/cgit.cgi/$1 [END,QSA]
</Directory>

And now, I load /etc/httpd/conf.d/auth.cnf, which holds my common authentication rules.

# File: /etc/httpd/conf.d/auth.cnf
# Startdate: 2022-05-22 14:32
# Usage: included by main config file in a few places
AuthType Basic
Order deny,allow
Deny from all
Satisfy any
AuthBasicProvider ldap
AuthLDAPGroupAttribute member
AuthLDAPSubGroupClass group
# If anonymous search is disabled, provide dn and pw.
#AuthLDAPBindDN uid=service-account,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
#AuthLDAPBindPassword mypw
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL "ldaps://dns1.ipa.internal.com:636 dns2.ipa.internal.com:636/cn=users,cn=accounts,dc=ipa,dc=internal,dc=com?uid,memberof,gecos?sub?(objectClass=person)"
#?sub?(objectClass=*)
# My radical set up uses HTTP_X_REMOTE_USER as username for authentication
RequestHeader set X_REMOTE_USER "%{AUTHENTICATE_uid}e"
# This does not populate correctly. Probably my group attribute settings are wrong?
RequestHeader set X_GROUPS "%{AUTHENTICATE_memberOf}e"
# This populates correctly
RequestHeader set X_GECOS "%{AUTHENTICATE_gecos}e"

And of course, /etc/git_access.conf

# File /etc/git_access.conf
# Part of cgit solution for Internal network, 2021-04-15
# The last phrase can be "all granted" to allow anybody to read.
# Use httpd "Require" strings for param2, param3. Param2 grants read/write permission, Param3 is read-only.
#Use Project dirname "user alice bob charlie" "all granted"
#Use Project dirname "user charlie" "user bob alice"
Use Project 7w "user bgstack15" "all granted"
Use Project "chicago95-packaging/chicago95-packages" "user bgstack15" "all granted"
Use Project "el7-gnupg2-debmirror/libassuan" "user bgstack15" "all granted"

I tried to make the values in this git_access.conf file accept globs or regular expressions, but I couldn't figure that out. So instead of chicago95-packaging/* I had to name every directory underneath it.
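To check what a git_access.conf line actually grants before reloading httpd, here is an added Python model (not part of the original post or of cgit) of the Project macro above: each Use line is expanded into the same two LocationMatch sections, and a request path plus Basic-auth user is evaluated with httpd's section-merging and Require-OR rules. The sample config is constructed; it also shows that because the macro pastes the name into `^/git/$repository.*$`, a grant for 7w also covers any path beginning with /git/7w, which anchoring the pattern with a trailing slash would avoid.

```python
import re

# Constructed sample in the page's /etc/git_access.conf format (not the author's full file).
GIT_ACCESS_CONF = """
# Use Project dirname "rw require string" "ro require string"
Use Project 7w "user bgstack15" "all granted"
Use Project "chicago95-packaging/chicago95-packages" "user bgstack15" "all granted"
Use Project secret-repo "user bgstack15" "user alice bob"
"""

USE_LINE = re.compile(r'^Use\s+Project\s+(?:"([^"]*)"|(\S+))\s+"([^"]*)"\s+"([^"]*)"\s*$')

def expand_macro(conf):
    """Expand each 'Use Project' line into the two <LocationMatch> sections the page's
    <Macro Project> produces, in file order, as (compiled regex, [Require strings]).
    The name is pasted into the regex verbatim, so '7w' also matches '/git/7w-private/...';
    a pattern such as ^/git/$repository/ would close that."""
    sections = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = USE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        repo = m.group(1) if m.group(1) is not None else m.group(2)
        rw, ro = m.group(3), m.group(4)
        sections.append((re.compile(rf"^/git/{repo}.*$"), [rw, ro]))           # read or write
        sections.append((re.compile(rf"^/git/{repo}/git-receive-pack$"), [rw]))  # push only
    return sections

def require_satisfied(require, user):
    """Evaluate one httpd 'Require' string; user=None means no Basic-auth credentials."""
    words = require.split()
    if words == ["all", "granted"]:
        return True
    if words[0] == "user":
        return user is not None and user in words[1:]
    raise ValueError(f"unsupported Require: {require!r}")

def allowed(sections, path, user=None):
    """httpd merges matching <LocationMatch> sections in file order; with the default
    AuthMerging Off the last matching section's Require lines replace earlier ones, and
    several Require lines in one section are OR-ed (implicit RequireAny). A path that
    matches no section is treated as denied, the page's intent for unlisted repositories."""
    winning = None
    for regex, requires in sections:
        if regex.match(path):
            winning = requires
    return winning is not None and any(require_satisfied(r, user) for r in winning)
```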

So, nothing groundbreaking today.
