In earlier article, I have described setting up git server with gitolite, gitweb, ssh and http auth using passwd file. Here as an extension of that article, I am describing how to do authentication using LDAP so that authentication become more seamless and avoid any sort of manual work for managing access when you have LDAP for authenticating users.
Before proceeding for change in config, you should confirm that ldap and authnz_ldap modules are there in Apache. You can check that using httpd -M command, following should be there in output:
$ httpd -M .. ldap_module (shared) authnz_ldap_module (shared) ..
If this is not the case, then please install these modules and make sure you load them in your Apache config (usually /etc/httpd/conf/httpd.conf) like this:
LoadModule ldap_module modules/mod_ldap.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
After having these modules to facilitate authentication, we need to remove or comment out following lines in our git config file /etc/httpd/conf.d/git.conf:
<Location /> AuthType Basic AuthName "Private Git Access" Require valid-user AuthUserFile /var/www/gitweb/passfile </Location>
After removing or commenting out above lines, put these lines in the file:
<Location "/"> AuthType Basic AuthName "Git Authentication" AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://<my ad server>:389/ou=xx,dc=xx,dc=xx,dc=com?sAMAccountName?sub?(objectClass=user)" AuthLDAPBindDN <user>@<mydomain> AuthLDAPBindPassword <user password> Require valid-user </Location>
Here make sure to supply correct LDAP url and provide info of one user and its password so that Apache can contact LDAP to retrieve authentication information. You also needs to update gitolite.conf to manage authorization for git repositories for LDAP user.
Reload Apache to apply new settings and you should be able to access Git repository over http using LDAP user.
If authentication not working, put “Loglevel Debug” option in your Apache VirtualHost and check Apache error logs. In case you notice following error:
[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(454): [client xx.xx.xx.xx]  auth_ldap authenticate: accepting user.name [Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(821): [client xx.xx.xx.xx]  auth_ldap authorise: declining to authorise
Then make sure AuthzLDAPAuthoritative off entry is there in Apache git config file, I have already mentioned it above just in case if you missed it.
In case you notice “[User Not Found]” in error log, then check your user name again and make sure the user exist in correct OU/group specified in ldap url.