How to setup Git http authentication using LDAP in Apache

by jagbir on April 18, 2012

In earlier article, I have described setting up git server with gitolite, gitweb, ssh and http auth using passwd file. Here as an extension of that article, I am describing how to do authentication using LDAP so that authentication become more seamless and avoid any sort of manual work for managing access when you have LDAP for authenticating users.

Before proceeding for change in config, you should confirm that ldap and authnz_ldap modules are there in Apache. You can check that using httpd -M command, following should be there in output:

$ httpd -M 
 ldap_module (shared)
 authnz_ldap_module (shared)

If this is not the case, then please install these modules and make sure you load them in your Apache config (usually /etc/httpd/conf/httpd.conf) like this:

LoadModule ldap_module modules/
LoadModule authnz_ldap_module modules/

After having these modules to facilitate authentication, we need to remove or comment out following lines in our git config file /etc/httpd/conf.d/git.conf:

<Location />
    AuthType Basic
    AuthName "Private Git Access"
    Require valid-user
    AuthUserFile /var/www/gitweb/passfile

After removing or commenting out above lines, put these lines in the file:

<Location "/">
    AuthType Basic
    AuthName "Git Authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://<my ad server>:389/ou=xx,dc=xx,dc=xx,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN <user>@<mydomain>
    AuthLDAPBindPassword <user password>
    Require valid-user

Here make sure to supply correct LDAP url and provide info of one user and its password so that Apache can contact LDAP to retrieve authentication information. You also needs to update gitolite.conf to manage authorization for git repositories for LDAP user.

Reload Apache to apply new settings and you should be able to access Git repository over http using LDAP user.

Common issues:
If authentication not working, put “Loglevel Debug” option in your Apache VirtualHost and check Apache error logs. In case you notice following error:

[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(454): [client xx.xx.xx.xx] [25749] auth_ldap authenticate: accepting
[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(821): [client xx.xx.xx.xx] [25749] auth_ldap authorise: declining to authorise

Then make sure AuthzLDAPAuthoritative off entry is there in Apache git config file, I have already mentioned it above just in case if you missed it.

In case you notice “[User Not Found]” in error log, then check your user name again and make sure the user exist in correct OU/group specified in ldap url.

Related articles:
* Quickly setup Git server with gitolite, gitweb, ssh and http auth
* Configure password based subversion access via http
* Download, install and configure ViewVC for Subversion

Previous post:

Next post: