Configuring GIT

First up, I found most of my information on this here:

Seth Robertson – Git On The Web

The one thing that I didn’t realise initially is that you can’t use the gitweb URL to do clones etc.
I spent ages trying to do this, until I found Seth’s page. It explains things in a very structured manner that can be applied to most situations, I suspect.

The only other thing I think I should point out is related to rewrites. If you define them in an Apache configuration section that sits higher than the site everything will be accessed from, you need to remember to set the following in that site, otherwise they will be ignored:

        RewriteEngine On
        RewriteOptions Inherit

So, in my case, I am accessing git via a VirtualHost that I have. The virtual host needed these lines adding to it, otherwise the rewrite configuration in conf.d/gitweb didn’t get picked up.

To enable LDAP, I also had to do this:

        sudo a2enmod authnz_ldap
        sudo a2enmod cgi
        sudo service apache2 restart

In the end, to have a Git repository authenticating against LDAP (with group membership), along with GitWeb, some aliases, source IP restrictions and some rewrites, I ended up with a gitweb file that looks like this:

Alias /<gitweb alias> /usr/share/gitweb
Alias /<shortened gitweb alias> /usr/share/gitweb

RewriteEngine On
RewriteRule ^/<shortened gitweb alias>/([^/]+)$ /<shortened gitweb alias>/?p=$1 [R,NE]
RewriteRule ^/<shortened gitweb alias>//([^/]+)/([0-9a-f]+)$ /<shortened gitweb alias>/?p=$1/.git;a=commitdiff;h=$2 [R,NE]
RewriteRule ^/<shortened gitweb alias>/([^/]+)/([0-9a-f]+)$ /<shortened gitweb alias>/?p=$1;a=commitdiff;h=$2 [R,NE]

<Directory /usr/share/gitweb>
  Options FollowSymLinks +ExecCGI
  AllowOverride all
  AddHandler cgi-script .cgi
  Order deny,allow
  Deny from all
  Allow from <restricting IP addresses>
  SSLRequireSSL
  AuthType basic
  AuthName "Private git repository"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://<ldap server>:<port>/<LDAP User DN>?<LDAP User ID>?sub?(objectClass=*)"
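  # Multiple Require lines are ORed, so "Require valid-user" is left out here:
  # it would admit any LDAP user and bypass the group check below.
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group <LDAP Group DN>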
</Directory>

ScriptAlias /<shortened git alias>/ /usr/lib/git-core/git-http-backend/
<Directory "/usr/lib/git-core/">
  Options +ExecCGI
  SetEnv GIT_PROJECT_ROOT <path to projects>
  SetEnv GIT_HTTP_EXPORT_ALL
  Order deny,allow
  Deny from all
  Allow from <restricting IP addresses>
  SSLRequireSSL
  AuthType basic
  AuthName "Private git repository"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://<ldap server>:<port>/<LDAP User DN>?<LDAP User ID>?sub?(objectClass=*)"
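  # Multiple Require lines are ORed, so "Require valid-user" is left out here:
  # it would admit any LDAP user and bypass the group check below.
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group <LDAP Group DN>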
</Directory>

And we are done (well, other than making the virtual host allow the rewrites).

Just to prove it, here is a sample checkout:

~/temp$ git clone https://<server>/<GIT Alias>/test.git
Cloning into 'test'...
Username for 'https://<server>': <good user>
Password for 'https://<good user>@<server>': 
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 10 (delta 0), reused 4 (delta 0)
Unpacking objects: 100% (10/10), done.
~/temp$ rm -rf test
~/temp$ git clone https://<server>/<GIT Alias>/test.git
Cloning into 'test'...
Username for 'https://<server>': <bad user>
Password for 'https://<bad user>@<server>': 
fatal: Authentication failed
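
An added example, not part of the original post: a small Python audit of `<Directory>` blocks shaped like the gitweb file above. It flags three things that decide who gets in: a `Require valid-user` that is ORed with a group requirement, Basic auth without `SSLRequireSSL`, and a missing source IP restriction. The sample config is constructed, and its network and group DN are placeholders.

```python
import re

# Constructed sample shaped like the gitweb file above (placeholder network and DN).
SAMPLE = """\
<Directory /usr/share/gitweb>
  Order deny,allow
  Deny from all
  Allow from 192.0.2.0/24
  SSLRequireSSL
  AuthType basic
  AuthBasicProvider ldap
  Require valid-user
  Require ldap-group cn=git,ou=groups,dc=example,dc=org
</Directory>
<Directory "/usr/lib/git-core/">
  AuthType basic
  AuthBasicProvider ldap
  Require ldap-group cn=git,ou=groups,dc=example,dc=org
</Directory>
"""

MESSAGES = {
    "require-or": "Require valid-user is ORed with the other Require lines: any authenticated user passes",
    "basic-no-ssl": "Basic auth without SSLRequireSSL in this block: credentials may cross plain HTTP",
    "no-ip-limit": "no 'Allow from' or 'Require ip' source restriction in this block",
}

def audit(conf):
    """Return [(directory, finding_code), ...] for every <Directory> block in conf."""
    findings = []
    blocks = re.findall(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', conf, re.I | re.S)
    for path, body in blocks:
        # Directive names are case-insensitive; drop blank and comment lines.
        lines = [" ".join(l.lower().split()) for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        requires = [l.split(" ", 1)[1] for l in lines if l.startswith("require ")]
        # Outside <RequireAll>, Apache grants access if ANY Require line matches.
        grouped = any(l.startswith("<requireall") for l in lines)
        if "valid-user" in requires and len(requires) > 1 and not grouped:
            findings.append((path, "require-or"))
        if "authtype basic" in lines and "sslrequiressl" not in lines:
            findings.append((path, "basic-no-ssl"))
        if not any(l.startswith(("allow from ", "require ip ")) for l in lines):
            findings.append((path, "no-ip-limit"))
    return findings

if __name__ == "__main__":
    for path, code in audit(SAMPLE):
        print(f"{path}: {MESSAGES[code]}")
```

The checks look only inside each `<Directory>` block, so a restriction inherited from the enclosing virtual host will still be reported as missing.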
