Objective:
Setup Git repository on Oracle Linux 6. Users connecting from Windows, Mac and Linux, using AD credentials. I would like to limit access base on AD groups. I have been searching for a way to set this up. I have seen several options that allow for fine grained access control of the repository but I haven't found anything that can use AD groups to manage access.
So the question is: Is this even possible? Can someone point me in the direction of documentation that would explain the process?
Update:
There now appear to be more options:
GitLab supports LDAP authentication
Gogs supports LDAP too
Update:
GitBlit, "an open-source, pure Java stack for managing, viewing, and serving Git repositories", supports LDAP authentication out of the box:
LDAP can be used to authenticate Users and optionally control Team memberships. When properly configured, Gitblit will delegate authentication to your LDAP server and will cache some user information in the usual users.conf file.
GitBlit also lists support for Windows authentication, but only when installed on Windows, and only tested against local accounts.
Previous answer:
If you move your Git server to Bonobo Git Server on Windows you can use Windows authentication:
Windows Authentication
This authentication is very useful when your git server sits inside the company network and your accounts and logging information could be managed via IIS. The advantage of this approach is that your users won’t have to create another account for logging to Bonobo Git Server. They will use the existing Windows account they use on the network.
Doing this from Linux is possible, but unlikely to be easy. You'll probably have to set PAM up to use either LDAP or Kerberos authentication and then do quite a lot of configuration. If you've got Windows licences I strongly recommend checking out Bonobo.
Related
We have tried sssd utility which does LDAP auth to windows AD however we have to manage individual servers for user/group permissions, there is no central management with sssd.
Also, we are trying to use FREEIPA but seems like it's another directory service and we need to create another domain and then establish trust between windows domain & IPA domain however we don't want to choose that route.
Is there a way to just integrate the FreeIPA with windows AD without creating FREEIPA domain.
No, there is no such way. FreeIPA is not a tool, it is full functioning identity management system, similar to Active Directory but for POSIX environments. You aren't deploying it on a single machine as a separate application.
There are plenty other tools that utilise existing Active Directory deployment to store own information and handle Linux machines but most of them are commercially available.
However, I wonder why you are claiming there is no central management with SSSD for direct AD integration. SSSD with id_provider = ad supports group policies in AD, so you can apply those rules centrally. Technically you also can store SUDO rules in AD LDAP, though it wouldn't be easily manageable compared to FreeIPA.
Our VisualSVN server has "Integrated Windows Authentication" enabled, so I cannot access to it via Ubuntu/svn.
When I do this :
svn checkout http://MyRepo
I get these errors:
svn: E120191: Unable to connect to a repository at URL 'http://MyRepo'
svn: E120191: Error running context: The requested authentication type(s) are not supported.
Does anybody know a solution to this problem (other than not using Windows Authentication) ?
If you have Integrated Windows Authentication enabled, then your client computer has to be joined the Active Directory domain where VisualSVN Server resides (or at least trusted AD domain). In such case Integrated Windows Authentication will work from the Linux machine (over Kerberos or NTLM) without any problems.
For a non-domain Windows machine, it is always possible to put AD credentials to Windows Credential Manager and you could authenticate over IWA without any issues. I don't know any alternative on Linux for the tool but I guess that there has to be one.
You can enable Basic Windows Authentication in VisualSVN Server settings in addition to Integrated Windows Authentication. This way Linux-based should be able to authenticate over Basic.
Our backend is running with PostgreSql in REDHAT environment.Here we need to implement a kerberos authentication.what will be the configuration changes required to perform this.
example: google. once we login to google.com we can access google+, google drive, google apps.. without again providing password.
I too need a similar setup. but my requirment is my client wants to connect through windows as front-end where RHEL is using as backend. so, i have a vague idea thats going to work out with Active Directory configuration. but guide me on how to setup kerberos using AD on RHEL.
i have this situation:
windows domain (+active directory) (2008),
linux machine (debian, redhat),
and windows work stations (xp, vista, 7).
users are connecting to linux from win PCs using ssh (putty). thah means, thay must type username and password on every login.
my goal is create SSO. users login to windows(and domain) on startup (by domain name+pass), and when they are connecting to linux machine no password is required. i need configure linux machine. and make same changes in putty-core application in worstations. biggest problem is configure linux.
need some help
maybe using kerberos??
thanks
Best would be to use Centrify DirectControl Express and Centrify Putty (both FREE). Centrify DirectControl Express allows you to quickly and easily join a non-Microsoft system to an Active Directory domain, thereby giving you the advantage of a single administrative tool to administer authentication across a heterogeneous computing environment.
Distribute Centrify-Enabled Putty to your windows users, to be able to SSO into the Linux machines.
For more information, refer to:
http://www.centrify.com/express/centrify-directcontrol-express.asp
http://www.centrify.com/express/centrify-enabled-open-source-tools.asp
I have a GWT webapp running on tomcat 7 on RedHat. All clients reside within intranet and use IE7 from XP machines to access the webapp.
The new requirement is to setup per user log. If user claims he did something wrong because of webapp, the admin should be able to check webapp responses for that request. Another requirement(a very nice to have feature) is to avoid login/password screen and use domain username instead.
I think I can ask my admin to setup Integrated Windows Authentication for Tomcat http://www.tomcatexpert.com/blog/2011/06/22/windows-authentication-apache-tomcat. Once IWA is implemented on Tomcat I expect I will be able to access username with HTTPServletRequest.getRemoteUser() from my webapp.
Am I right in my assumption?
Is there a simpler way than that?
The integration of a Java container such as Tomcat with a Windows Domain through IWA, SPNEGO, Kerberos etc. can be a very complicated task and the Tomcat instructions that you point to may or may not work the first time and may also require changes to the way your Windows environment is configured.
Once that integration is working, your web application will need to specify auth constraints in web.xml to protect part or whole of the webapp. Although it may not prompt for user id if the Windows authentication set up is working seamlessly, it is necessary for the configuration to be there before getRemoteUser will return anything inside your application.