具有 ldap 授权的 Git
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1573722/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Git with ldap authorization
提问by Tobias Hertkorn
Is there a way to authorize user via ldap on a git repository? Or phrased slightly differently: Is there a way to deny people pull/push if they are not in a specific ldap group?
有没有办法在 git 存储库上通过 ldap 授权用户?或者措辞略有不同:如果人们不在特定的 ldap 组中,是否有办法拒绝他们拉/推?
Edit: Yes, great idea using PAM and/or a hook. Does anyone have experience using git in combination with pam_ldap?
编辑:是的,使用 PAM 和/或钩子的好主意。有没有人有将 git 与 pam_ldap 结合使用的经验?
回答by Lee B
Should work:
应该管用:
Access git repos over SSH using standard logins (nothing unusual here).
Make your git repos have access permissions for a certain group, which particular logins have membership of.
Use pam-ldap to make your standard login system work with LDAP.
使用标准登录通过 SSH 访问 git repos(这里没有什么异常)。
使您的 git repos 具有特定组的访问权限,该组的特定登录名具有成员资格。
使用 pam-ldap 使您的标准登录系统与 LDAP 一起工作。
If there's a more specific way, that JUST checks ldap without affecting the rest of your system? I don't know, but it's probably possible with a pre-commit hook, or something like that.
如果有更具体的方法,只检查 ldap 而不会影响系统的其余部分?我不知道,但使用预提交钩子或类似的东西可能是可能的。
回答by Jakub Nar?bski
You can use updateor pre-receivehookto do additionalaccess control; see update-paranoid(in Perl) from contrib/hooks/for an example (it doesn't uses LDAP, but you can always modify it to use it, using for example DBI via DBD::LDAPto store permission configuration, or Authen::Simple::LDAPdirectly).
您可以使用update或pre-receive钩子来做额外的访问控制;参见update-paranoid(in Perl) from contrib/hooks/for an example(它不使用 LDAP,但您可以随时修改它以使用它,例如通过DBD::LDAP使用 DBI来存储权限配置,或Authen::Simple: :LDAP直接)。
It might be possible to enhance tools such like gitosis(in Python) or gitolite, which are used to access git repositories via SSH without requiring to set up (perhaps limited) separate shell account for each user, to use LDAP for authentication.
可能会增强诸如gitosis(在 Python 中)或gitolite 之类的工具,这些工具用于通过 SSH 访问 git 存储库,而无需为每个用户设置(可能是有限的)单独的 shell 帐户,以使用 LDAP 进行身份验证。
回答by rdarrudas
The straightforward solution I've experienced is the following:
我经历过的直接解决方案如下:
- Setup CentrifyDC Expressto provide you pam-ldap;
- Access your GIT repositories via SSH.
- 设置CentrifyDC Express为您提供 pam-ldap;
- 通过 SSH访问您的GIT 存储库。
Et voilà!
等等!
回答by Eddie
You may want to look into Gitorious with Craig Andrews LDAP plugin.
您可能想使用 Craig Andrews LDAP 插件查看 Gitorious。
Gitorious is a well respected (open source) solution for corporate environments providing web and SSH access to repositories.
Gitorious 是一种备受推崇的(开源)解决方案,适用于提供对存储库的 Web 和 SSH 访问的企业环境。
Craig's additions to the code base make LDAP a source for authorization and authentication.
Craig 对代码库的添加使 LDAP 成为授权和身份验证的来源。
https://gitorious.org/gitorious/mainline/merge_requests/138<-- merge in LDAP support
https://gitorious.org/gitorious/mainline/merge_requests/138<-- 合并 LDAP 支持
Hopefully the code will be merged into the mainline of Gitorious soon so we wont have to patch it ourselves.
希望代码很快就会合并到 Gitorious 的主线中,这样我们就不必自己打补丁了。
回答by Diego
A possible solution is to use git over smart-http. If you use this protocol you can set up your Apache server to authenticate through LDAP, and then have your git transferring data over http.
一个可能的解决方案是在smart-http上使用 git 。如果您使用此协议,您可以将您的Apache 服务器设置为通过 LDAP 进行身份验证,然后让您的 git 通过 http 传输数据。
