Total Pageviews

Saturday, 24 October 2020

LDAP authentication for Gitolite

 On my server I have an LDAP directory where all the users are stored. To use this for user authentication for GIT using Gitolite you will need 3 things…

First – Getting usergroup information from LDAP

The first source you should bounce in when trying to do this is . There you can read that you will need a script and setting 2 properties in .gitolite.rc:

  • $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
  • $GL_BIG_CONFIG = 1;

The script is, as you can see, in out case located at: /usr/local/bin/expand-ldap-user-to-groups. It accepts one parameter and that is the user name. It searches the LDAP directory for the user’s primary group and all secondary groups. The result will be returned as a space separated list of group names. The script:

#!/bin/bash

USER=$1
GID=""
groups=""

BIND_DN="cn=admin,dc=poterion,dc=com"
BIND_PW="*****"

USERS_DN="ou=users,dc=poterion,dc=com"
GROUPS_DN="ou=groups,dc=poterion,dc=com"

LOGIN_KEY="uid"
GID_KEY="gidNumber"
GROUP_KEY="cn"
MEMBER_KEY="memberUid"

IFS="
"

currentLogin=""
currentGID=""
for line in `ldapsearch -h localhost -s one -D "${BIND_DN}" -w ${BIND_PW} -b ${USERS_DN} ${LOGIN_KEY} ${GID_KEY}`; do
        if [ "${line:0:1}" = "#" ]; then
                if [ ! -z $currentLogin ]; then
                        if [ "${currentLogin}" = "${USER}" ]; then
                                GID=$currentGID
                        fi
                        currentLogin=""
                        currentGID=""
                fi
        fi

        if [ "${line:0:${#LOGIN_KEY}}: " = "${LOGIN_KEY}: " ]; then
                currentLogin=`echo ${line} | cut -d":" -f2`
                currentLogin=${currentLogin:1}
        elif [ "${line:0:${#GID_KEY}}: " = "${GID_KEY}: " ]; then
                currentGID=`echo ${line} | cut -d":" -f2`
                currentGID=${currentGID:1}
        fi
done

currentGroup=""
currentMembers=""
currentGID=""
for line in `ldapsearch -h localhost -D "${BIND_DN}" -w ${BIND_PW} -b ${GROUPS_DN} ${GROUP_KEY} ${MEMBER_KEY} ${GID_KEY}`; do
        if [ "${line:0:1}" = "#" ]; then
                if [ ! -z $currentGroup ]; then
                        IFS=" "
                        for user in $currentMembers; do
                                if [ "${user}" = "${USER}" ]; then
                                        groups="${groups} ${currentGroup}"
                                        currentGID=""
                                fi
                        done
                        if [ "${currentGID}" = "${GID}" ]; then
                                groups="${groups} ${currentGroup}"
                        fi
                        currentGroup=""
                        currentMembers=""
                        currentGID=""
                fi
        fi

        if [ "${line:0:${#GROUP_KEY}}: " = "${GROUP_KEY}: " ]; then
                currentGroup=`echo ${line} | cut -d":" -f2`
                currentGroup=${currentGroup:1}
        elif [ "${line:0:${#MEMBER_KEY}}: " = "${MEMBER_KEY}: " ]; then
                user=`echo ${line} | cut -d":" -f2`
                user=${user:1}
                currentMembers="${currentMembers} ${user}"
        elif [ "${line:0:${#GID_KEY}}: " = "${GID_KEY}: " ]; then
                currentGID=`echo ${line} | cut -d":" -f2`
                currentGID=${currentGID:1}
        fi
        IFS="
"
done

if [ ! -z "${groups}" ]; then
        echo ${groups:1}
fi

Second – Password authentication with gitolite

You need to authenticate using a public key with Gitolite. This is neccessary since gitolite uses only one system user. Another option is to create each user on the system and hook the authentication as described in Enabling git access via password authentication with gitolite. The only difference in my script was adding an extra check for “virt-shell” group. This allows me to have a user who is able to use GIT via SSH but is not able to login to the shell controlled just by his membership in “virt-shell”. The resulting script is stored in /usr/bin/bash which should be also a shell in passwd for every user in the system.

#!/bin/bash
shift # get rid of -c

# if no commands, just open a shell
if [[ $# -eq 0 ]]; then
        if groups 2> /dev/null | grep -Eq ' host-diderma ' && groups 2> /dev/null | grep -Eq ' virt-shell ' ; then
                /bin/bash -l
        else
                echo "Error: Not member of host-diderma or virt-shell groups." >&2
        fi;

# if the first arg is a git- command, that means it is something like git-push, etc... so forward it
elif [[ $1 == git-* ]]; then
        ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@localhost $*

# if the first arg is SET_ENV_ONLY, we sourced this file in order to set up the gitolite function
elif [[ $1 == "SET_ENV_ONLY" ]]; then
        gitolite () {
                ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@localhost $*
        }

# if there is at least one non-git command, source this file in a new shell and create the 'gitolite' function
else
        /bin/bashplain -c "source $0 shiftme SET_ENV_ONLY; $*"
fi

Thirds

Last thing todo is to be able to add new user to Gitolite just by addind them to the LDAP directory. This can be accomplished using pam_script. I added a /var/lib/pam/scripts/onsessionopen/create-gitolite-user.sh:

#!/bin/bash

USERID=$1
GROUPID=$(getent group `getent passwd verena.geist | cut -d":" -f4` | cut -d":" -f1)
HOMEDIR=`getent passwd $USERID | cut -d":" -f6`
REPOS="/srv/git/repositories/"
REPO="gitolite-admin"
MACHINE="poterion-com"

if [ ! -f ${HOMEDIR}/.ssh/id_rsa.pub ]; then
        rm -rf ${HOMEDIR}/.ssh/id_rsa
        ssh-keygen -t rsa -N "" -f ${HOMEDIR}/.ssh/id_rsa
        chown ${USERID} ${HOMEDIR}/.ssh/id_rsa
        chgrp ${GROUPID} ${HOMEDIR}/.ssh/id_rsa
        chown ${USERID} ${HOMEDIR}/.ssh/id_rsa.pub
        chgrp ${GROUPID} ${HOMEDIR}/.ssh/id_rsa.pub
fi

CURDIR=`pwd`
cd /tmp
git clone ${REPOS}${REPO}.git ${REPO}
cd ${REPO}
KEY=keydir/${USERID}@${MACHINE}.pub

if [[ ! -f ${KEY} || -n `diff ${KEY} ${HOMEDIR}/.ssh/id_rsa.pub` ]]; then
       cp ${HOMEDIR}/.ssh/id_rsa.pub ${KEY};read
       git add -A;read
       git commit --author='PAM Script ' -m "Add/Update user ${USERID}.";read
       git push
fi

cd ..
rm -rf ${REPO}
cd $CURDIR

As soon as the user’s session is opened a ssh-key will be generated for him and added to Gitolite.

from https://blog.kubovy.eu/2012/11/14/ldap-authentication-gitolite/

No comments:

Post a Comment