[Freeipa-users] FreeIPA gitolite integration

William Muriithi william.muriithi at gmail.com
Sat May 18 04:02:57 UTC 2013


Thanks Martin and Natxo,

Really appreciate it.
> >     Got a question, I know FreeIPA does not allow anonymous binding, so one
> >     needs to create an account to query for such information. I did this during
> >     the sudo setup.
> >
> > unless you have changed it yourself (or stuff has changed in the standard
> > installation since v2.2 when I installed my ipa servers) anonymous binding is
> > allowed. But you cannot query group membership of the users IIRC anonymously.
>
> Correct. To disable anonymous binds, you can check:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/disabling-anon-binds.html
>
Thanks, I opted to add a bind user instead.
> >
> >     I am trying to get git to use FreeIPA today and I am trying to figure out
> >     where the bind user should be created under. This has got to be a system
> >     account, so I am not sure it should go under the normal user dn below. And
> >     even if I created it as a normal user, I am not sure it would have
> >     permission to traverse the tree looking for the group user details
> >
> >     dn: uid=william,cn=users,cn=compat,dc=example,dc=com
> >
> > system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld; but
> > you can create them wherever you like I think. If you create a normal ipa
> > account with the ipa tools, you can always modify the krbPasswordExpiration
> > attribute manually and have it expire in the year 3000 so it does not get
> > disabled until then ;-)

Opted to create it under sysaccounts; that way, it's a bit hidden and
unlikely to be removed accidentally.

I initially tried to query for group information from a system that is not
enrolled in the FreeIPA realm. I was getting a SASL error when the script was
called through gitolite, but the script worked fine when I ran it manually.
Odd.

I enrolled the git server and now that problem seems to have gone away.
Any way to explain what was happening? Just being curious here.
>
> I am currently not familiar with how the git+LDAP works, but you could also add
> a service for it like "git/your.host.with.git at YOUR.REALM", get a keytab for it
> and then let git use it to authenticate to FreeIPA.

Git doesn't have any authentication or authorization facilities; it leaves
that to SSH and Apache to handle.  Gitolite is there to assist with
authorization but doesn't handle authentication.  So one uploads a public key,
which SSH uses for authentication, and then gitolite takes the username
and checks the respective groups one is authorized to use. It's this group
querying that the script above is useful for.
>
> Martin
>
>
William
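The group-lookup script William describes is not included in the thread, so the following is an added example, not code from the thread or from the gitolite or FreeIPA projects. It assumes the bind account lives under cn=sysaccounts,cn=etc as discussed above, a hypothetical realm base DN of dc=example,dc=com, a hypothetical root-only password file at /etc/gitolite/ldap.pw, and gitolite's GROUPLIST_PGM convention (username as the only argument, space-separated group names on stdout). It forces a simple bind with ldapsearch's -x, so the lookup does not depend on a Kerberos ticket cache in the invoking user's environment, escapes the username before placing it in the LDAP filter, and returns no groups on any failure so that a lookup error denies rather than grants access.

```python
"""Hypothetical gitolite GROUPLIST_PGM helper that asks FreeIPA for a user's
groups with a bind account kept under cn=sysaccounts,cn=etc (added example)."""
import base64
import subprocess
import sys

# Constructed assumptions, not values from the thread.
LDAP_URI = "ldap://ipa.example.com"
BASE_DN = "dc=example,dc=com"
BIND_DN = "uid=gitolite,cn=sysaccounts,cn=etc," + BASE_DN   # hypothetical bind user
PASS_FILE = "/etc/gitolite/ldap.pw"                         # hypothetical, mode 0600
USERS_DN = "cn=users,cn=accounts," + BASE_DN
GROUPS_DN = "cn=groups,cn=accounts," + BASE_DN


def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515) so that a
    username containing '*', '(', ')' or '\\' cannot change the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_filter(username):
    """Filter matching FreeIPA groups whose 'member' attribute lists the user's DN."""
    return "(member=uid=%s,%s)" % (escape_filter(username), USERS_DN)


def ldapsearch_argv(username):
    """Command line for the lookup. -x selects a simple bind with the bind account
    rather than SASL, so no Kerberos credentials are needed by the caller; -y reads
    the password from a file so it never appears in the process list."""
    return ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI,
            "-D", BIND_DN, "-y", PASS_FILE,
            "-b", GROUPS_DN, "-s", "one", member_filter(username), "cn"]


def parse_group_names(ldif):
    """Collect the cn values from -LLL ldapsearch output. Handles LDIF line folding
    (a continuation line starts with one space) and base64 values ('cn:: ...')."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    names = []
    for line in unfolded:
        if line.startswith("cn:: "):
            names.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("cn: "):
            names.append(line[4:])
    return names


def lookup_groups(username):
    """Run the search and return the group names; any failure (ldapsearch missing,
    bind error, timeout) yields an empty list, i.e. no authorization."""
    try:
        proc = subprocess.run(ldapsearch_argv(username), capture_output=True,
                              text=True, check=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return []
    return parse_group_names(proc.stdout)


if __name__ == "__main__":
    # gitolite calls GROUPLIST_PGM with the username as the only argument and
    # expects the group names space-separated on stdout.
    if len(sys.argv) != 2:
        sys.exit(2)
    print(" ".join(lookup_groups(sys.argv[1])))
```

Because the script runs as the gitolite user, the password file should be readable only by that user; the bind account itself needs nothing beyond read access to the groups subtree.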