git-http-backend和ldap身份验证,推送错误:请求的URL返回错误:401需要授权

时间:2014-12-11 14:43:06

标签: git apache authentication ldap


我的设置:

操作系统:debian
git v 1.7.10
apache(启用suexec模式)配置git-http-backend和ldap授权git repos wchich适用于克隆操作,但不适用于push,这就是问题。我使用https作为我的git服务器的通信协议。
这是我的配置:

VirtualHost配置: 

<IfModule mod_ssl.c>
<VirtualHost _default_:443>

    DocumentRoot /git/myrepos

    <Directory "/git/myrepos">
    Allow from All
    Options +ExecCGI
    AllowOverride All
    </Directory>

ScriptAlias /git /git/myrepos/bin/suexec-wrapper.sh
SSLEngine on
SSLCertificateFile    /etc/ssl/git.crt
SSLCertificateKeyFile /etc/ssl/git.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>


/git/myrepos/bin/suexec-wrapper.sh: 

#!/bin/bash
PATH_INFO=$SCRIPT_URL
GIT_PROJECT_ROOT=/git/myrepos
REMOTE_USER=$REDIRECT_REMOTE_USER
export GIT_HTTP_EXPORT_ALL=true
/usr/lib/git-core/git-http-backend


克隆回购按预期工作(例如git clone https://192.168.0.1/repo1.git):它接受ldap用户的凭据并克隆回购。
当推送回购时(例如git push origin master):它要求提供凭据,接受它们然后抛出错误:

error: Cannot access URL https://192.168.0.1/repo1.git/, return code 22
fatal: git-http-push failed


当以详细模式(GIT_CURL_VERBOSE=1 git push origin master)运行推送时,它会要求提供凭据,接受它们和(输出尾部):

* STATE: DO => DO_DONE handle 0x1cdd270; (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x1cdd270; (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x1cdd270; (connection #0)
* additional stuff not fine transfer.c:1037: 0 0
* The requested URL returned error: 401
* Closing connection #0
* Expire cleared
error: Cannot access URL https://192.168.0.1/repo1.git/, return code 22
fatal: git-http-push failed

我是否正确配置apache git-http-backend(带有包装脚本?)? 推动操作会导致什么问题? 如何更详细的调试方式?
任何建议非常感谢!
亲切的问候

1 个答案:

答案 0 :(得分:1)

经过多次尝试,我找到了解决办法:) 问题在于git-http-backend的VirtualHost配置不正确 这是我的工作配置:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>

        DocumentRoot /git/myrepos

        SetEnv GIT_PROJECT_ROOT /git/myrepos
        SetEnv GIT_HTTP_EXPORT_ALL
        ScriptAlias /myrepos/ /usr/lib/git-core/git-http-backend
        AliasMatch ^/myrepos/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /git/myrepos/$1
        AliasMatch ^/repos/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /git/myrepos/$1

        ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}\.(pack|idx)) | git-(upload|receive)-pack))$" /usr/lib/git-core/git-http-backend/$1

        <Directory "/usr/lib/git-core/">
        Options +ExecCGI
        Allow From All
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile    /etc/ssl/git.crt
        SSLCertificateKeyFile /etc/ssl/git.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


<Location /repo1.git>
Order deny,allow
Deny from all
Allow from all
AuthName "GIT Authentication"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN domain\user
AuthLDAPBindPassword passwd
AuthLDAPURL ldap://ldap.server:389/ou=git,DC=domain?sAMAccountName
Require ldap-group cn=git_repo1,ou=git,dc=domain
</Location>

</VirtualHost>
</IfModule>


现在所有git操作都可以通过https与gd-http-backend使用ldap授权正常运行:)可能对某人有用。

相关问题
最新问题