Igor Olemskoy: practical notes on CentOS Linux system administration

Tag archive: 'Web Server'

How to setup Git http authentication using LDAP in Apache (reprint)

In an earlier article I described setting up a git server with gitolite, gitweb, ssh and http auth using a passwd file. As an extension of that article, here I describe how to authenticate against LDAP instead, so that authentication is seamless and no manual work is needed to manage access when you already have LDAP for authenticating users.

Before changing the config, confirm that the ldap and authnz_ldap modules are loaded in Apache. You can check this with the httpd -M command; the following should appear in the output:

$ httpd -M
..
 ldap_module (shared)
 authnz_ldap_module (shared)
..

If they are not listed, install the modules and make sure they are loaded in your Apache config (usually /etc/httpd/conf/httpd.conf) like this:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

With these modules in place, remove or comment out the following lines in the git config file /etc/httpd/conf.d/git.conf:

<Location />
    AuthType Basic
    AuthName "Private Git Access"
    Require valid-user
    AuthUserFile /var/www/gitweb/passfile
</Location>

After removing or commenting out those lines, put these lines in the file:

<Location "/">
    AuthType Basic
    AuthName "Git Authentication"
    # authenticate against LDAP instead of the AuthUserFile
    AuthBasicProvider ldap
    # Apache 2.2 only: lets mod_authz_user satisfy "Require valid-user"; remove on 2.4
    AuthzLDAPAuthoritative off
    # scheme://host:port/base DN?login attribute?scope?filter (Active Directory: sAMAccountName)
    AuthLDAPURL "ldap://<my ad server>:389/ou=xx,dc=xx,dc=xx,dc=com?sAMAccountName?sub?(objectClass=user)"
    # read-only service account Apache binds as to search for the logging-in user
    AuthLDAPBindDN <user>@<mydomain>
    AuthLDAPBindPassword <user password>
    Require valid-user
</Location>

Here make sure to supply the correct LDAP URL and the credentials of one account that Apache can bind as to look up users in LDAP; a dedicated read-only service account is enough. Since AuthLDAPBindPassword is stored in clear in git.conf, keep that file root-owned and readable by root only. Note also that HTTP Basic auth sends the user's password base64-encoded, not encrypted, so serve the repository over HTTPS, and use ldaps:// (or set LDAPTrustedMode TLS at server level) so that neither the bind password nor the user's password crosses the network to the directory in clear. You also need to update gitolite.conf to authorize the LDAP user names for the git repositories.

Check the syntax with httpd -t, then reload Apache to apply the new settings; you should now be able to access the Git repository over http with an LDAP user.

Common issues:
If authentication is not working, put "LogLevel debug" in your Apache VirtualHost and check the Apache error log (remove it again afterwards, since debug logging records user names and directory queries). If you see the following error:

[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(454): [client xx.xx.xx.xx] [25749] auth_ldap authenticate: accepting user.name
[Wed Apr 18 15:02:13 2012] [debug] mod_authnz_ldap.c(821): [client xx.xx.xx.xx] [25749] auth_ldap authorise: declining to authorise

then make sure the AuthzLDAPAuthoritative off entry is in the Apache git config file (it is already in the block above, in case you missed it). With it off, when mod_authnz_ldap declines (the log line above), the request falls through to mod_authz_user, which satisfies Require valid-user for any user that has successfully authenticated against LDAP, so no unauthenticated access is opened. The directive exists only in Apache 2.2; it was removed in 2.4 and must be dropped there, or httpd will refuse to start on the unknown directive.

If you see "[User Not Found]" in the error log, check the user name again and make sure the user exists under the base DN (OU) and matches the filter given in the LDAP URL.
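The AuthLDAPURL above is the part that most often goes wrong, both in the configuration step and in the "[User Not Found]" case, because it packs base DN, login attribute, scope and filter into one string. The script below is an added example, not code from the original post or from Apache: it reads an AuthLDAPURL the way mod_authnz_ldap does (including the documented defaults uid, sub and (objectclass=*) for omitted parts), shows the combined filter (&(filter)(attribute=login)) that Apache actually searches with, prints an equivalent OpenLDAP ldapsearch command so the lookup can be reproduced outside httpd, and lints the block for the points raised above. The hostname ad01.example.com, the base DN ou=Users,dc=example,dc=com, the account svc_git@example.com and the password hunter2 are hypothetical values in a constructed copy of the block, not a real deployment.

```python
"""Added example, not code from the original post: read an AuthLDAPURL the way
mod_authnz_ldap does, show the search Apache runs for a login, build an
ldapsearch command that reproduces it, and flag risky settings in the block."""
import re

# Constructed sample: the article's <Location> block with its placeholders
# filled in with made-up values (ad01.example.com, svc_git, hunter2).
SAMPLE_CONF = """\
<Location "/">
    AuthType Basic
    AuthName "Git Authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://ad01.example.com:389/ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN svc_git@example.com
    AuthLDAPBindPassword hunter2
    Require valid-user
</Location>
"""

# Defaults mod_authnz_ldap applies when a URL component is omitted.
DEFAULT_ATTRIBUTE, DEFAULT_SCOPE, DEFAULT_FILTER = "uid", "sub", "(objectclass=*)"
URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?/(?P<rest>.*)$", re.I)


def parse_directives(conf):
    """{directive: value} for the config text; quotes stripped, last value wins."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and line[0] not in "<#":
            name, _, value = line.partition(" ")
            out[name] = value.strip().strip('"')
    return out


def parse_authldapurl(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its parts."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not an AuthLDAPURL: %r" % url)
    parts = m.group("rest").split("?", 3)
    basedn, attribute, scope, flt = parts + [""] * (4 - len(parts))
    scheme = m.group("scheme").lower()
    return {"scheme": scheme, "host": m.group("host"),
            "port": int(m.group("port") or (636 if scheme == "ldaps" else 389)),
            "basedn": basedn, "attribute": attribute or DEFAULT_ATTRIBUTE,
            "scope": (scope or DEFAULT_SCOPE).lower(), "filter": flt or DEFAULT_FILTER}


def escape_filter_value(value):
    """RFC 4515 escaping of filter metacharacters. mod_authnz_ldap escapes the login
    name itself; without that, a login like 'x)(objectClass=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def effective_filter(parsed, username):
    """The search mod_authnz_ldap actually runs: (&(filter)(attribute=login))."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"], escape_filter_value(username))


def ldapsearch_command(parsed, bind_dn, username):
    """OpenLDAP ldapsearch equivalent of Apache's lookup, to reproduce '[User Not Found]'
    outside httpd. -W prompts for the bind password instead of exposing it in argv."""
    return ("ldapsearch -x -H %s://%s:%d -D \"%s\" -W -b \"%s\" -s %s '%s' dn"
            % (parsed["scheme"], parsed["host"], parsed["port"], bind_dn,
               parsed["basedn"], parsed["scope"], effective_filter(parsed, username)))


def lint(conf):
    """Findings a reviewer would raise about the block; empty list if none."""
    d = parse_directives(conf)
    findings = []
    if "AuthUserFile" in d and d.get("AuthBasicProvider") == "ldap":
        findings.append("AuthUserFile is still present: the old passfile block was not removed")
    if "AuthLDAPURL" in d:
        p = parse_authldapurl(d["AuthLDAPURL"])
        # LDAPTrustedMode is set at server/virtual-host level, so search the whole text.
        tls = re.search(r"^\s*LDAPTrustedMode\s+(TLS|SSL)\b", conf, re.I | re.M)
        if p["scheme"] == "ldap" and not tls:
            findings.append("plain ldap:// without LDAPTrustedMode TLS: bind and user "
                            "passwords cross the network to the directory in clear")
    if "AuthLDAPBindPassword" in d:
        findings.append("AuthLDAPBindPassword is stored in clear: keep git.conf root-owned, mode 0600")
    if "AuthzLDAPAuthoritative" in d:
        findings.append("AuthzLDAPAuthoritative exists only in Apache 2.2; drop it on 2.4")
    return findings


if __name__ == "__main__":
    d = parse_directives(SAMPLE_CONF)
    p = parse_authldapurl(d["AuthLDAPURL"])
    print("filter Apache sends for user.name:", effective_filter(p, "user.name"))
    print(ldapsearch_command(p, d["AuthLDAPBindDN"], "user.name"))
    for finding in lint(SAMPLE_CONF):
        print("finding:", finding)
```

Run it as-is to see the filter and the ldapsearch line for the sample, or pass the text of your own git.conf to lint() and the real AuthLDAPURL to parse_authldapurl(). Running the printed ldapsearch command with the bind account is the quickest way to tell whether "[User Not Found]" comes from a wrong base DN, a wrong login attribute (uid instead of sAMAccountName on Active Directory), a filter the account does not match, or a bind account that lacks read rights on the OU: the same search that returns no entry there returns none for Apache either.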

Related articles:
* Quickly setup Git server with gitolite, gitweb, ssh and http auth
* Configure password based subversion access via http
* Download, install and configure ViewVC for Subversion

Dynamically manage Apache virtualhosts in Linux (reprint)

This is the second part of an article describing how to dynamically manage Apache virtual hosts. You can read the first article here. In the earlier article I mentioned using a PHP script to dynamically create/remove virtualhost entries in the Apache (httpd) config file and then reload it using cron. Here I describe how to manage DNS to [...]

Disable weak ssl ciphers in lighttpd in Linux (reprint)

To tighten security, or again to pass a PCI test, you can disable weak SSL ciphers. Let's do it on a host running the lighttpd web server on CentOS Linux. Normally you get a message like this for this issue: Synopsis: The remote service supports the use of medium strength SSL ciphers. Description: The remote host [...]

Upgrade apache/httpd to 2.2.17 in CentOS Linux (reprint)

This is again a short post for people lazy enough not to compile and always looking for a quick way to upgrade/install software. The machine runs CentOS 5.2 and httpd 2.2.8. We are looking to upgrade httpd to 2.2.17 to pass PCI compliance. While I assured that the current Apache has all security upgrades [...]

Download, compile, install and configure php 5.3.5 in Linux (reprint)

A CentOS 5.2 server had PHP 5.2.4, because of which the PCI compliance test failed. We were required to upgrade PHP to the latest stable version. At the time of writing, 5.3.5 was the latest stable release of PHP. Described here are the steps taken to download and install PHP 5.3.5. Step 1. Check existing PHP [...]

Disable ssl ver 2 in apache for pci compliance (reprint)

You need to disable SSL version 2 and enable SSL version 3 in Apache for PCI compliance. It's very easy to do. The following settings enable SSL version 3 and also disable older/insecure cipher suites on a Redhat/CentOS/Fedora Linux server (note that SSL 3 has itself since been deprecated as insecure, RFC 7568, and current PCI DSS requirements mean a present-day deployment should allow only TLS 1.2 or later):
1. Open /etc/httpd/conf.d/ssl.conf and add these lines, or if they are already there, edit them as follows:

## Disable [...]

Detect directory or file changes in *nix (reprint)

There are various ways to do this, but this is what I implemented. It is working as expected as of now on my RHEL 5.x boxes. I'll take my use case here and describe things.
The Plesk web hosting control panel manages several hundred domains on one of the RHEL boxes. Addition and removal of domains is [...]