<p>"https access" means you can authenticate <a href="https://stackoverflow.com/a/17985744/6309">through LDAP</a>;</p>
<p>That also means you can configure gitolite to <a href="http://gitolite.com/gitolite/auth.html#ldap" rel="nofollow noreferrer">query the ldap group of the user</a>:</p>
<p>Gitolite's groups are pretty convenient, but some organizations already have similar (or sufficient) information in their LDAP store.</p>
<blockquote> <p>Gitolite can tap into that information, with a little help.<br> Write a program which, given a username, queries your LDAP store and <strong>returns a space-separated list of groups that the user is a member of</strong>.<br> Then put the full path to this program in an <code>rc</code> variable called <code>GROUPLIST_PGM</code>, like so:</p> </blockquote>
<pre><code>GROUPLIST_PGM =&gt; '/home/git/bin/ldap-query-groups',
</code></pre>
<blockquote> <p>Now you can use those groupnames in access rules in gitolite, because the user is a member of those groups as well as any normal gitolite groups you may have added him to in the conf file.</p> <p>Caution: your program must do its own logging if you want the audit trail of "why/how did this user get access to this repo at this time?" to resolve properly. Gitolite does not do any logging of the results of the queries because for people who don't need it that would be a huge waste.</p> </blockquote>
<hr>
<p>My own script:</p>
<pre><code>#!/bin/bash
# GROUPLIST_PGM helper: prints the LDAP groups of the gitolite user given in $1,
# caching the result in ${H}/gitolite/ldap/&lt;user&gt; and logging to &lt;user&gt;.log
export H="/path/to/home"
export D=3
aluser="${1}"
if [[ "${aluser}" == "" ]] ; then exit 0 ; fi
afuser="${H}/gitolite/ldap/${aluser}"
afuserl="${afuser}.log"
# Numeric usernames are company accounts: query LDAP once, then reuse the cache
if [[ "${aluser}" =~ ^[0-9]+$ &amp;&amp; ! -e "${afuser}" ]] ; then
  echo "Potential Company user, checking group..." &gt;&gt; "${afuserl}"
  lport="1234"
  if [[ "${lport#@}" == "${lport}" &amp;&amp; ! -e "${afuser}" ]] ; then
    l=$(ldapsearch -H ldaps://ldap.server:1234 -x -D "CN=abcd,OU=Accounts,DC=company" -w xxxx \
        -b "OU=People,DC=company" -s sub -a always -z 1000 "(cn~=${aluser})" "memberof" | grep -i "memberof")
    echo "LDAP='${l}'" &gt;&gt; "${afuserl}"
    if [[ "${l#*CN=}" != "${l}" ]] ; then
      # Extract the CN of every memberOf value into a space-separated list
      names=""
      while read -r line; do
        if [[ "${line#*CN=}" != "${line}" ]] ; then
          aname="${line#*CN=}"
          aname="${aname%%,*}"
          if [[ "${names}" != "" ]] ; then names="${names} " ; fi
          names="${names}${aname}"
        fi
      done &lt;&lt;&lt; "${l}"
      echo "${names}" &gt;&gt; "${afuser}"
    fi
  fi
fi
# Hand the cached group list (if any) to gitolite, and record that we did
if [[ -e "${afuser}" ]]; then
  echo "REMOTE_USER_GROUPS='$(cat "${afuser}")' for user '${aluser}'" &gt;&gt; "${afuserl}"
  cat "${afuser}"
fi
</code></pre>
<p>No need for any more ssh key!</p>
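<p>As an added example (not the answer's script and not part of gitolite), the same <code>GROUPLIST_PGM</code> contract written so that the username is validated before it reaches the LDAP filter and every decision is logged, which the quoted caution requires for the audit trail to resolve. The LDAP URI, bind DN, password file path, <code>(uid=...)</code> filter and log path are assumptions; <code>LDAP_OUTPUT_OVERRIDE</code> and the embedded sample output let it run with no directory server.</p>

```shell
#!/bin/sh
# Hypothetical GROUPLIST_PGM for gitolite (added example; not the answer's script).
# Given a username in $1, print the space-separated group list gitolite expects
# and write an audit line for every decision (gitolite itself logs nothing here).

LOG="${GROUPLIST_LOG:-${TMPDIR:-/tmp}/gitolite-grouplist.log}"   # assumed path

# Constructed sample of `ldapsearch -LLL ... memberOf` output for one user
SAMPLE_LDAP_OUTPUT='dn: uid=jdoe,OU=People,DC=company
memberOf: CN=git-devs,OU=Groups,DC=company
memberOf: CN=release-managers,OU=Groups,DC=company
memberOf: CN=all-staff,OU=Groups,DC=company'

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# Only plain account names may be interpolated into the LDAP filter; anything
# else is rejected so the caller cannot change the shape of the query.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reduce memberOf lines to the CN of each group, as one space-separated line.
groups_from_memberof() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "memberof:" {
            v = $0; sub(/^[^:]*: */, "", v)                 # drop the attribute name
            sub(/^[Cc][Nn]=/, "", v); sub(/,.*$/, "", v)    # keep only the CN value
            out = (out == "" ? v : out " " v)
        }
        END { print out }'
}

# Entry point. With LDAP_OUTPUT_OVERRIDE set, ldapsearch is not invoked.
list_groups() {
    user="$1"
    if ! valid_username "$user"; then
        log "user='$user' rejected: invalid characters"
        return 1
    fi
    raw="${LDAP_OUTPUT_OVERRIDE:-$(ldapsearch -LLL -x -H "${LDAP_URI:-ldaps://ldap.server}" \
        -D "${LDAP_BINDDN:-CN=abcd,OU=Accounts,DC=company}" -y "${LDAP_PASSFILE:-/home/git/.ldappass}" \
        -b "OU=People,DC=company" "(uid=$user)" memberOf)}"
    groups=$(groups_from_memberof "$raw")
    log "user='$user' groups='$groups'"
    printf '%s\n' "$groups"
}

if [ -n "${1:-}" ]; then list_groups "$1"; fi
```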