I recently set up gitolite, where users access git repositories through the "gitolite" user over ssh.
Now I would like to integrate that with LDAP. Each user has a pubkey in LDAP, and if he has the "git" objectClass, he would be able to access the "gitolite" user through ssh.
I know it's possible to store public keys in LDAP; I'm not sure if it is possible to allow authentication to the "gitosis" account based on objectClass.
EDIT: To clarify, with objectClass git, user "foobar" would be able to log in as "gitolite" through ssh.
Best Answer
The author of gitolite has added some features that help support external key stores and group membership information. Search the CHANGELOG for LDAP.
To use an external key store your sshd needs to support the usual .ssh/authorized_keys file (this is the file that tells sshd to run gl-auth-command when a gitolite user logs in). […] keydir in the gitolite-admin repository): $GL_NO_SETUP_AUTHKEYS = 0; in your .gitolite.rc […] keydir […]). authorized_keys file. See the commit message that introduced gl-setup-authkeys for the author’s own description.
Using externally defined user groups is a bit trickier since it usually involves interposing another program between sshd and gl-auth-command (the group memberships are passed as extra arguments to gl-auth-command). See “usergroups and LDAP/similar tools”.
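Putting the two mechanisms from this answer together, as an added example rather than code from the question, the answer or gitolite itself: the script below reads an LDAP export, keeps only entries that carry objectClass git, and writes gitolite-style forced-command lines for sshd's authorized_keys file; the same file, run with a username as its only argument, acts as the interposed program and execs gl-auth-command with the user's LDAP group names as extra arguments. The install paths, the wrapper name ldap-auth-wrapper, the inline LDIF and the groupOfNames-based membership lookup are all assumptions made for illustration; a deployment would read a fresh ldapsearch export or query the directory instead.

```python
"""Added example, not gitolite's own code: build gitolite's authorized_keys from an LDAP
export (objectClass "git" entries only), plus the argv a wrapper sitting between sshd and
gl-auth-command would exec so LDAP group names reach gl-auth-command as extra arguments."""
import base64
import os
import re
import sys

GL_AUTH_COMMAND = "/home/gitolite/bin/gl-auth-command"  # assumed gitolite install path
WRAPPER = "/home/gitolite/bin/ldap-auth-wrapper"         # hypothetical: this file in wrapper mode
SSH_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"  # as gitolite writes
# Constructed sample export (ldapsearch -LLL style): foobar has objectClass git and a
# folded key line, alice lacks the class, devs is a group both belong to.
SAMPLE_LDIF = """\
dn: uid=foobar,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: git
uid: foobar
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7exa
 mplekeydata== foobar@example.com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlicekeydataExample alice@example.com

dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: devs
member: uid=foobar,ou=people,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
"""
# uids and group names land inside command="..." or in argv: whitelist them, never quote.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")
KEY_RE = re.compile(r'^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/]+=*)(?: [^\s"]+)?$')


def parse_ldif(text):
    """Minimal LDIF reader: one dict per record, attr (lowercased) -> [values]; unfolds
    continuation lines and decodes base64 ("::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def has_class(entry, name):
    return name.lower() in {c.lower() for c in entry.get("objectclass", [])}


def git_users(entries):
    """uid -> (dn, ["type blob" keys]) for entries with objectClass git; the free-form key
    comment is dropped so nothing unvalidated reaches the file."""
    users = {}
    for entry in entries:
        if not has_class(entry, "git"):
            continue
        uid = entry.get("uid", [""])[0]
        if not NAME_RE.match(uid):
            print(f"skipping {entry['dn'][0]}: unsafe uid {uid!r}", file=sys.stderr)
            continue
        keys = [KEY_RE.match(k.strip()) for k in entry.get("sshpublickey", [])]
        users[uid] = (entry["dn"][0], [f"{m.group(1)} {m.group(2)}" for m in keys if m])
    return users


def groups_for(entries, dn):
    """Names of groupOfNames entries listing dn as a member."""
    names = {cn for e in entries if has_class(e, "groupOfNames") and dn in e.get("member", [])
             for cn in e.get("cn", [])}
    return sorted(n for n in names if NAME_RE.match(n))


def authorized_keys_lines(entries, command=WRAPPER):
    """One forced-command line per key; the uid after `command` is the identity gitolite
    will trust, hence the whitelist above."""
    return [f'command="{command} {uid}",{SSH_OPTIONS} {key}'
            for uid, (_dn, keys) in sorted(git_users(entries).items()) for key in keys]


def wrapper_argv(entries, uid, auth_command=GL_AUTH_COMMAND):
    """argv the wrapper execs at login: gl-auth-command USER GROUP...  A user whose git
    objectClass was removed after the file was written is refused here."""
    users = git_users(entries)
    if uid not in users:
        raise PermissionError(f"{uid} no longer has objectClass git")
    return [auth_command, uid, *groups_for(entries, users[uid][0])]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)  # a deployment would read a fresh ldapsearch export
    if len(sys.argv) == 2:             # wrapper mode: sshd ran us as the forced command
        os.execv(GL_AUTH_COMMAND, wrapper_argv(entries, sys.argv[1]))  # env, so SSH_ORIGINAL_COMMAND, is inherited
    print("\n".join(authorized_keys_lines(entries)))
```

Run it with no arguments to regenerate ~gitolite/.ssh/authorized_keys whenever the directory changes, after telling gitolite not to rewrite that file itself (the $GL_NO_SETUP_AUTHKEYS setting the answer refers to). At login sshd runs the wrapper with the uid that was baked into the key line, so the membership lookup happens at login time and a user who has since lost objectClass git is refused even when the file is stale; the uid and group names are whitelisted rather than quoted because they end up inside the command="..." option and in argv, where a stray double quote from the directory would change what sshd executes.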