Active Directory LDAP authentication Git Windows Server 2008

Question

I'm trying to setup git through apache on a windows server. I'm using msysgit version 1.7.7.1-preview20111027. I've gotten most of it working but pushing over http and authenticating through Active Directory is an issue.

Here's my httpd.conf:

&ltDirectory />
&nbsp&nbsp&nbsp&nbspAllow from All
&lt/Directory>

&ltDirectory C:/GitRepos>
&nbsp&nbsp&nbsp&nbspAuthName "Git Repositories"
&nbsp&nbsp&nbsp&nbspAuthType Basic
&nbsp&nbsp&nbsp&nbspAuthBasicProvider ldap
&nbsp&nbsp&nbsp&nbspAuthzLDAPAuthoritative on
&nbsp&nbsp&nbsp&nbspAuthLDAPUrl ldap://server/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)
&nbsp&nbsp&nbsp&nbspAuthLDAPBindDN "CN=User,OU=someunit,DC=domain,DC=com"
&nbsp&nbsp&nbsp&nbspAuthLDAPBindPassword password
&nbsp&nbsp&nbsp&nbspAuthLDAPGroupAttributeIsDN off
&nbsp&nbsp&nbsp&nbspAuthLDAPGroupAttribute member
&nbsp&nbsp&nbsp&nbspRequire ldap-group CN=ADGroup,OU=unit1,OU=unit2,DC=domain,DC=com
&nbsp&nbsp&nbsp&nbspSatisfy any
&lt/Directory>

SetEnv GIT_PROJECT_ROOT C:/GitRepos
SetEnv GIT_HTTP_EXPORT_ALL
# SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAliasMatch \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp"(?x)^/(.*/(HEAD | \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbspinfo/refs | \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbspobjects/(info/[^/]+ | \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp[0-9a-f]{2}/[0-9a-f]{38} | \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsppack/pack-[0-9a-f]{40}\.(pack|idx)) | \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbspgit-(upload|receive)-pack))$" \
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp"C:/Program Files (x86)/git/libexec/git-core/git-http-backend.exe/$1"

&ltLocationMatch "^/.*/git-receive-pack$">
&nbsp&nbsp&nbsp&nbspAuthName "Git Repositories"
&nbsp&nbsp&nbsp&nbspAuthType Basic
&nbsp&nbsp&nbsp&nbspAuthBasicProvider ldap
&nbsp&nbsp&nbsp&nbspAuthzLDAPAuthoritative on
&nbsp&nbsp&nbsp&nbspAuthLDAPUrl ldap://server/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)
&nbsp&nbsp&nbsp&nbspAuthLDAPBindDN "CN=User,OU=someunit,DC=domain,DC=com"
&nbsp&nbsp&nbsp&nbspAuthLDAPBindPassword password
&nbsp&nbsp&nbsp&nbspAuthLDAPGroupAttributeIsDN off
&nbsp&nbsp&nbsp&nbspAuthLDAPGroupAttribute member
&nbsp&nbsp&nbsp&nbspRequire ldap-group CN=ADGroup,OU=unit1,OU=unit1,DC=domain,DC=com
&nbsp&nbsp&nbsp&nbspSatisfy any
&lt/LocationMatch>

If I uncomment:

# SetEnv REMOTE_USER $REDIRECT_REMOTE_USER

I can push over http, but a user can type anything in for a password and the ldap authorization doesn't limit the repositories to just the one Active Directory group.

Are my settings incorrect?

Answer 1

Perhaps this earlier thread may help: Is there a way to use Windows Authentication (Active Directory) for a Git server?

It doesn't answer your exact question but may provide other avenues for using AD authentication.

Answer 2

I have succesfully made it over https, but its best working with ssh.

anyway I have some articles on russian:

• how to configure ssh with AD and to use with git: http://habrahabr.ru/post/130187/
• how to make https auth with AD. But I configured it to svn and its quite simple to make it with git: http://habrahabr.ru/post/73403/