LDAP authorization lands in Gitorious mainline

Gitorious started with a developer scratching his own itch. The first commit was done more than five years ago, and every commit since then has been about developers implementing features we need in a software tool we use all the time.

Gitorious is different from most other Git frontends and collaboration tools out there by being free software. Anyone using Gitorious is free to make changes to Gitorious itself; scratch their own itch. Over the last five years, 65 committers have committed to Gitorious and had their commits merged into the Gitorious mainline repository.

Gitorious is central in the software development process of hundreds of organizations, ranging from the very small to the very large. And as these organizations discover features they need in Gitorious, they are free to implement such features.

A year ago we announced three great new features in Gitorious, sponsored by a company using Gitorious internally. A few months later, we asked for help from the community in implementing support for private repositories in Gitorious, a feature which landed in Gitorious mainline last February.

LDAP Authorization

A few months ago, we were contacted by a company using Gitorious internally. They use LDAP for authentication, and wanted to discuss whether it was possible to use their LDAP server for authorization as well as authentication. They were willing to sponsor the development required to make this happen, and today we’re proud to announce that Gitorious now supports using an LDAP backend for authorization.

This is how it works

Granting access to a group of users in Gitorious is easy: you just define a Team of Gitorious users and grant access to your repositories and projects to that team. For a local Gitorious installation you would typically add Gitorious Teams for developers, QA/testing, project management and operations.

However, most larger organizations already have such groups defined in their LDAP or Active Directory directory, so duplicating this effort seems pointless. Furthermore, updating the Gitorious Teams as people join the company, change jobs or leave the company is a lot of extra work, and a Team that is not kept in sync is exactly how a departed employee keeps commit access.

With LDAP authorization enabled, Gitorious no longer keeps track of which users are part of which teams. As users are added to and removed from LDAP groups, they automatically gain or lose access to any projects and repositories that grant access to those groups. As a project or repository owner you still grant access to teams, but the actual members of those teams are managed by your LDAP directory.

Since Gitorious needs to maintain the relationships between projects/repositories and (LDAP) Teams, you still define Teams in Gitorious – but those teams have LDAP groups as members, not users. With LDAP authorization enabled, each Gitorious Team has one or more LDAP groups as members, and any Gitorious user who is member of any of those LDAP groups will be granted access to anything allowed by that Gitorious Team. Technically, we switch the Team implementation in Gitorious between either database-backed or LDAP-backed teams based on whether LDAP authorization is enabled or not.

A scenario

Let’s say Bill is a new employee at BigCorp Inc., and has never logged into their Gitorious server before. His LDAP username is bill, and he is a member of the developers group in the LDAP directory. That group has commit access to the utilities repository in the tools project on the Gitorious server. Here’s what he needs to do to start committing to that repository:

  • Visit the login page on the server
  • Enter his LDAP username and password in the login form. The Gitorious server will try to authenticate him using the provided credentials. Once this succeeds, a new user record is created in the Gitorious database
  • Bill is prompted to upload an SSH key to the server
  • Bill can start pushing code to the repository

There is no registration step, no groups to update, it all Just Works™.

When is this available?

This feature was merged into the master branch of the Gitorious mainline repository a few days ago. If your organization uses LDAP we encourage you to try it out, and report any issues you find on the Gitorious issue tracker. We’ll release this as part of Gitorious v2.4.0 as soon as any issues have been fixed.

To get started, have a look at the sample authentication.yml file shipping with Gitorious. You’ll probably want to add the following options to config/authentication.yml:

  • bind_user: (username/password): a username/password to use for binding while looking up LDAP groups and memberships. Note: Specifying a bind user/password will cause Gitorious to use authenticated bind, another feature that has been lacking in Gitorious for some time. Use a dedicated directory account that can only read the group and membership attributes, and keep config/authentication.yml readable by the Gitorious user alone, since the bind password is stored there in the clear.
  • membership_attribute_name: the name of the attribute your LDAP server uses to list groups a given user is member of.
  • members_attribute_name: the name of the attribute your LDAP server uses to list users who are member of a group.
  • base_dn: The base DN for users in your LDAP directory
  • group_search_dn: The base DN for groups in your LDAP directory

And in config/gitorious.yml, you’ll need to add:

  • use_ldap_for_authorization: true. The use_ldap_for_authorization option will replace the built-in Team provider with the LDAP Team provider.

Migrating to LDAP authorization

It is currently not recommended to simply turn on this feature on your existing Gitorious server, as the data in your database needs to be updated from the internal Team backend to the LDAP Team backend. However, setting up a new Gitorious server to try this out is easier than ever. Simply creating a database and connecting your Gitorious server to your LDAP server will allow you to start using Gitorious immediately, as user accounts are automatically created on first login.

We will start working on a tool to help you migrate to LDAP authorization, and hope to have this ready by the time we craft a new version of Gitorious supporting this new feature. We’ll be documenting how to use this feature and make it available at the Gitorious documentation site, launching really soon.

One Comment

  1. Dan
    Posted December 2, 2012 at 4:25 pm | Permalink

    Can you post an example of authentication.yml? I edited the sample config according to my infrastructure, but still can’t authenticate against LDAP.
    If I dump traffic destined to my LDAP server while trying to authenticate, nothing is captured.