SCM Hosting - SSH
Configuring Git/SVN/Hg to use Allura auth via LDAP and ssh
The following instructions will use a chroot, a custom FUSE driver, and LDAP. Once completed, an ssh-based configuration of Git, SVN, or Hg that has repos in the chroot directory will authenticate the users against LDAP and authorize via an Allura API. Allura will be configured to authenticate against LDAP as well.
Note
The previous git & svn configuration instructions are not ssh-based, and so will not work with this configuration. You'll have to reconfigure git & svn to use ssh:// instead of the http or svn protocols.
We assume you are using a version of Ubuntu with support for schroot and debootstrap. We will use a chroot jail to allow users to access their repositories via ssh.
Install a chroot environment
These instructions are based on the documentation in Debootstrap Chroot and OpenLDAPServer.
Install debootstrap and schroot:
# apt-get install debootstrap schroot
Append the following text to the file /etc/schroot/schroot.conf:
[scm]
description=Ubuntu Chroot for SCM Hosting
type=directory
directory=/var/chroots/scm
script-config=scm/config
Create a directory /etc/schroot/scm and populate it with some files:
# mkdir /etc/schroot/scm
# cat > /etc/schroot/scm/config <<EOF
FSTAB="/etc/schroot/scm/fstab"
COPYFILES="/etc/schroot/scm/copyfiles"
NSSDATABASES="/etc/schroot/scm/nssdatabases"
EOF
# cat > /etc/schroot/scm/fstab <<EOF
/proc /proc none rw,rbind 0 0
/sys /sys none rw,rbind 0 0
/dev /dev none rw,rbind 0 0
/tmp /tmp none rw,bind 0 0
EOF
# cat > /etc/schroot/scm/copyfiles <<EOF
/etc/resolv.conf
EOF
# cat > /etc/schroot/scm/nssdatabases <<EOF
services
protocols
networks
hosts
EOF
Create a directory /var/chroots/scm and create the bootstrap environment. (You may substitute a mirror from the Ubuntu mirror list for archive.ubuntu.com.)
$ sudo mkdir -p /var/chroots/scm
$ sudo debootstrap --variant=buildd --arch amd64 --components=main,universe --include=git,mercurial,subversion,openssh-server,slapd,ldap-utils,ldap-auth-client,curl maverick /var/chroots/scm http://archive.ubuntu.com/ubuntu/
Test that the chroot is installed by entering it:
# schroot -c scm -u root
(scm) # logout
Configure OpenLDAP in the Chroot
Copy the ldap-setup and ldap-userconfig scripts into the chroot environment:
$ sudo cp Allura/ldap-setup.py Allura/ldap-userconfig.py /var/chroots/scm
$ sudo chmod +x /var/chroots/scm/ldap-*.py
Log in to the chroot environment:
# schroot -c scm -u root
Run the setup script, following the prompts:
(scm) # python /ldap-setup.py
In particular, you will need to answer the following questions (substitute your custom suffix if you are not using dc=localdomain):
Should debconf manage LDAP configuration? yes
LDAP server Uniform Resource Identifier: ldapi:///
Distinguished name of the search base: dc=localdomain
LDAP version to use: 1 (version 3)
Make local root Database admin: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=localdomain
LDAP root account password: empty
Local crypt to use when changing passwords: 2 (crypt)
PAM profiles to enable: 2
Update the chroot ssh configuration
Update the file /var/chroots/scm/etc/ssh/sshd_config, changing the port directive:
# Port 22
Port 8022
Set up the Custom FUSE Driver
Copy the accessfs script into the chroot environment:
$ sudo cp fuse/accessfs.py /var/chroots/scm
Configure Allura to point to the chrooted SCM environment:
$ sudo ln -s /var/chroots/scm /srv/git
$ sudo ln -s /var/chroots/scm /srv/hg
$ sudo ln -s /var/chroots/scm /srv/svn
Log in to the chroot environment & install packages:
# schroot -c scm -u root
(scm) # apt-get install python-fuse
Create the SCM directories:
(scm) # mkdir /scm /scm-repo
Mount the FUSE filesystem:
(scm) # python /accessfs.py /scm-repo -o allow_other -s -o root=/scm
Start the SSH daemon:
(scm) # /etc/init.d/ssh start
Configure Allura to Use the LDAP Server
Set the following values in your .ini file:
auth.method = ldap
auth.ldap.server = ldap://localhost
auth.ldap.suffix = ou=people,dc=localdomain
auth.ldap.admin_dn = cn=admin,dc=localdomain
auth.ldap.admin_password = secret
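As an added check, not part of Allura or of these instructions, the following Python lint reads the .ini values above and reports what a reviewer would flag before deploying: a missing key, the placeholder admin password left in place, plaintext ldap:// to a host other than the local one, or an admin_dn outside the base of the configured suffix. The [app:main] section name, the sample .ini text and the placeholder-password list are assumptions made for this example.

```python
"""Lint the auth.ldap.* settings of an Allura .ini (added example, not Allura code)."""
import configparser

# Constructed sample: the values from the instructions above, placeholder password included.
SAMPLE_INI = """
[app:main]
auth.method = ldap
auth.ldap.server = ldap://localhost
auth.ldap.suffix = ou=people,dc=localdomain
auth.ldap.admin_dn = cn=admin,dc=localdomain
auth.ldap.admin_password = secret
"""

REQUIRED = ("auth.ldap.server", "auth.ldap.suffix",
            "auth.ldap.admin_dn", "auth.ldap.admin_password")
# Assumed list of values that should never reach a real deployment.
PLACEHOLDER_PASSWORDS = {"", "secret", "password", "changeme"}
LOCAL_PREFIXES = ("ldap://localhost", "ldap://127.0.0.1", "ldapi://")


def lint_allura_ldap(ini_text, section="app:main"):
    """Return a list of findings; an empty list means the LDAP block looks sane."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in passwords must not interpolate
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return ["missing section [%s]" % section]
    opts = cp[section]
    if opts.get("auth.method", "").strip() != "ldap":
        return ["auth.method is not 'ldap'; LDAP settings will be ignored"]
    findings = []
    for key in REQUIRED:
        if not opts.get(key, "").strip():
            findings.append("%s is missing or empty" % key)
    server = opts.get("auth.ldap.server", "").strip()
    # Plaintext ldap:// is acceptable only for the local server set up in the chroot.
    if server.startswith("ldap://") and not server.startswith(LOCAL_PREFIXES):
        findings.append("auth.ldap.server uses plaintext ldap:// to a remote host; bind credentials cross the network unencrypted")
    if opts.get("auth.ldap.admin_password", "").strip().lower() in PLACEHOLDER_PASSWORDS:
        findings.append("auth.ldap.admin_password is a placeholder; set the real cn=admin password")
    suffix = opts.get("auth.ldap.suffix", "").strip()
    admin_dn = opts.get("auth.ldap.admin_dn", "").strip()
    base = suffix.split(",", 1)[1] if "," in suffix else suffix  # ou=people,dc=localdomain -> dc=localdomain
    if base and admin_dn and not admin_dn.endswith(base):
        findings.append("auth.ldap.admin_dn is not under the same base as auth.ldap.suffix")
    return findings
```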