

SCM Hosting-SSH

Configuring Git/SVN/Hg to use Allura auth via LDAP and ssh

The following instructions will use a chroot, a custom FUSE driver, and LDAP. Once completed, an ssh-based configuration of Git, SVN, or Hg that has repos in the chroot directory will authenticate the users against LDAP and authorize via an Allura API. Allura will be configured to authenticate against LDAP as well.


The earlier Git and SVN configuration instructions are not ssh-based, so they will not work with this configuration. You will have to reconfigure Git and SVN to use ssh:// URLs instead of the http or svn protocols.

We assume you are using a version of Ubuntu with support for schroot and debootstrap. We will use a chroot jail to allow users to access their repositories via ssh.

Install a chroot environment

These instructions are based on the documentation in Debootstrap Chroot and OpenLDAPServer.

Install debootstrap and schroot: :program:`apt-get install debootstrap schroot`

Append the following text to the file :file:`/etc/schroot/schroot.conf`

description=Ubuntu Chroot for SCM Hosting

Create a directory :file:`/etc/schroot/scm` and populate it with some files:

# mkdir /etc/schroot/scm
# cat > /etc/schroot/scm/config <<EOF
# cat > /etc/schroot/scm/fstab <<EOF
/proc               /proc           none    rw,rbind        0       0
/sys                /sys            none    rw,rbind        0       0
/dev                /dev            none    rw,rbind        0       0
/tmp                /tmp            none    rw,bind         0       0
# cat > /etc/schroot/scm/copyfiles <<EOF
# cat > /etc/schroot/scm/nssdatabases <<EOF

Create a directory :file:`/var/chroots/scm` and create the bootstrap environment. (You may substitute a mirror from the ubuntu mirror list for archive.ubuntu.com)

$ sudo mkdir -p /var/chroots/scm
$ sudo debootstrap --variant=buildd --arch amd64 --components=main,universe --include=git,mercurial,subversion,openssh-server,slapd,ldap-utils,ldap-auth-client,curl maverick /var/chroots/scm http://archive.ubuntu.com/ubuntu/

Test that the chroot is installed by entering it:

# schroot -c scm -u root
(scm) # logout

Configure OpenLDAP in the Chroot

Copy the ldap-setup and ldap-userconfig scripts into the chroot environment:

$ sudo cp Allura/ldap-setup.py Allura/ldap-userconfig.py /var/chroots/scm
$ sudo chmod +x /var/chroots/scm/ldap-*.py

Log in to the chroot environment:

# schroot -c scm -u root

Run the setup script, following the prompts:

(scm) # python /ldap-setup.py

In particular, you will need to answer the following questions (substitute your custom suffix if you are not using dc=localdomain):

  • Should debconf manage LDAP configuration? yes
  • LDAP server Uniform Resource Identifier: ldapi:///
  • Distinguished name of the search base: dc=localdomain
  • LDAP version to use: 1 (version 3)
  • Make local root Database admin: yes
  • Does the LDAP database require login? no
  • LDAP account for root: cn=admin,dc=localdomain
  • LDAP root account password: empty
  • Local crypt to use when changing passwords: 2 (crypt)
  • PAM profiles to enable: 2

Update the chroot ssh configuration

Update the file :file:`/var/chroots/scm/etc/ssh/sshd_config`, changing the port directive so that the sshd started inside the chroot does not collide with the host's sshd (the chroot shares the host's network stack):

Setup the Custom FUSE Driver

Copy the accessfs script into the chroot environment:

$ sudo cp fuse/accessfs.py /var/chroots/scm

Configure Allura to point to the chrooted SCM environment:

$ sudo ln -s /var/chroots/scm /srv/git
$ sudo ln -s /var/chroots/scm /srv/hg
$ sudo ln -s /var/chroots/scm /srv/svn

Log in to the chroot environment & install packages:

# schroot -c scm -u root
(scm) # apt-get install python-fuse

Create the SCM directories:

(scm) # mkdir /scm /scm-repo

Mount the FUSE filesystem:

(scm) # python /accessfs.py /scm-repo -o allow_other -s -o root=/scm

Start the SSH daemon:

(scm) # /etc/init.d/ssh start

Configure Allura to Use the LDAP Server

Set the following values in your .ini file:

auth.method = ldap

auth.ldap.server = ldap://localhost
auth.ldap.suffix = ou=people,dc=localdomain
auth.ldap.admin_dn = cn=admin,dc=localdomain
auth.ldap.admin_password = secret
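The following is an added example, not Allura's own code, showing how an LDAP authentication provider consumes the auth.ldap.* values above together with the dc=localdomain suffix chosen during the debconf prompts: the .ini fragment is parsed, the user DN is built as uid=<username> under auth.ldap.suffix, and a simple bind is attempted. The directory is simulated in memory so the script runs offline (Allura itself binds to auth.ldap.server with python-ldap); FakeDirectory, demo_directory and the sample users alice and svc are assumptions made for the illustration. The point it adds beyond the page is that the username must be DN-escaped before interpolation, otherwise a crafted username can redirect the bind into another subtree.

```python
"""Added example, not Allura's own code: how an LDAP authentication provider
consumes the auth.ldap.* values above.  The directory is simulated in memory so
this runs offline; Allura itself binds to auth.ldap.server with python-ldap.
FakeDirectory, demo_directory and the sample users are assumptions for the
illustration."""
import base64
import configparser
import hashlib
import os

# Constructed sample: the .ini fragment from this page inside an [app:main] section.
SAMPLE_INI = """
[app:main]
auth.method = ldap
auth.ldap.server = ldap://localhost
auth.ldap.suffix = ou=people,dc=localdomain
auth.ldap.admin_dn = cn=admin,dc=localdomain
auth.ldap.admin_password = secret
"""


def load_ldap_settings(ini_text):
    """Read the auth.ldap.* keys; refuse to proceed unless auth.method = ldap."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp['app:main']
    if section.get('auth.method') != 'ldap':
        raise ValueError('auth.method must be ldap for these settings to apply')
    return {k: section[k] for k in ('auth.ldap.server', 'auth.ldap.suffix',
                                    'auth.ldap.admin_dn', 'auth.ldap.admin_password')}


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed inside a DN (similar in spirit to
    python-ldap's escape_dn_chars).  Without it a username such as
    'svc,ou=service' injects an extra RDN and the bind targets another subtree."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def user_dn(username, suffix):
    """The DN the provider binds as: uid=<username>,<auth.ldap.suffix>."""
    return 'uid=%s,%s' % (escape_dn_value(username), suffix)


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode('utf-8') + salt).digest() == digest


class FakeDirectory:
    """Stand-in for slapd: entries keyed by DN, simple bind checks userPassword."""
    def __init__(self):
        self.entries = {}

    def add(self, dn, password):
        self.entries[dn] = {'userPassword': ssha_hash(password)}

    def simple_bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and ssha_verify(password, entry['userPassword'])


def authenticate(directory, settings, username, password):
    """What auth.method = ldap amounts to: build the user DN under
    auth.ldap.suffix and attempt a simple bind with the supplied password."""
    return directory.simple_bind(user_dn(username, settings['auth.ldap.suffix']), password)


def demo_directory(settings):
    """Constructed data: one Allura user under ou=people plus a service account in
    a child container that Allura is not meant to accept logins for."""
    d = FakeDirectory()
    suffix = settings['auth.ldap.suffix']
    d.add('uid=alice,%s' % suffix, 'correct horse')
    d.add('uid=svc,ou=service,%s' % suffix, 'svcpass')
    return d


if __name__ == '__main__':
    s = load_ldap_settings(SAMPLE_INI)
    d = demo_directory(s)
    print('alice:', authenticate(d, s, 'alice', 'correct horse'))
    print('crafted, escaped:', authenticate(d, s, 'svc,ou=service', 'svcpass'))
    # Naive interpolation of the same username would have reached the service account.
    raw_dn = 'uid=%s,%s' % ('svc,ou=service', s['auth.ldap.suffix'])
    print('crafted, unescaped:', d.simple_bind(raw_dn, 'svcpass'))
```

The admin_dn and admin_password values are read but not used for the user bind: in this model they are only needed for directory operations that a plain user bind cannot perform (creating entries, resetting passwords), which is why the page leaves them in the same section.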