Authentication against Active Directory
Martin Geisler
mg at aragost.com
Thu Apr 22 13:43:05 CDT 2010
Hi guys,
I recently had to help a company with setting up Mercurial and they
wanted to do user authentication against an Active Directory (AD)
server. This turned out to be very easy, but since I've seen some
confusion about how access control works with hgweb(dir).cgi, I figured
I would write a bit about it.
Concepts:
* authentication: the act of establishing *who* a given user is. This is
often done with passwords: I tell the server that my username is 'mg'
and I prove to it that I'm me by showing it the corresponding
password.
* authorization: the act of allowing or rejecting access. This is
typically done by looking up the authenticated username in a list of
allowed users.
Now that we have some terminology in place, let's look at the role of
each component:
* webserver: does authentication. This means that Apache, IIS, whatever
must send back the right headers that will make the client prompt for
a username, or do some other form of authentication.
* hgwebdir.cgi: does authorization. The webserver tells Mercurial who
has authenticated. This means that Mercurial is told the *username* of
the user that is logged in. Mercurial then looks in the [web]
section for a matching username in the allow_* and deny_* lists:
http://www.selenic.com/mercurial/hgrc.5.html#web
That's it. Just make sure that your webserver is configured to
authenticate the right usernames and that Mercurial is doing
authorization using the same usernames.
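To make the split concrete, here is a small Python model of the authorization step described above (an added illustration, not Mercurial's own code): the username the webserver authenticated arrives in the REMOTE_USER CGI variable, and the decision follows the [web] allow_*/deny_* lists plus the push_ssl setting. The hgrc contents and usernames are constructed for the example.

```python
# Model of the authorization step hgwebdir.cgi performs after the webserver
# has authenticated the user (illustration only, not Mercurial's own code):
# the username arrives in REMOTE_USER and is matched against [web] lists.
from configparser import ConfigParser

# Constructed example hgrc: everyone but 'contractor' may read, only two
# named users may push, and only over https.
SAMPLE_HGRC = """
[web]
allow_read = *
deny_read = contractor
allow_push = mg, alice
push_ssl = true
"""

def _members(cfg, key):
    """A [web] list option as a set of names; '*' means everyone."""
    return set(cfg.get("web", key, fallback="").replace(",", " ").split())

def _ismember(user, names):
    return "*" in names or (user is not None and user in names)

def authorize(hgrc_text, env, op):
    """Return (allowed, reason) for op 'read' or 'push' given the CGI env.

    Deny lists win.  Empty allow_read lets everyone read; empty allow_push
    lets nobody push.  A non-empty deny_read rejects unauthenticated
    requests.  Pushes need https unless push_ssl is off.
    """
    cfg = ConfigParser()
    cfg.read_string(hgrc_text)
    user = env.get("REMOTE_USER")  # None when the webserver did no auth

    deny_read = _members(cfg, "deny_read")
    if deny_read and (user is None or _ismember(user, deny_read)):
        return False, "read not authorized"
    if not _ismember(user, _members(cfg, "allow_read") or {"*"}):
        return False, "read not authorized"
    if op == "read":
        return True, "ok"

    if cfg.getboolean("web", "push_ssl", fallback=True) \
            and env.get("wsgi.url_scheme") != "https":
        return False, "ssl required"
    deny_push = _members(cfg, "deny_push")
    if deny_push and (user is None or _ismember(user, deny_push)):
        return False, "push not authorized"
    if not _ismember(user, _members(cfg, "allow_push")):
        return False, "push not authorized"
    return True, "ok"
```

Note that with no allow_push at all nobody can push, and that a non-empty deny_read shuts out requests the webserver did not authenticate, which is why the Apache side must actually enforce authentication.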
Using AD is now a matter of configuring the webserver correctly -- it is
not Mercurial specific. Below is the configuration file that was used at
the company I mentioned in the beginning:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName hg.example.net
    ServerAdmin admin@example.net

    CustomLog /var/log/apache2/access_log.mercurial-ssl combined
    ErrorLog /var/log/apache2/error_log.mercurial-ssl
    LogLevel warn

    ScriptAliasMatch ^(.*) /data/products/mercurial-1.5.1/hgwebdir.cgi/$1

    <Directory "/data/products/mercurial-1.5.1/">
        Order allow,deny
        Allow from all
        AllowOverride All
        Options ExecCGI
        AddHandler cgi-script .cgi
    </Directory>

    <Directory "/data/products/mercurial-1.5.1/">
        Order deny,allow
        Deny from All
        AuthName "Mercurial server"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN "CN=bindadm,OU=OP users,OU=serverusers,OU=User administration,DC=interprise,DC=dk"
        AuthLDAPBindPassword "*********"
        AuthLDAPURL "ldap://192.168.0.1:389/OU=User administration,DC=interprise,DC=dk?sAMAccountName?sub?(objectClass=user)"
        Require ldap-group CN=SEC GRP Mercurial,OU=Security Groups,OU=serverusers,OU=User administration,DC=interprise,DC=dk
        Satisfy any
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.net.key
    SSLCertificateChainFile /etc/ssl/certs/globalsignca.crt
</VirtualHost>
--
Martin Geisler
Fast and powerful revision control: http://mercurial.selenic.com/