Authentication against Active Directory

Martin Geisler mg at aragost.com
Thu Apr 22 13:43:05 CDT 2010


Hi guys,

I recently had to help a company with setting up Mercurial and they
wanted to do user authentication against an Active Directory (AD)
server. This turned out to be very easy, but since I've seen some
confusion about how access control works with hgweb(dir).cgi, I figured
I would write a bit about it.

Concepts:

* authentication: the act of establishing *who* a given user is. This is
  often done with passwords: I tell the server that my username is 'mg'
  and I prove to it that I'm me by showing it the corresponding
  password.

* authorization: the act of allowing or rejecting access. This is
  typically done by looking up the authenticated username in a list of
  allowed users.

Now that we have some terminology in place, let's look at the role of
each component:

* webserver: does authentication. This means that Apache, IIS, whatever
  must send back the right headers that will make the client prompt for
  a username, or do some other form of authentication.

* hgwebdir.cgi: does authorization. The webserver tells Mercurial who
  has authenticated. This means that Mercurial is told the *username* of
  the user that is logged in. Mercurial then looks in the [web] section
  for a matching username in the allow_* and deny_* lists:

    http://www.selenic.com/mercurial/hgrc.5.html#web

That's it. Just make sure that your webserver is configured to
authenticate the right usernames and that Mercurial is doing
authorization using the same usernames.
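To make the division of labour concrete, here is an added example (my own model, not Mercurial's code) of the authorization step that hgweb performs once the webserver has placed the authenticated name in REMOTE_USER. It is modelled on the allow_*/deny_* checks in Mercurial's hgweb/common.py; the [web] section, the usernames and the push_ssl handling are constructed for the example, and Python's ConfigParser stands in for Mercurial's own hgrc parser, so check the exact behaviour of your Mercurial version against its source before relying on a corner case.

```python
"""Model of hgweb's [web] allow_*/deny_* authorization.

Added example, not Mercurial's own code. Modelled on the checks in
mercurial/hgweb/common.py: the webserver authenticates and sets
REMOTE_USER; Mercurial only compares that name against its lists.
"""
import configparser
import io

# Constructed [web] section in hgrc syntax (sample data, not a real site).
SAMPLE_HGRC = """\
[web]
allow_read = *
deny_read = contractor
allow_push = mg, alice
deny_push = bob
push_ssl = true
"""


def load_web_section(text):
    """Parse the [web] section into a dict of option -> raw string.

    ConfigParser is used as a stand-in for Mercurial's hgrc parser; the
    subset of syntax used here is the same in both.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return dict(cp.items('web')) if cp.has_section('web') else {}


def configlist(web, key):
    """Split a comma- or space-separated list (like ui.configlist)."""
    return web.get(key, '').replace(',', ' ').split()


def ismember(user, acl):
    """'*' matches any authenticated user; otherwise an exact name match."""
    return '*' in acl or user in acl


def authorize(web, user, op, scheme='https'):
    """Decide whether `user` may perform `op` ('pull' or 'push').

    `user` is the value of REMOTE_USER as set by the webserver, or None
    when the webserver did not authenticate the client. Returns
    (allowed, reason). Read lists gate everything; push lists gate push.
    """
    deny_read = configlist(web, 'deny_read')
    if deny_read and (not user or ismember(user, deny_read)):
        return False, 'read not authorized'
    allow_read = configlist(web, 'allow_read')
    if allow_read and (not user or not ismember(user, allow_read)):
        return False, 'read not authorized'
    if op == 'pull':
        return True, 'ok'

    # Push: require TLS unless push_ssl is switched off (Basic auth
    # credentials would otherwise travel in the clear).
    push_ssl = web.get('push_ssl', 'true').strip().lower()
    if push_ssl not in ('false', 'no', 'off', '0') and scheme != 'https':
        return False, 'ssl required'
    deny_push = configlist(web, 'deny_push')
    if deny_push and (not user or ismember(user, deny_push)):
        return False, 'push not authorized'
    allow_push = configlist(web, 'allow_push')
    if not user or not allow_push or not ismember(user, allow_push):
        return False, 'push not authorized'
    return True, 'ok'


if __name__ == '__main__':
    web = load_web_section(SAMPLE_HGRC)
    for who, op, scheme in [('mg', 'push', 'https'), ('bob', 'push', 'https'),
                            ('contractor', 'pull', 'https'),
                            (None, 'pull', 'https'), ('alice', 'push', 'http')]:
        print(who, op, scheme, '->', authorize(web, who, op, scheme))
```

Two things the model makes visible: an empty allow_push means nobody can push, whereas an empty allow_read means everybody can read; and a '*' entry still requires a username, so a misconfigured webserver that never sets REMOTE_USER turns every request into "read not authorized" rather than silently granting access.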


Using AD is now a matter of configuring the webserver correctly -- it is
not Mercurial specific. Below is the configuration file that was used at
the company I mentioned in the beginning:

  NameVirtualHost *:443
  <VirtualHost *:443>
    ServerName hg.example.net

    ServerAdmin admin@example.net
    CustomLog /var/log/apache2/access_log.mercurial-ssl combined
    ErrorLog /var/log/apache2/error_log.mercurial-ssl

    LogLevel warn

    ScriptAliasMatch ^(.*) /data/products/mercurial-1.5.1/hgwebdir.cgi/$1

    <Directory "/data/products/mercurial-1.5.1/">
      Order allow,deny
      Allow from all
      AllowOverride All
      Options ExecCGI
      AddHandler cgi-script .cgi
    </Directory>

    <Directory "/data/products/mercurial-1.5.1/">
      Order deny,allow
      Deny from All
      AuthName "Mercurial server"
      AuthType Basic
      AuthBasicProvider ldap
      AuthzLDAPAuthoritative off
      AuthLDAPBindDN "CN=bindadm,OU=OP users,OU=serverusers,OU=User administration,DC=interprise,DC=dk"
      AuthLDAPBindPassword "*********"
      AuthLDAPURL "ldap://192.168.0.1:389/OU=User administration,DC=interprise,DC=dk?sAMAccountName?sub?(objectClass=user)"
      Require ldap-group CN=SEC GRP Mercurial,OU=Security Groups,OU=serverusers,OU=User administration,DC=interprise,DC=dk
      Satisfy any
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.net.key
    SSLCertificateChainFile /etc/ssl/certs/globalsignca.crt
  </VirtualHost>


-- 
Martin Geisler

Fast and powerful revision control: http://mercurial.selenic.com/
