gitldapgitblit

Don't know LDAP admins' credentials. How can I configure gitblit.properties


I tried configuring Gitblit with Ldap for authentication. The only problem I am facing is when I enter admin credentials in gitblit.properties all users are authenticated against Ldap. But when I configure credentials of a particular user only that user is authenticated and rest are shown invalid. So, is it always necessary to configure admin credentials in gitblit.properties file because our ldap administrators won't share admin's credentials with us.


Solution

  • The answer is "it depends".

    But it is not so much "admin credentials" that are needed. The realm.ldap.username and realm.ldap.password settings need to be configured with LDAP credentials that have read access to user entries (and groups if you want to retrieve groups from LDAP, i.e. realm.ldap.maintainTeamsis true). So the "administrative" part is only being able to read all entries under the realm.ldap.accountBase (and realm.ldap.groupBase, if desired), excluding the user passwords.

    If you want to synchronize users (and groups) from LDAP to Gitblit, then such an account is required, i.e. you need to set realm.ldap.username and realm.ldap.password with credentials as described above.

    If all you want to do is authenticate users, then you could also set the realm.ldap.bindpattern setting. This will directly bind against the user entry without searching for the account first. It requires the user that is logging in to have read access to the group entries in LDAP, though, in case you get teams from LDAP.
    Due to a bug in current (1.8.0) Gitblit, realm.ldap.username is still used to at least bind once against LDAP. That means that you either leave it empty and your LDAP allows anonymous binds, or you set it to some LDAP credentials so that the bind works. In this case the credentials used for realm.ldap.username do not need to have read access to all user or group entries. This should be fixed in the next Gitblit version.