Implementing LDAP Authentication for Git Repositories: Best Practices and Solutions

When integrating Git with enterprise LDAP systems, we face a fundamental architectural question: how to map LDAP credentials to Git operations while maintaining proper access control. The key pain points are:

  • LDAP authentication at the web interface level (GitWeb/Gitorious) doesn't automatically translate to repository access: the web application knows who the user is, but the repository on disk is still read and written under whatever Unix account the transport runs as
  • Potential mismatch between LDAP-authenticated web users and SSH/git protocol users (over SSH everyone typically logs in as one shared "git" account)
  • Permission synchronization across multiple access methods

For HTTP(S) access, Apache with mod_authnz_ldap (backed by mod_ldap, which supplies the connection pool and cache) provides a solid foundation. Here's a sample configuration:

<Location /git>
    AuthType Basic
    AuthName "Git Repository"
    AuthBasicProvider ldap
    # Basic auth hands the user's password to Apache, which replays it to the directory,
    # so the LDAP leg must be encrypted too: ldaps://, or ldap:// with the STARTTLS mode argument
    AuthLDAPURL "ldaps://ldap.example.com:636/dc=example,dc=com?uid?sub"
    Require valid-user
</Location>

This handles web authentication but says nothing about which repositories a user may touch. Per-repository rules can be expressed in Apache itself, by placing a Require ldap-group directive inside a <Location> block for each repository path, so that only members of the matching LDAP group reach it; anything finer than per-repository (per-branch, per-tag) has to be enforced in a server-side hook that knows the authenticated user.

For SSH-based access, we can use PAM-LDAP to let users authenticate with their directory password while keeping Git's native, filesystem-based access control. The process involves:

  1. Configuring sshd_config to use PAM (UsePAM yes, with PasswordAuthentication or KbdInteractiveAuthentication enabled so the PAM password check actually runs)
  2. Setting up pam_ldap for authentication
  3. Mapping LDAP users to system accounts: PAM only verifies the password, so the account must also resolve through NSS (nss_ldap or sssd); otherwise sshd rejects the login as an unknown user before PAM is consulted

Example PAM configuration snippet (e.g. in /etc/pam.d/sshd), with a pam_unix fallback so local accounts keep working:

auth     sufficient  pam_ldap.so
auth     required    pam_unix.so try_first_pass
account  sufficient  pam_ldap.so
account  required    pam_unix.so

Modern Git management platforms offer better LDAP integration:

  Solution           LDAP features
  -----------------  --------------------------------------------------------------------
  GitLab             Full LDAP/AD integration; group sync is a paid-tier (Premium) feature
  Gitea              LDAP authentication with team mapping
  Bitbucket Server   Enterprise-grade LDAP/AD support via its user directories

For a lightweight solution, consider this Python pre-receive hook (using the python-ldap module) that lets a push proceed only if the pushing user belongs to an LDAP group named after the repository. A hook runs after authentication has already happened, so it has to learn the user from its environment: git-http-backend exports REMOTE_USER, and an SSH forced-command wrapper must export it itself:

#!/usr/bin/env python3
# pre-receive hook: allow a push only if the pusher belongs to the LDAP group whose cn equals the repo name
import os, re, sys, ldap
from ldap.filter import escape_filter_chars

def check_ldap_access(user, repo):
    l = ldap.initialize('ldaps://ldap.example.com')   # TLS; never plain ldap://
    l.simple_bind_s('cn=git-proxy,ou=services,dc=example,dc=com',
                    os.environ['GIT_LDAP_BIND_PASSWORD'])   # bind secret from the environment (name assumed), not the source
    result = l.search_s(
        'ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE,
        # escape_filter_chars() stops a uid such as "*)(cn=*" from rewriting the filter
        '(&(objectClass=posixGroup)(memberUid=%s))' % escape_filter_chars(user), ['cn'])
    # python-ldap returns attribute values as bytes and referrals as (None, [...]): decode, skip referrals
    groups = {v.decode() for dn, attrs in result if dn for v in attrs.get('cn', [])}
    return repo in groups

if __name__ == '__main__':
    user = os.environ.get('REMOTE_USER', '')   # set by git-http-backend; an SSH wrapper must export it too
    repo = re.sub(r'\.git$', '', os.path.basename(os.path.abspath(os.environ.get('GIT_DIR', '.'))))
    if not user or not check_ldap_access(user, repo):
        sys.exit('push denied: %r is not a member of LDAP group %r' % (user, repo))

When implementing LDAP authentication for Git:

  • Cache LDAP queries to reduce authentication latency (mod_ldap does this for Apache through LDAPSharedCacheSize and LDAPCacheTTL; a hook that binds and searches on every push needs a cache of its own)
  • Consider read-only LDAP replicas for Git servers
  • Implement connection pooling for high-traffic installations

Always:

  • Use TLS for LDAP connections (ldaps:// or STARTTLS, with certificate verification turned on)
  • Escape user-supplied values before placing them in a search filter (RFC 4515) or a DN (RFC 4514); an unescaped username lets a client rewrite the group-membership filter
  • Set up rate limiting for authentication attempts: a password-guessing run against the Git endpoint is also a password-guessing run against the directory, and can lock real accounts out
  • Regularly audit permission mappings
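The following is an added example, not code from the original page, showing what "proper escaping" means for the two places the pre-receive hook above interpolates user input: a value inside a search filter (RFC 4515) and an attribute value inside a DN (RFC 4514). The escaping functions are written out in pure Python so the effect is visible without a directory; in production use python-ldap's ldap.filter.escape_filter_chars and ldap.dn.escape_dn_chars, which do the same work. The username *)(cn=* is a constructed injection payload, and the ou=people base is assumed.

```python
# RFC 4515 filter escaping and RFC 4514 DN escaping, written out so the effect is visible
# offline. In production use python-ldap's ldap.filter.escape_filter_chars / ldap.dn.escape_dn_chars.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
_DN_SPECIAL = set('"+,;<>\\')   # must be backslash-escaped anywhere inside a DN attribute value


def escape_filter_chars(value: str) -> str:
    """Escape a value that will be interpolated into a search filter (RFC 4515 section 3)."""
    return ''.join(_FILTER_ESCAPES.get(c, c) for c in value)


def escape_dn_chars(value: str) -> str:
    """Escape an attribute value that will be interpolated into a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in _DN_SPECIAL:
            out.append('\\' + c)
        elif c == '\0':
            out.append(r'\00')
        elif c == '#' and i == 0:                   # a leading '#' would introduce a hex-encoded value
            out.append(r'\#')
        elif c == ' ' and (i == 0 or i == last):    # leading/trailing spaces are otherwise dropped
            out.append(r'\ ')
        else:
            out.append(c)
    return ''.join(out)


def member_filter(uid: str) -> str:
    """The hook's group query, with the uid escaped so it can only ever match as a literal value."""
    return '(&(objectClass=posixGroup)(memberUid=%s))' % escape_filter_chars(uid)


def unsafe_member_filter(uid: str) -> str:
    """Same query with raw interpolation: the pattern to avoid, kept only to show the difference."""
    return '(&(objectClass=posixGroup)(memberUid=%s))' % uid


def user_dn(uid: str) -> str:
    """Build a user DN from a uid (assumed ou=people base), e.g. for a bind-as-user password check."""
    return 'uid=%s,ou=people,dc=example,dc=com' % escape_dn_chars(uid)


if __name__ == '__main__':
    payload = '*)(cn=*'                           # constructed injection attempt, not a real account
    # raw interpolation turns the membership check into "any posixGroup that has any member at all"
    print(unsafe_member_filter(payload))          # (&(objectClass=posixGroup)(memberUid=*)(cn=*))
    print(member_filter(payload))                 # (&(objectClass=posixGroup)(memberUid=\2a\29\28cn=\2a))
    print(user_dn('smith, john'))                 # uid=smith\, john,ou=people,dc=example,dc=com
```

Run against the hook's original filter, the payload produces a filter that matches every group with a member, so the any(...) check in the hook would succeed for every repository; with escaping, the same payload can only match a memberUid literally equal to the string *)(cn=*.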

When introducing Git in enterprise environments, LDAP integration often becomes a critical requirement. The core challenge lies in mapping LDAP authentication to Git operations while maintaining proper access controls. Let's examine the technical landscape.

The native git:// protocol has no authentication at all, and neither the SSH nor the HTTP transport knows anything about LDAP by itself. The standard approaches for bridging this gap include:

  • Web-based Git interfaces with LDAP support
  • SSH wrapper solutions
  • HTTP(S) server integration

HTTP(S) server integration remains one of the most reliable methods for enterprise deployments. Here's a sample Apache configuration for Git's smart HTTP backend (git-http-backend); because the web server has authenticated the user, git-http-backend enables push (receive-pack) for that user by default:

<VirtualHost *:443>
    ServerName git.example.com
    DocumentRoot /var/www/git
    SSLEngine on
    # example certificate paths
    SSLCertificateFile /etc/ssl/certs/git.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/git.example.com.key

    <Location />
        AuthType Basic
        AuthName "Git Repository Access"
        AuthBasicProvider ldap
        # ldaps:// so the password Apache replays to the directory is not sent in the clear
        AuthLDAPURL "ldaps://ldap.example.com:636/dc=example,dc=com?uid?sub"
        AuthLDAPBindDN "cn=git-proxy,ou=services,dc=example,dc=com"
        # exec: makes Apache read the bind password from a program's output instead of httpd.conf
        AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-password.sh"
        # groups are posixGroup entries that list usernames in memberUid, not member DNs
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        Require valid-user
    </Location>

    # example per-repository rule: only members of this LDAP group reach this repository
    <Location /team/app.git>
        Require ldap-group cn=app-developers,ou=groups,dc=example,dc=com
    </Location>

    ScriptAlias / /usr/libexec/git-core/git-http-backend/
    SetEnv GIT_PROJECT_ROOT /var/www/git
    SetEnv GIT_HTTP_EXPORT_ALL
</VirtualHost>

For teams preferring SSH access, consider implementing a key management system that ties into LDAP. Every developer logs in as the shared git account, so sshd cannot tell LDAP users apart by itself: each key has to be pinned to a forced command that passes the key owner's LDAP uid to a wrapper which enforces the repository ACL (git-ssh-wrapper below is a placeholder name for that wrapper). The keys are read from the sshPublicKey attribute of the openssh-lpk schema:

#!/bin/bash
# Sync LDAP users' SSH keys (openssh-lpk schema: ldapPublicKey/sshPublicKey) into the shared
# git account's authorized_keys. Each key is pinned to a forced command that carries the LDAP
# uid, so the wrapper (/usr/local/bin/git-ssh-wrapper is a placeholder path) knows who connected.
set -euo pipefail
tmp=$(mktemp)
ldapsearch -x -LLL -o ldif-wrap=no -H ldaps://ldap.example.com \
  -b "ou=people,dc=example,dc=com" \
  "(&(objectClass=ldapPublicKey)(sshPublicKey=*))" uid sshPublicKey |
awk -v cmd=/usr/local/bin/git-ssh-wrapper '
  /^uid: /          { uid = $2 }
  /^sshPublicKey: / { keys[++n] = substr($0, 15) }
  /^$/              { for (i = 1; i <= n; i++)
                        printf "command=\"%s %s\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n", cmd, uid, keys[i]
                      n = 0 }' > "$tmp"
install -m 0600 -o git -g git "$tmp" /home/git/.ssh/authorized_keys && rm -f "$tmp"
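What the forced command on the other end of those keys has to do is worth spelling out, so here is an added example of the wrapper, written for this page rather than taken from it or from any project. It assumes the wrapper is installed as /usr/local/bin/git-ssh-wrapper and invoked with the LDAP uid as its only argument, a repository root of /var/www/git (the same as in the Apache example), a bind password in the GIT_LDAP_BIND_PASSWORD environment variable, python-ldap for the real group lookup, and a constructed group-to-repository ACL. It parses SSH_ORIGINAL_COMMAND strictly, rejects path traversal, checks the permission the requested service needs, and exports REMOTE_USER so server-side hooks learn who is pushing:

```python
#!/usr/bin/env python3
"""Forced-command wrapper for SSH keys synced from LDAP (example; git-ssh-wrapper is an assumed name).

authorized_keys pins every key to:  command="/usr/local/bin/git-ssh-wrapper <ldap-uid>" ...
sshd then runs this script with the client's request in SSH_ORIGINAL_COMMAND, e.g.
    git-upload-pack 'team/app.git'        (fetch/clone)
    git-receive-pack 'team/app.git'       (push)
"""
import os
import re
import sys

REPO_ROOT = '/var/www/git'                                   # assumed repository root
SERVICES = {'git-upload-pack': 'read', 'git-upload-archive': 'read', 'git-receive-pack': 'write'}
# Constructed ACL for the example: LDAP group cn -> {repository: permission}
ACL = {
    'developers': {'team/app': 'write', 'team/lib': 'read'},
    'auditors':   {'team/app': 'read'},
}
# git sends exactly the service name followed by the single-quoted path, nothing else
_CMD_RE = re.compile(r"^(git-(?:upload-pack|upload-archive|receive-pack)) '([^']+)'$")
# path segments may not start with '.', which rules out '..' and hidden directories
_REPO_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*(?:/[A-Za-z0-9_][A-Za-z0-9_.-]*)*$')


def parse_command(original_command):
    """Return (service, repo) from SSH_ORIGINAL_COMMAND, or raise ValueError for anything else."""
    m = _CMD_RE.match(original_command or '')
    if not m:
        raise ValueError('not a git service request')
    service, path = m.groups()
    if path.endswith('.git'):
        path = path[:-4]
    repo = path.lstrip('/')      # scp-style URLs send "team/app.git", ssh:// URLs send "/team/app.git"
    if not _REPO_RE.match(repo):
        raise ValueError('illegal repository name')
    return service, repo


def authorize(uid, service, repo, groups, acl=ACL):
    """Decide whether uid, a member of the given LDAP groups, may run service against repo."""
    needed = SERVICES[service]
    granted = {acl[g][repo] for g in groups if g in acl and repo in acl[g]}
    return 'write' in granted or (needed == 'read' and 'read' in granted)


def ldap_groups(uid):
    """cn values of the posixGroup entries listing uid: the page's group search, with the uid escaped."""
    import ldap                                              # python-ldap, assumed installed
    from ldap.filter import escape_filter_chars
    conn = ldap.initialize('ldaps://ldap.example.com')
    conn.simple_bind_s('cn=git-proxy,ou=services,dc=example,dc=com', os.environ['GIT_LDAP_BIND_PASSWORD'])
    res = conn.search_s('ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE,
                        '(&(objectClass=posixGroup)(memberUid=%s))' % escape_filter_chars(uid), ['cn'])
    return {v.decode() for dn, attrs in res if dn for v in attrs.get('cn', [])}


def main():
    uid = sys.argv[1]                                        # set by the forced command, never by the client
    try:
        service, repo = parse_command(os.environ.get('SSH_ORIGINAL_COMMAND'))
    except ValueError as err:
        sys.exit('fatal: %s' % err)
    allowed = authorize(uid, service, repo, ldap_groups(uid))
    # audit line; ssh relays stderr to the client, so send this to syslog in production
    sys.stderr.write('git-ssh-wrapper: %s %s %s: %s\n' % (uid, service, repo, 'allow' if allowed else 'deny'))
    if not allowed:
        sys.exit('fatal: access denied')
    os.environ['REMOTE_USER'] = uid                          # lets server-side hooks see who is pushing
    os.execvp(service, [service, os.path.join(REPO_ROOT, repo + '.git')])


if __name__ == '__main__':
    main()
```

Because the uid comes from the forced command in authorized_keys and not from anything the client sends, the client can choose only the service and the path, and both are validated before anything is executed.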

Modern Git management platforms offer built-in LDAP integration:

  • GitLab: Comprehensive LDAP configuration in gitlab.rb
  • Gitea: Lightweight option with LDAP support
  • Bitbucket Server: Enterprise-grade LDAP integration

The username mapping concern (which LDAP attribute becomes the Git username, and which attributes feed the display name and commit e-mail) is addressed in the platform's LDAP source configuration. The mapping typically looks like this; the exact syntax depends on the platform:

# Example LDAP attribute mapping for Git
[ldap]
    userFilter = (&(objectClass=person)(uid=%s))
    username = uid
    firstname = givenName
    lastname = sn
    email = mail

When implementing LDAP authentication:

  • Always use TLS for LDAP connections, with certificate verification turned on
  • Escape user-supplied values before placing them in search filters (RFC 4515) or DNs (RFC 4514)
  • Set appropriate access controls in LDAP, so the Git server's bind account can read only the attributes it needs
  • Consider two-factor authentication for sensitive repos