OS: Linux OpenSUSE
Version control – Mercurial
Apache2
I run http ://my.os.name/ it gives me a page – thus apache is running.
I run http ://my.os.name:/hg – It shows me Mercurial page, thus mercurial is
showing up on http Internet Explorer page.
I’m able to create repositories/or do normal work in Mercurial.
What I need.
1. When I open the above Hg link
then, instead of showing me the Mercurial(Hg) repository page home page, it should first check whether I belong to my company or not i.e. it should authenticate using Windows Active Directory or LDAP server.
- If I’m making any changes to a file or create a directory / repository in Hg, then it should make sure / authenticate/verify whether I have valid access to do that operation or not.
HOW can I do this, I need step by step help as I’m new in Apache/Mercurial authentication setup.
I have almost read all the Online help in setting this up and so far I’m able to get to a point whether when I open Hg link, I get a popup for username/password prompt, but its not taking it / not working.
I also dont want to create .htpasswd/ .htaccess or digest files. What I’m wondering is that if in Windows Active Directory, if I have a Security group created for ex: Company/Project1_readers, Company/Project1_Contributors, Company/Project1_Repository1_Readers, Company/Project1_Repository2_Contributors… and in those AD security group ids, if I have all the developers added, then using these groups in AD, I want to grant access to developers instead of adding those users in .hg/hgrc file.
(This is what usually we do in TFS (Team foundation Server) to grant/revoke access) instead of messing with files (adding/removing users) in every repository etc.
How can I do the above?
Kindly advise if the best way is only creating .htpasswd/.htaccess/.htdigest etc files…if I’m wrong in achieving the above scenario.
My httpd.conf file Includes another .conf file (which contains)
=========================================
<Directory /srv/www/hg>
Order deny,allow
Deny from All
AuthType Basic
# #AuthName "Apache Web Site: Login with your AD(Active Directory) credentials"
AuthName "Mercurial Repositories"
#
#
# AuthBasicProvider ldap
# AuthzLDAPAuthoritative off
# #AuthLDAPURL ldap://10.211.16.1:389/OU=TSH,DC=tsh,DC=Mason,DC=com?sAMAccountName
# AuthLDAPURL "ldap://10.211.16.1:389/?samAccountName?sub?(objectClass=user)"
## #ldap://ldap.your-domain.com:389/o=stooges?uid?sub
# AuthLDAPBindDN "cn=xyzserver,OU=Services,OU=Users,OU=Infrastructure,OU=DEN,OU=KSH,DC=Psh,DC=Mason,DC=com"
# #"cn=StoogeAdmin,o=stooges"
# AuthLDAPBindPassword secret1
require valid-user
# require ldap-user
Satisfy any
</Directory>
When I’m using the abvoe LDAP URL in Jenkins, Jenkins is successfully authenticating a user while logging in, then why the same is not working when it’s in this server’s .conf file. Note, in apache2, the above doesn’t have to be in httpd.conf file. Include concept is letting me include the file.conf and file.conf contains the above code. This is as per Apache2 directions as mentioned in httpd.conf file.
Rest of the mercurial files hgwebdir.cgi, hgweb.cgi, hgweb.config are all good (as per online blogs I have read).
I have all the required modules loaded (as they are visible in /etc/apache2/sysconfig.d/loadmodule.conf file (modules which are required for LDAP auth i.e. mod_ldap, mod_authz_ldap etc etc related to ldap and apache).
if prompted multiple times for user credentials in mercurial. Setup Mercurial_Keyring and then
this question comes which nobody explained in an easy way.
??? how to make the [auth] xx.prefix = servername/hg_or_something work for all repositories under servername/hg location either if I use servername, servername’s IP or servername’s FQDN ?
ANSWER: Arun • 2 minutes ago
−