# Apache Gitolite smart-http install Active Directory Authentication

# Author: Jonathan Gray

# It is assumed you already have mod_ssl, mod_ldap, & mod_authnz configured for apache
# It is also assumed you are disabling http on port 80 and requiring the use of https on port 443

# Boiler plate configuration from the smart-http deployment documentation script
# Adjust paths if you use something other than the default
SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
ScriptAlias /git/ /var/www/gitolite-home/gitolite-source/src/gitolite-shell/
ScriptAlias /gitmob/ /var/www/gitolite-home/gitolite-source/src/gitolite-shell/
SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home
SetEnv GIT_HTTP_EXPORT_ALL
 
# Setup LDAP trusted root certificate from your domain
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf.d/domain.ca.cer

# In case you havn't setup proper SSL certificates in ssl.conf, go ahead and do it here to save headache later with git
SSLCertificateFile /etc/httpd/conf.d/gitolite.server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/gitolite.server.key
SSLCertificateChainFile /etc/httpd/conf.d/DigiCertCA.crt
 
<Location /git>
        Order deny,allow
	# In case you want to restrict access to a given ip/subnet
        #Allow from my.ip.range/cidr
        #Deny from All
        AuthType Basic
        AuthName "Git"
        AuthBasicProvider ldap
        AuthUserFile /dev/null
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldaps://AD.DC1.local:3269 AD.DC2.local:3269 AD.DC3.local:3269/?sAMAccountName?sub
        AuthLDAPBindDN git@domain.local
        AuthLDAPBindPassword super.secret.password
        AuthLDAPGroupAttributeIsDN on
 
	# You must use one of the two following approaches to handle authentication via active directory
	
        # Require membership in the gitolite users group in AD
        # The ldap-filter option is used to handle nested groups on the AD server rather than multiple calls to traverse from apache
        # Require ldap-filter memberof:1.2.840.113556.1.4.1941:=cn=Gitolite Users,ou=Security Groups,dc=domain,dc=local

	# Alternatively, require a valid user account only since you're going to control authorization in gitolite anyway
	Require valid-user
</Location>