Setting Mercurial with Active Directory authentication and authorisation
Solution 1
I did a four-part blog post on setting up Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:
- Setting up Mercurial's hg web interface on IIS.
- Setting up the IIS authentication for Mercurial so that only users authorized by Active Directory (i.e. security groups/users) can view/access the repositories either via the hg web interface or through the file system.
- Configuring Active Directory authentication for Mercurial users, so only authorized users can see/access the repositories they have access to.
- Configuring hgwebdir.cgi via hgweb.config to set push authorization for specified users to repositories.
- Hiding hgwebdir.cgi using Helicon's ISAPI Rewrite in your repository's URL.
- Customizing the style/feel of the hg web user interface to your own taste.
http://www.endswithsaurus.com/2010/05/setting-up-and-configuring-mercurial-in.html
I hope it's useful to people...
Solution 2
You can do it with Apache. Check how to restrict pushing in Apache at:
http://mercurial.selenic.com/wiki/PublishingRepositories#pushing
See above on the same file on how to configure Mercurial, its permissions and all users allowed by Apache.
After you've set up Mercurial and Apache, you can use mod_authnz_ldap to only allow access to Active Directory users:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
Don't forget to check the paragraph on Active Directory configuration.
That should be enough for you.
Best of luck,
João Miguel Neves
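The Apache approach from this answer, written out as an added example (not part of the original answer or the linked documentation): one repository served through hgwebdir.cgi, with pull limited to two Active Directory groups and push limited to one, and TLS on both the client-to-Apache and Apache-to-AD hops so Basic credentials never cross the network in the clear. All hostnames, DNs, group names, file paths and the bind password are constructed placeholders, and the directives assume Apache 2.2 with mod_ssl, mod_ldap and mod_authnz_ldap loaded.

```apache
# Trust anchor for the ldaps:// connection to the domain controller (placeholder path).
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-ca.pem

<VirtualHost *:443>
    ServerName hg.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/hg.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/hg.example.com.key

    ScriptAlias /hg /var/hg/hgwebdir.cgi

    # Per-project block: repeat with different groups for each repository.
    <Location /hg/projectA>
        # Refuse any request that did not arrive over TLS, so the
        # Basic Authorization header is never sent in plaintext.
        SSLRequireSSL

        AuthType Basic
        AuthName "Mercurial projectA"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on

        # ldaps:// protects the bind between Apache and Active Directory.
        # sAMAccountName lets users log in with their Windows logon name.
        AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        # Low-privilege service account used only to search for the user's DN.
        AuthLDAPBindDN "CN=svc-hg,OU=Service Accounts,DC=example,DC=com"
        AuthLDAPBindPassword "REPLACE_ME"

        # Pull and web browsing (GET/HEAD): readers or writers.
        <Limit GET>
            Require ldap-group CN=projectA-readers,OU=Groups,DC=example,DC=com
            Require ldap-group CN=projectA-writers,OU=Groups,DC=example,DC=com
        </Limit>

        # Everything else, including the POST used by push: writers only.
        <LimitExcept GET>
            Require ldap-group CN=projectA-writers,OU=Groups,DC=example,DC=com
        </LimitExcept>
    </Location>
</VirtualHost>

# hgweb still refuses pushes unless allow_push is set. To leave the decision
# to the Apache groups above, the repository's .hg/hgrc would contain:
#   [web]
#   allow_push = *
```

Because `allow_push = *` removes Mercurial's own push check, keep the Apache config file readable only by root (it holds the bind password) and confirm with an account outside both groups that pull and push each return 401 before relying on it.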
Martin Geisler
Updated on September 17, 2022
Comments
-
Martin Geisler almost 2 years
I am evaluating the possibilities of moving my organisation to Mercurial, however I am stumbling on two basic requirements which I can't find proper pointers to.
How do I set up Mercurial's central repository to authenticate users with the central Active Directory and only allow them to push or pull if they have the right credentials?
How do I set up a Mercurial project repository to only allow users pertaining to a specific group to push/pull source code? We need this to have per-project authorisation.
On which HTTP servers (IIS or Apache etc.) are the above two requirements supported?
Apologies if I am asking something obvious or if I am missing something fundamental about how authentication and authorisation works.
-
LeBleu over 9 years
Using authnz_ldap transmits passwords unencrypted between the client and Apache. I'm trying to find out how to avoid that, but not having a lot of luck.