I recently hacked Kerberos authentication onto the Gitorious web interface. 
In conjunction with Apache's mod_auth_kerb, the Rails app pulls the 
username out of request.env['REMOTE_USER'] and uses that in a manner 
similar to the current code's OpenID handling: If the user doesn't yet 
exist in the database, then use "kerberos_build" / "kerberos_create" 
methods in the user_controller to create his or her account. If the user 
does exist, just log them in.

The current Gitorious code assumes that any form of authentication is going 
to happen via Rails' web forms - either an OpenID URL, or a 
username/password combo. There's not much room to delegate authentication 
up to Apache. This affects the mod_auth_kerb SPNEGO use case, but it also 
affects efforts to support other Apache authentication mechanisms, like SSL 
client cert authentication via mod_ssl. I ended up modifying the 
session_controller to do a "using_kerberos?" check within the "create" 
method, but I'm not sure this is the best approach. I'd love to hear ideas 
from someone who knows more about Rails and Gitorious :)

It would also be awesome to combine this Kerberos auth support along with 
the LDAP features that are present in the latest Gitorious versions. I'm 
not sure how straightforward it would be to combine these, though. I would 
only want to use the directory information lookup portions of the code in 
order to pre-populate information about a user, and skip the 
password-verification parts.

And of course, it would also be great to support Kerberos auth for SSH, in 
addition to the web interface. But I haven't gotten that far :)

-- 
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com
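
An added example, not part of the original post and not Gitorious code: one way a Rack/Rails app could turn the REMOTE_USER set by mod_auth_kerb into a local login before the find-or-create step described above. It assumes REMOTE_USER carries the full principal (user@REALM); ALLOWED_REALM, LOGIN_FORMAT, the in-memory users Hash and the method names are hypothetical.

```ruby
# Added example; the realm, login format, Hash store and method names are assumptions.
ALLOWED_REALM = "EXAMPLE.COM"
LOGIN_FORMAT  = /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,39}\z/

class KerberosAuthError < StandardError; end

# Turn a principal such as "alice@EXAMPLE.COM" into the local login "alice".
def login_from_principal(principal, realm = ALLOWED_REALM)
  raise KerberosAuthError, "REMOTE_USER not set" if principal.nil? || principal.empty?
  user, sep, princ_realm = principal.rpartition("@")
  raise KerberosAuthError, "principal has no realm" if sep.empty?
  # Cross-realm trust can deliver principals from other realms; accept only ours.
  raise KerberosAuthError, "untrusted realm #{princ_realm}" unless princ_realm == realm
  # Rejects instance principals ("alice/admin") rather than folding them into "alice".
  raise KerberosAuthError, "unacceptable login" unless LOGIN_FORMAT.match?(user)
  user
end

# Find-or-create keyed on the verified login. Returns the account, or nil so
# the caller can fall back to the regular login form.
def kerberos_login(env, users)
  # Read only REMOTE_USER, which the web server sets. A client-sent
  # "Remote-User" header shows up as HTTP_REMOTE_USER and is never consulted.
  login = login_from_principal(env["REMOTE_USER"])
  users[login] ||= { login: login, created_via: :kerberos }
rescue KerberosAuthError
  nil
end

# Constructed sample Rack environments.
SAMPLE_ENVS = {
  valid:       { "REMOTE_USER" => "alice@EXAMPLE.COM" },
  other_realm: { "REMOTE_USER" => "alice@OTHER.EXAMPLE" },
  instance:    { "REMOTE_USER" => "alice/admin@EXAMPLE.COM" },
  header_only: { "HTTP_REMOTE_USER" => "alice@EXAMPLE.COM" },
}

if __FILE__ == $PROGRAM_NAME
  users = {}
  SAMPLE_ENVS.each { |name, env| puts "#{name}: #{kerberos_login(env, users).inspect}" }
end
```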