I think I have some understanding problems with what I want to achieve...
So, let's start with what's currently working (all described servers are running CentOS 7):
- an OpenLDAP server which contains users' public keys
- a "data" server running an OpenSSH daemon which permits users to connect with their private key (via the ssh command)
And now, my final goal:
- a gitolite service (on the "data" server) which takes users' public keys from the OpenLDAP server
I found this in gitolite's changelog:
(a couple of contrib scripts - querying IPA based LDAP servers for group membership, and user key management)
So I thought it could be possible to achieve what I want, but I don't know how...
I've read it's also possible to query an LDAP server to get group information. So I want to believe it's possible to do the same thing with public keys.
I went through a lot of links but I cannot find something that solves my issue... If someone has even a little hint to give me, it would be great :)
Have a nice day!
PS: just wanted to add that I'm not afraid to read/write a lot of code. And it's not a problem if your solution is to use something other than gitolite, even if keeping gitolite would be better for personal purposes.
EDIT1:
So this is how things currently work:
When I'm trying to clone the default testing.git repository with this command:

    git clone ssh://git@dataserver/testing.git

With the following ~/.ssh/config:

    host dataserver
        hostname dataserver
        Identityfile ~/.ssh/user
        User git

My terminal is telling me this:

    Cloning in 'testing'...
    Permission denied (publickey).
    fatal: Could not read from remote repository.
    Please make sure you have the correct access rights
    and the repository exists

But if I add a public key for my user (user.pub) in the keydir folder, everything is fine:

    git clone ssh://git@dataserver/testing.git
    Cloning in 'testing'...
    Enter passphrase for key '/home/user/.ssh/user_rsa':
    warning: it seems that you've cloned a bare repository.
    Verifying connectivity... done.

And the git repository is here:

    ls -l | grep testing
    drwxrwxr-x 3 user user 4096 mars 23 11:03 testing

EDIT 2:
I'm just adding how my dataserver queries OpenLDAP to get users' public keys (just in case).

/etc/ssh/sshd_config:

    AuthorizedKeysCommand /usr/bin/ssh-keyldaps %u
    AuthorizedKeysCommandUser nobody

/usr/bin/ssh-keyldaps:

    #!/bin/sh
    uid="$1"   # user name handed over by sshd through %u
    ldapsearch -H ldaps://ldapserver \
        -b dc=my,dc=domain \
        -x -LLL \
        -o ldif-wrap=no \
        "(&(uid=$uid)(sshPublicKey=*))" 'sshPublicKey' \
        | sed -n 's/^sshPublicKey:\s*\(.*\)$/\1/p'

I excluded some lines since they're there just for logging purposes.
And thanks to this config, all users registered in LDAP with an sshPublicKey can log into dataserver with their private key.
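One thing the AuthorizedKeysCommand above cannot do on its own is tell gitolite who the person is: every gitolite client connects as the single `git` account, so `%u` is always `git`, and sshd will match whatever key line the command prints against the key the client offers. The identity therefore has to travel on the key line itself, as the `command="gitolite-shell <user>"` forced command plus the `no-pty`/`no-*-forwarding` restrictions gitolite writes into authorized_keys for keys kept in keydir. The script below is an added example, not code from the post or from the gitolite project: it converts the LDIF that `ldapsearch -LLL -o ldif-wrap=no` returns for `uid` and `sshPublicKey` into such lines, one per (user, key) pair. The gitolite-shell path, the constructed LDIF sample and the accepted key types are assumptions; in production the sample would be replaced by the ldapsearch call from the post, requesting both attributes and dropping the `uid=$uid` filter term. Records whose uid or key fall outside a strict character set are skipped on purpose: a stray quote or comma inside the key text would end the options field early, and a key line without its forced command would give a plain shell as `git` instead of a gitolite session.

```shell
#!/bin/sh
# Added example (not from the post or gitolite): build gitolite-style
# authorized_keys lines from LDIF carrying uid and sshPublicKey attributes.
# Assumed: gitolite lives in /home/git and its shell is gitolite-shell.
GITOLITE_SHELL="${GITOLITE_SHELL:-/home/git/bin/gitolite-shell}"
# Same restrictions gitolite itself attaches to keys from keydir.
KEY_OPTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Read LDIF on stdin, print one forced-command key line per (uid, key).
# A record is emitted only when its uid and key match a strict alphabet,
# so nothing in LDAP can inject extra ssh options or break the line.
gitolite_keys_from_ldif() {
    awk -v shell="$GITOLITE_SHELL" -v opts="$KEY_OPTIONS" '
    BEGIN { uid = ""; n = 0 }
    function flush(   i) {
        if (uid != "" && uid ~ /^[A-Za-z0-9._-]+$/)
            for (i = 1; i <= n; i++)
                printf "command=\"%s %s\",%s %s\n", shell, uid, opts, keys[i]
        uid = ""; n = 0
    }
    /^dn:/            { flush() }              # a new LDAP entry starts
    /^uid: /          { uid = substr($0, 6) }  # strip "uid: "
    /^sshPublicKey: / {
        key = substr($0, 15)                   # strip "sshPublicKey: "
        # key type, base64 blob, optional comment; nothing else allowed
        if (key ~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+\/=]+( [A-Za-z0-9._@-]+)?$/)
            keys[++n] = key
    }
    END { flush() }'
}

# Constructed sample LDIF (not real directory data): two valid users, one
# with two keys, and a malformed record that must not be emitted.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=my,dc=domain
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice000000000000000000 alice@laptop

dn: uid=bob,ou=people,dc=my,dc=domain
uid: bob
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyBobOne bob@desk
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyBobTwo

dn: uid=carol,ou=people,dc=my,dc=domain
uid: carol
sshPublicKey: ssh-rsa AAAA" ,pty carol
'

# Run the converter over the constructed sample and return the key lines.
sample_key_lines() {
    printf '%s' "$SAMPLE_LDIF" | gitolite_keys_from_ldif
}

sample_key_lines
```

Wired in as `AuthorizedKeysCommand /usr/bin/ssh-keyldaps-gitolite %u` with the ldapsearch call feeding `gitolite_keys_from_ldif`, every user with a key in LDAP reaches gitolite as their own uid, while a key line can only ever start gitolite-shell, never an interactive shell.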
gitolite-admin/keysfolder, no?