I am evaluating the possibilities of moving my organisation to Mercurial, however I am stumbling on two basic requirements which I can't find proper pointers to.

How do I set up Mercurial's central repository to authenticate users with the central Active Directory and only allow them to push or pull if they have the right credentials?

How do I set up a Mercurial project repository to only allow users pertaining to a specific group to push/pull source code? We need this to have per-project authorisation.

On which HTTP servers (IIS or Apache etc.) are the above two requirements supported?

Apologies if I am asking something obvious or if I am missing something fundamental about how authentication and authorisation works.

Martin Geisler

2 Answers

I did a four-part blog post on setting up Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:

  • Setting up Mercurial's hg web interface on IIS.
  • Setting up the IIS authentication for Mercurial so that only users authorized by Active Directory (i.e. security groups/users) can view/access the repositories either via the hg web interface or through the file system.
  • Configuring Active Directory authentication for Mercurial users, so only authorized users can see/access the repositories they have access to.
  • Configuring hgwebdir.cgi via hgweb.config to set push authorization for specified users to repositories.
  • Hiding hgwebdir.cgi using Helicon's ISAPI Rewrite in your repository's URL.
  • Customizing the style/feel of the hg web user interface to your own taste.

http://www.endswithsaurus.com/2010/05/setting-up-and-configuring-mercurial-in.html

I hope it's useful to people...

BenAlabaster


You can do it with Apache. Check how to restrict pushing in Apache at:

http://mercurial.selenic.com/wiki/PublishingRepositories#pushing

See above on the same page for how to configure Mercurial, its permissions and all users allowed by Apache.

After you've set up Mercurial and Apache, you can use mod_authnz_ldap to only allow access to Active Directory users:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

Don't forget to check the paragraph on Active Directory configuration.

That should be enough for you.

Best of luck,
João Miguel Neves

MikeyB
jneves
  • Using authnz_ldap transmits passwords unencrypted between the client and Apache. I'm trying to find out how to avoid that, but not having a lot of luck. – LeBleu Jan 30 '15 at 21:18
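As an added, constructed example of the Apache route described in this answer (not configuration from the answer, the Mercurial wiki or the Apache docs), the vhost below authenticates against Active Directory with mod_authnz_ldap and gives one project a read group and a separate push group, using the fact that Mercurial pulls over GET and pushes over POST. It terminates TLS on the vhost so the Basic credentials the comment above refers to are not sent in clear text, and binds to the DC over ldaps:// for the same reason; all hostnames, DNs, paths and group names are placeholders.

```apache
# Constructed example: Apache 2.2/2.4 vhost serving hgweb with Active Directory
# authentication via mod_authnz_ldap. Hostnames, DNs, paths and group names are
# placeholders to be replaced with your own.
<VirtualHost *:443>
    ServerName hg.example.com

    # Basic auth sends the password on every request; TLS on this vhost keeps it
    # off the wire in clear text. Mercurial also refuses to push over plain HTTP
    # by default (web.push_ssl).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/hg.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/hg.example.com.key

    # hgweb.cgi (hgwebdir.cgi on older releases), pointed at hgweb.config
    ScriptAlias /hg /var/hg/hgweb.cgi

    # Per-project authorisation: one <Location> per repository path
    <Location /hg/project-a>
        AuthType Basic
        AuthName "Mercurial (Active Directory account)"
        AuthBasicProvider ldap

        # ldaps:// so the Apache-to-DC traffic is encrypted too; AD requires a
        # bind account for the user search and is queried by sAMAccountName.
        AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=svc-hg-ldap,OU=Service Accounts,DC=example,DC=com"
        AuthLDAPBindPassword "PLACEHOLDER-bind-password"

        # Mercurial browses and pulls with GET; pushes (unbundle, pushkey) use
        # POST. Read access for the project's reader group ...
        <Limit GET HEAD>
            Require ldap-group CN=hg-project-a-read,OU=Groups,DC=example,DC=com
        </Limit>
        # ... and write access only for its push group.
        <LimitExcept GET HEAD>
            Require ldap-group CN=hg-project-a-push,OU=Groups,DC=example,DC=com
        </LimitExcept>
    </Location>
</VirtualHost>
```

Apache passes the authenticated account name to hgweb as REMOTE_USER, so `allow_push` in the repository's `.hg/hgrc` can further narrow who may push, and group membership is checked on every request, so removing a user from the AD group takes effect immediately.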