
I think I have some trouble understanding what I want to achieve...

So, let's start with what's currently working (all described servers are running CentOS 7):

  • an OpenLDAP server which contains users' public keys
  • a "data" server running an OpenSSH daemon which permits users to connect with their private key (with the ssh command)

And now, my final goal:

  • a gitolite service (on the "data" server) which takes users' public keys from the OpenLDAP server

I found this in gitolite's changelog:

(a couple of contrib scripts - querying IPA based LDAP servers for group membership, and user key management)

So I thought it could be possible to achieve what I want, but I don't know how...

I've read it's also possible to query an LDAP server to get group information. So I want to believe it's possible to do the same thing with public keys.

I have been through a lot of links but I cannot find anything that solves my issue... If anyone has even a little hint to give me, it would be great :)

Have a nice day!


PS: just wanted to add that I'm not afraid to read/write a lot of code. And it's not a problem if your solution is to use something other than gitolite, even if keeping gitolite would be better for personal reasons.


EDIT 1:

So this is how things currently work:

When I try to clone the default testing.git repository with this command:

git clone ssh://git@dataserver/testing.git

With the following ~/.ssh/config:

host dataserver
    hostname dataserver
    IdentityFile ~/.ssh/user
    User git

My terminal tells me this:

Cloning into 'testing'...
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

But if I add a public key for my user (user.pub) to the keydir folder, everything is fine:

git clone ssh://git@dataserver/testing.git
Cloning into 'testing'...
Enter passphrase for key '/home/user/.ssh/user_rsa':
warning: You appear to have cloned an empty repository.
Checking connectivity... done.

And the git repository is here:

ls -l | grep testing
drwxrwxr-x 3 user user 4096 Mar 23 11:03 testing

EDIT 2:

I'm just adding how my dataserver queries OpenLDAP to get users' public keys (just in case).

/etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/ssh-keyldaps %u
AuthorizedKeysCommandUser nobody

/usr/bin/ssh-keyldaps:

#!/bin/sh
# sshd passes %u (the login name being authenticated) as the first argument
uid="$1"
ldapsearch       -H ldaps://ldapserver \
                 -b dc=my,dc=domain \
                 -x -LLL \
                 -o ldif-wrap=no \
                 "(&(uid=$uid)(sshPublicKey=*))" 'sshPublicKey' |
                 sed -n 's/^sshPublicKey:\s*\(.*\)$/\1/p'

I excluded some lines since they are only there for logging purposes.

And thanks to this config, all users registered in LDAP with an sshPublicKey can log into dataserver with their private key.

zrtYouyou
  • Do you mean, as in https://stackoverflow.com/a/22690631/6309? Or https://stackoverflow.com/a/17985744/6309? – VonC Mar 22 '18 at 13:10
  • Your first link is close to what I want. Instead of getting group information from LDAP, I want to get the connecting user's public keys. Your second link uses an HTTP method, which does not fit my needs since I want to use SSH methods. – zrtYouyou Mar 22 '18 at 13:47
  • Once you have the login confirmed from ldap, the public key should be registered/accessible in the `gitolite-admin/keys` folder, no? – VonC Mar 22 '18 at 13:50
  • I'm editing my question to provide more details about the current behavior – zrtYouyou Mar 23 '18 at 09:45

1 Answer


AuthorizedKeysCommand for the sshd_config is probably what you want to have a look at. The documentation snippet reads like gitolite doesn't ship with anything for that, but rather relies on external factors.

You can set up sssd to authenticate against the LDAP server and then use sss_ssh_authorizedkeys, for example.

Documentation should be easily findable.

towo
  • On my data server, the `sshd_config` already calls a script to query users' public keys from LDAP. Thanks to that, people can connect to the data server through ssh by using their private key. – zrtYouyou Mar 22 '18 at 12:42
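The answer above points at AuthorizedKeysCommand, and the poster's EDIT 2 already has one; what is missing is the gitolite side. Gitolite does not identify users by the login name (every connection is `git@dataserver`) but by the forced command it writes in front of each key in ~git/.ssh/authorized_keys, `command="/path/to/gitolite-shell <gitolite user>",...`. An AuthorizedKeysCommand run for the git account therefore has to return all LDAP keys with that prefix and let sshd pick the one matching the key the client presents. The script below is an added example written for this page; it is not code from the original post or from the gitolite project. It assumes the script is installed as /usr/local/bin/ldap-gitolite-keys, that gitolite-shell lives at /home/git/bin/gitolite-shell, that the LDAP URI, base DN and uid/sshPublicKey attributes are those of the poster's script, and the LDIF at the bottom is a constructed sample with fake key material standing in for ldapsearch output.

```shell
#!/bin/sh
# Added example (not from the original post or from gitolite itself): a single
# AuthorizedKeysCommand for the data server, installed (assumed path) as
#   AuthorizedKeysCommand /usr/local/bin/ldap-gitolite-keys %u
#   AuthorizedKeysCommandUser nobody
# For ordinary users it returns plain keys like the poster's ssh-keyldaps.
# For the "git" account %u is always "git", so it returns every LDAP key,
# each prefixed with the forced command gitolite writes from keydir/:
#   command="<gitolite-shell> <uid>",<restrictions> <key>
# which is how gitolite-shell learns which gitolite user is connecting.

LDAP_URI='ldaps://ldapserver'        # same server and base DN as the poster's script
BASE_DN='dc=my,dc=domain'
GITOLITE_SHELL="${GITOLITE_SHELL:-/home/git/bin/gitolite-shell}"   # assumed install path
RESTRICTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Read LDIF on stdin and print "uid key" for every sshPublicKey value.
# ldapsearch emits "sshPublicKey:: <base64>" for values that are not
# LDIF-safe (non-ASCII in the comment, leading space); a sed on
# "sshPublicKey:" alone silently drops those keys, so both forms are handled.
ldif_keys() {
    uid=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '')                 uid='' ;;                     # end of entry
            'uid: '*)           uid=${line#uid: } ;;
            'sshPublicKey:: '*)
                key=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d)
                if [ -n "$uid" ]; then printf '%s %s\n' "$uid" "$key"; fi ;;
            'sshPublicKey: '*)
                if [ -n "$uid" ]; then printf '%s %s\n' "$uid" "${line#sshPublicKey: }"; fi ;;
        esac
    done
}

# One authorized_keys line for gitolite user $1 with key $2.  The uid comes
# from the directory and lands inside a double-quoted option, so a value
# outside gitolite's username characters is dropped instead of quoted.
emit_gitolite_line() {
    case "$1" in ''|*[!A-Za-z0-9._@+-]*) return 0 ;; esac
    printf 'command="%s %s",%s %s\n' "$GITOLITE_SHELL" "$1" "$RESTRICTIONS" "$2"
}

# LDIF on stdin -> gitolite authorized_keys lines on stdout.
ldif_to_gitolite_keys() {
    ldif_keys | while IFS=' ' read -r uid key; do
        emit_gitolite_line "$uid" "$key"
    done
}

# What sshd gets for a normal login user (needs ldapsearch and the server;
# the login name is checked before it is interpolated into the LDAP filter).
plain_keys_for_user() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 0 ;; esac
    ldapsearch -H "$LDAP_URI" -b "$BASE_DN" -x -LLL -o ldif-wrap=no \
        "(&(uid=$1)(sshPublicKey=*))" uid sshPublicKey | ldif_keys | cut -d' ' -f2-
}

# What sshd gets for the git account: all users' keys, gitolite style.
gitolite_keys() {
    ldapsearch -H "$LDAP_URI" -b "$BASE_DN" -x -LLL -o ldif-wrap=no \
        '(sshPublicKey=*)' uid sshPublicKey | ldif_to_gitolite_keys
}

# Constructed sample standing in for ldapsearch output: fake key material,
# the second key base64-encoded the way ldapsearch would emit it.
ALICE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisExample alice@laptop'
BOB_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeKeyMaterialForThisExample bob@bureau'
SAMPLE_LDIF=$(printf 'dn: uid=alice,ou=people,%s\nuid: alice\nsshPublicKey: %s\n\ndn: uid=bob,ou=people,%s\nuid: bob\nsshPublicKey:: %s\n' \
    "$BASE_DN" "$ALICE_KEY" "$BASE_DN" "$(printf '%s' "$BOB_KEY" | base64 | tr -d '\n')")

# Entry point when sshd calls the script with %u.  With no argument nothing
# runs, so the file can be sourced and the parser tried on the sample:
#   . ./ldap-gitolite-keys; printf '%s\n' "$SAMPLE_LDIF" | ldif_to_gitolite_keys
if [ $# -gt 0 ]; then
    if [ "$1" = git ]; then gitolite_keys; else plain_keys_for_user "$1"; fi
fi
```

sshd consults AuthorizedKeysFile before AuthorizedKeysCommand, so keys gitolite itself manages from keydir/ (the admin key, for instance) keep working, and an LDAP user only needs a matching name in conf/gitolite.conf. The script must be readable by the AuthorizedKeysCommandUser (nobody here), which must also be able to reach the LDAP server; and since the uid is a directory-controlled value written inside a quoted option, anything outside gitolite's username characters is dropped rather than escaped.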