| | | |
|---|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-23 12:13:45 +0300 |
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-23 12:13:45 +0300 |
| commit | c4aa8e8d143532f574ba4a5eda774fa6038fefac | |
| tree | d0fefa3c0fcc25459b853883a231ced4da15bb9e /doc/integration/kerberos.md | |
| parent | 7b87f43b5b0f5e0a9ab28f12d7b539d9c1a53435 | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration/kerberos.md')
-rw-r--r-- | doc/integration/kerberos.md | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/doc/integration/kerberos.md b/doc/integration/kerberos.md index 0f9bf3ba1d1..ef19412733f 100644 --- a/doc/integration/kerberos.md +++ b/doc/integration/kerberos.md @@ -9,9 +9,8 @@ info: "To determine the technical writer assigned to the Stage/Group associated GitLab can integrate with [Kerberos](https://web.mit.edu/kerberos/) as an authentication mechanism. WARNING: -GitLab CI/CD does not work with a Kerberos-enabled GitLab instance due to an unresolved -[bug in Git CLI](https://lore.kernel.org/git/YKNVop80H8xSTCjz@coredump.intra.peff.net/T/#mab47fd7dcb61fee651f7cc8710b8edc6f62983d5) -that fails to use job token authentication from the GitLab Runners. +GitLab CI/CD doesn't work with a Kerberos-enabled GitLab instance unless the integration is +[set to use a dedicated port](#http-git-access-with-kerberos-token-passwordless-authentication). ## Overview 
@@ -235,19 +234,23 @@ know the `libcurl` version installed, run `curl-config --version`. ### HTTP Git access with Kerberos token (passwordless authentication) -#### Support for Git before 2.4 - -Until Git version 2.4, the `git` command uses only the `negotiate` authentication +Because of [a bug in current Git versions](https://lore.kernel.org/git/YKNVop80H8xSTCjz@coredump.intra.peff.net/T/#mab47fd7dcb61fee651f7cc8710b8edc6f62983d5), +the `git` CLI command uses only the `negotiate` authentication method if the HTTP server offers it, even if this method fails (such as when the client does not have a Kerberos token). It is thus not possible to fall back -to username/password (also known as `basic`) authentication if Kerberos +to an embedded username and password (also known as `basic`) authentication if Kerberos authentication fails. For GitLab users to be able to use either `basic` or `negotiate` authentication -with older Git versions, it is possible to offer Kerberos ticket-based +with current Git versions, it is possible to offer Kerberos ticket-based authentication on a different port (for example, `8443`) while the standard port offers only `basic` authentication. +NOTE: +[Git 2.4 and later](https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.0.txt#L225-L228) supports falling back to `basic` authentication if the +username and password is passed interactively or through a credentials manager. It fails to fall back when the username and password is passed as part of the URL instead. For example, +this can happen in GitLab CI/CD jobs that [authenticate with the CI/CD job token](../ci/jobs/ci_job_token.md). + **For source installations with HTTPS** 1. Edit the NGINX configuration file for GitLab |
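Review bot: In the rewritten `WARNING:` of the first hunk (`@@ -9,9 +9,8 @@`), "unless the integration is set to use a dedicated port" does not say which side moves to the dedicated port. The section it links to offers Kerberos ticket-based authentication on a different port (for example, `8443`) while the standard port offers only `basic`, and it is the `basic`-only standard port that matters for jobs authenticating with the CI/CD job token. Suggest wording such as "unless Kerberos authentication is offered on a dedicated port and the standard port offers only `basic` authentication", so an administrator does not read it as moving all Git HTTP traffic to the new port.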
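Review bot: The opening paragraph of the second hunk (`@@ -235,19 +234,23 @@`) and the added `NOTE:` contradict each other as written: the paragraph says it is "not possible to fall back" when `negotiate` fails, while the note says Git 2.4 and later does fall back when the credentials are passed interactively or through a credentials manager. Scope the first paragraph to credentials passed as part of the URL, and reword "an embedded username and password (also known as `basic`) authentication", since `basic` names the authentication method, not the embedding. Smaller points in the same hunk: "current Git versions" will go stale, so describe the affected condition instead; "supports" and "is passed" should agree with their plural subjects ("support", "are passed"); and the release-notes link uses `blob/master` with `#L225-L228`, which is better pinned to a tag so the line anchor cannot drift.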