GIT, SSH, and GIT-SHELL

I've made a solution using LDAP, OpenSSH (>4.9) and git-shell.

OpenSSH's ForceCommand is perfect for the job. Consider the following configuration (everyone except admins has to use git-shell):

Match group *,!admin
    ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"

Access control is defined using ACLs and per-repository access groups: $REPONAME for read-write access and $REPONAME-ro for read-only access.

setfacl -bR -m "default:group:$REPONAME:rwX" -m "group:$REPONAME:rwX" "$GITROOT/$REPONAME"
setfacl -R -m "default:group:$REPONAME-ro:r-X" -m "group:$REPONAME-ro:r-X" "$GITROOT/$REPONAME"

Don't forget to run "nscd -i group" after each change, so that nscd's cached group data is invalidated.

Andor
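
An added example, not part of the original post: a shell function that audits getfacl output for a repository's top-level directory against the layout the two setfacl commands above produce. The function names, the sample repository "demo" and its path, and the check that "other" has no permissions are assumptions made for this example.

```shell
# Constructed sample: getfacl output for a repository named "demo".
sample_acl() {
cat <<'EOF'
# file: srv/git/demo
user::rwx
group::r-x
group:demo:rwx
group:demo-ro:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:demo:rwx
default:group:demo-ro:r-x
default:mask::rwx
default:other::---
EOF
}

# Reads getfacl output on stdin; returns 0 only if the expected layout is present.
check_repo_acl() {
    repo=$1
    acl=$(cat)
    rc=0
    # On a directory, the capital X passed to setfacl is reported as x.
    for want in \
        "group:$repo:rwx" \
        "default:group:$repo:rwx" \
        "group:$repo-ro:r-x" \
        "default:group:$repo-ro:r-x"
    do
        # -x matches the whole line, -F treats the entry as a fixed string
        if ! printf '%s\n' "$acl" | grep -qxF -- "$want"; then
            echo "MISSING: $want"; rc=1
        fi
    done
    # getfacl appends "#effective:..." when the mask strips bits from an entry
    if printf '%s\n' "$acl" | grep -q '#effective:'; then
        echo "WARNING: mask reduces at least one entry"; rc=1
    fi
    # Assumption: users outside both groups should have no access at all
    if ! printf '%s\n' "$acl" | grep -qxF 'other::---'; then
        echo "WARNING: other has permissions"; rc=1
    fi
    return $rc
}

sample_acl | check_repo_acl demo && echo "demo: ACL layout OK"
```

On a live host the input would come from something like `getfacl "$GITROOT/$REPONAME" | check_repo_acl "$REPONAME"`.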
