Mercurial (hg) with active directory

Solution 1:

Well, I started with this tutorial.

After I'd finished that, I made the following additional changes on the server (Windows 2008):

  • Configured IIS to use SSL;
  • Disabled anonymous authentication for the site;
  • Enabled Basic and Windows authentication for the site;
  • Configured NTFS permissions on the repository folder.

You also need to add the following to your repository's .hg\hgrc file:

    allow_push = *

On the client side I had to explicitly specify the username and password.

Solution 2:

If you're looking for an integrated system that can work on Windows and Unix and authenticate to AD/LDAP, try out RhodeCode. It's a kind of local instance of Bitbucket/GitHub that serves repositories. It comes with a permission system, easy user management, code review, etc.

Solution 3:

I wrote a 4-part blog post a couple of months back that allows you to use Active Directory/IIS to host Mercurial's web server. It works a treat:

It walks you through:

  • Setup of Mercurial within IIS
  • Configuring the ISAPI extensions for Python
  • ISAPI rewrite to hide ugly URLs
  • Configuration of security privileges using Active Directory
  • Customization of the web UI

Solution 4:

Ben already gave you a good guide for setting up Mercurial on IIS with AD.

I would just like to add that the key thing you need to know is that the built-in (Fast)CGI script in Mercurial does not authenticate users. The CGI script we supply relies on a front-end webserver to do the authentication. So you must set up Apache, IIS, nginx, ... to do authentication before they invoke the script. (However, you can use the excellent RhodeCode if you want a Bitbucket-like system with LDAP support that you can hook up to AD too.)

This separation of concerns makes Mercurial very flexible: if you want Active Directory authentication, then you just use the standard plugin for your webserver to do that. Many sites will already have this setup and so Mercurial will "just work" :-)

So Mercurial never checks any passwords — the authentication part. But it can do authorization, meaning that it can allow or forbid users from pushing or pulling, etc. This is done based on the username stored in the standard REMOTE_USER CGI variable. It is up to the webserver to set this variable after it has authenticated the remote user.

In Mercurial, the username is matched against the allow_push and allow_read lists in the [web] section to determine if the user is allowed to push or pull/clone the repository in question. This can of course be configured on a per-repository basis by editing the .hg\hgrc files in each repository.
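To make the split between authentication (the web server) and authorization (Mercurial) concrete, here is an added illustration that is not Mercurial's own code: a simplified model of the allow/deny decision described above, taking a dict that stands in for the [web] section and a dict that stands in for the CGI environment IIS hands to the script. It assumes the list semantics that a list consisting only of `*` matches any caller, including an unauthenticated one (no REMOTE_USER), which is why the IIS-side step of disabling anonymous authentication matters; the `DOMAIN\user` names are constructed samples.

```python
# Added illustration, not code from Mercurial. Models the hgweb authorization
# decision: the web server authenticates and sets REMOTE_USER; this code only
# matches that name against the [web] allow/deny lists of .hg\hgrc.
from typing import Optional


def _members(value: str) -> list:
    """Split a comma/whitespace separated hgrc list value (constructed helper)."""
    return [x for x in value.replace(",", " ").split() if x]


def _ismember(user: Optional[str], userlist: list) -> bool:
    # Assumed semantics: a bare "*" list admits everyone, even an anonymous caller.
    return userlist == ["*"] or user in userlist


def check_authz(web_cfg: dict, environ: dict, op: str) -> str:
    """Return 'ok' or a short denial reason for op in {'pull', 'push'}."""
    user = environ.get("REMOTE_USER") or None  # missing/empty == anonymous
    deny_read = _members(web_cfg.get("deny_read", ""))
    if deny_read and (not user or _ismember(user, deny_read)):
        return "read not authorized"
    allow_read = _members(web_cfg.get("allow_read", ""))
    if allow_read and not _ismember(user, allow_read):
        return "read not authorized"
    if op == "pull":
        return "ok"
    # Pushing: require TLS unless push_ssl is explicitly false, so that the
    # Basic credentials the front-end checks cannot be sniffed and replayed.
    if (web_cfg.get("push_ssl", "true").lower() != "false"
            and environ.get("wsgi.url_scheme") != "https"):
        return "ssl required"
    deny_push = _members(web_cfg.get("deny_push", ""))
    if deny_push and (not user or _ismember(user, deny_push)):
        return "push not authorized"
    allow_push = _members(web_cfg.get("allow_push", ""))
    if not (allow_push and _ismember(user, allow_push)):
        return "push not authorized"
    return "ok"


# Constructed samples: the wide-open setting from Solution 1 beside a per-user list.
OPEN_CFG = {"allow_push": "*"}
RESTRICTED_CFG = {"allow_read": "*", "allow_push": "DOMAIN\\jdoe, DOMAIN\\asmith"}

if __name__ == "__main__":
    anon_https = {"wsgi.url_scheme": "https"}  # IIS let an anonymous request through
    print(check_authz(OPEN_CFG, anon_https, "push"))        # ok: "*" admits anyone
    print(check_authz(RESTRICTED_CFG, anon_https, "push"))  # push not authorized
```

The first call shows that `allow_push = *` on its own does not require a login; only the web server's authentication (and the explicit user list in the second configuration) keeps anonymous pushes out.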