I am evaluating the possibilities of moving my organisation to Mercurial; however, I am stumbling on two basic requirements which I can't find proper pointers to.
How do I set up Mercurial's central repository to authenticate users with the central Active Directory and only allow them to push or pull if they have the right credentials?
How do I set up a Mercurial project repository to only allow users pertaining to a specific group to push/pull source code? We need this to have per-project authorisation.
On which HTTP servers (IIS or Apache etc.) are the above two requirements supported?
Apologies if I am asking something obvious or if I am missing something fundamental about how authentication and authorisation works.
I did a four-part blog post on the setup of Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:
http://www.endswithsaurus.com/2010/05/setting-up-and-configuring-mercurial-in.html
I hope it's useful to people...
You can do it with Apache. Check how to restrict pushing in Apache at:
http://mercurial.selenic.com/wiki/PublishingRepositories#pushing
See above in the same file for how to configure Mercurial, its permissions and all users allowed by Apache.
After you've set up Mercurial and Apache, you can use mod_authnz_ldap to only allow access to Active Directory users:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
Don't forget to check the paragraph on Active Directory configuration.
That should be enough for you.
Best of luck,
João Miguel Neves
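
The Apache side of the setup described in the answer above, as an added example that is not part of the original posts. It assumes Apache 2.2 with mod_ssl, mod_ldap and mod_authnz_ldap loaded and hgweb already published under /hg; example.com, the DNs, the svc-hg account, the certificate path and the /hg/project-* paths are constructed placeholders.

```apache
# Constructed example: example.com, the DNs, svc-hg and the /hg/* paths are placeholders.
# mod_ldap must trust the CA that signed the domain controller's certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-ca.pem

# Settings shared by every repository under /hg
<Location /hg>
    # Basic auth sends the AD password on every request, so refuse plain HTTP.
    SSLRequireSSL
    AuthType Basic
    AuthName "Mercurial"
    AuthBasicProvider ldap
    # Look users up by their AD logon name. For a multi-domain forest, see the
    # Active Directory paragraph of the mod_authnz_ldap documentation.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Low-privilege service account used only for the search bind.
    AuthLDAPBindDN "CN=svc-hg,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE-ME"
    # Default for repositories without their own rule: any authenticated AD user.
    Require valid-user
</Location>

# Per-project authorisation: pull and push both require group membership.
# These sections come after /hg, so their Require replaces "valid-user".
<Location /hg/project-a>
    Require ldap-group CN=hg-project-a,OU=Groups,DC=example,DC=com
</Location>

<Location /hg/project-b>
    Require ldap-group CN=hg-project-b,OU=Groups,DC=example,DC=com
</Location>

# Apache only decides who reaches the repository. hgweb still refuses pushes
# until each repository's .hg/hgrc allows them, for example:
#   [web]
#   allow_push = *
#   push_ssl = true
```

With `allow_push = *`, hgweb accepts a push from any user Apache has authenticated, so the `Require ldap-group` line is what enforces the per-project boundary; list individual user names in `allow_push` instead if push rights should be narrower than pull rights.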