from svn to git (+ LDAP + password-less updates + passworded access control)

If you still prefer using svn up for live site, read svn help up carefully and pay attention on some options in order to handle credential in the Smart Way

Global options:
  --username ARG           : specify a username ARG
  --password ARG           : specify a password ARG
  --no-auth-cache          : do not cache authentication tokens

We're also thinking to use git-http-backend, and use Apache for authentication, but then do we lose access control?

No, you can setup authentication with ldap almost exactly how you've have used it for SVN. Gitweb and git-http-backend use mod_ldap just like SVN for auth purposes.

Can the live site be automatically updated from a hook if Apache requires authentication?

Git comes with gitweb by default. It's prodominately what's used out there for an online browser for your source code base. You can configure it behind Apache with mod_ldap for auth purposes just like git-http-backend. No hook is required for updating the online browser and repositories listed within. This is all maintained by the cgi, git-http-backend.

Can we combine git-http-backend and gitosis/gitolite somehow?

gitolite is what you want:

https://github.com/sitaramc/gitolite/wiki/

Gitosis is basically depricated:

Ubuntu-server: gitosis user naming convention

Personally, we just use LDAP for user authorization and authentication. You don't really need gitolite for user management if you're using LDAP. You can use any general LDAP user management tool for this. Most linux distributions come with a variety of UI tools for managing openLDAP. If you windows, just use active directory.

Both the default approach (git, gitweb, git-http-backend, LDAP) and gitolite support the following:

• they are not "real" users, as in logins on the physical box hosting (according to how you use LDAP)
• they do not get shell access (according to how you use LDAP)
• control access to many git repositories
• read access controlled at the repo level
• can be installed without root access, assuming git and perl are already installed authentication is most commonly done using sshd, but you can also use httpd if you prefer (this may require root access).

However, if you want that fined-grained user management without LDAP and fit the following criteria, then gitolite might be a better solution:

• use a single unix user ("real" user) on the server
• provide access to many gitolite users
• write access controlled at the branch/tag/file/directory level, including who can rewind, create, and delete branches/tags

From http://sitaramc.github.com/gitolite/index.html#gl_what

Can we store http credentials with git?

Yes, you can store/assign users using git config:

git config --global user.name "Foo Bar"
git config --global user.email "[email protected]"
git config --global user.password "yourpassword"
git config --global github.user "yourusername"
git config --global github.password "yourpassword"

Although, if you use it with SSH, make sure you're using CA certificates and not a self-signed. Git has this weird hack, sslVerify=false, to make it work with self-signed certs, which kindof seems to defeat the purpose of using certs.

When you go to migrate code from svn to git, you will need a good import tool. I couldn't find any that worked well for large repositories so I wrote my own. Feel free to experiment if you encounter issues with git-svn:

https://github.com/onepremise/SGMS