Is there a way to authorize a user via LDAP on a git repository? Or phrased slightly differently: Is there a way to deny people pull/push if they are not in a specific LDAP group?

Edit: Yes, great idea using PAM and/or a hook. Does anyone have experience using git in combination with pam_ldap?

+3  A: 

Should work:

  • Access git repos over SSH using standard logins (nothing unusual here).

  • Make your git repos have access permissions for a certain group, which particular logins have membership of.

  • Use pam-ldap to make your standard login system work with LDAP.

Is there a more specific way that JUST checks LDAP without affecting the rest of your system? I don't know, but it's probably possible with a pre-commit hook, or something like that.

Lee B

+2  A: 

You can use an update or pre-receive hook to do additional access control; see update-paranoid (in Perl) from contrib/hooks/ for an example (it doesn't use LDAP, but you can always modify it to use it, using for example DBI via DBD::LDAP to store permission configuration, or Authen::Simple::LDAP directly).

It might be possible to enhance tools such as gitosis (in Python) or gitolite, which are used to access git repositories via SSH without having to set up a (perhaps limited) separate shell account for each user, to use LDAP for authentication.

Jakub Narębski
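
A sketch of the hook approach from the two answers above, as an added example that is not part of either answer or of git's contrib/hooks: a pre-receive hook that rejects a push unless the pushing login is in one group. It assumes the server's NSS resolves LDAP groups (for example through nss_ldap or sssd), so `id -Gn` reports them; `REQUIRED_GROUP`, `PROTECTED_PREFIX` and the group name `git-writers` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-receive hook that denies pushes from logins outside one group.
# Assumption: NSS resolves LDAP groups, so `id -Gn` lists them with the local ones.
# REQUIRED_GROUP and PROTECTED_PREFIX are hypothetical settings for this sketch.
REQUIRED_GROUP="${REQUIRED_GROUP:-git-writers}"
PROTECTED_PREFIX="${PROTECTED_PREFIX:-refs/}"

# in_group GROUP "space separated list" -> 0 only on an exact name match
in_group() {
    for g in $2; do
        if [ "$g" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# user_groups USER -> group names as NSS reports them; empty output on failure,
# which makes the check below fail closed.
user_groups() {
    id -Gn "$1" 2>/dev/null
}

# check_push USER "GROUPS": reads the "<old> <new> <ref>" lines git feeds to
# pre-receive on stdin; returns 1 at the first protected ref the user may not update.
check_push() {
    user=$1
    groups=$2
    while read -r old new ref; do
        case "$ref" in
            "$PROTECTED_PREFIX"*)
                if ! in_group "$REQUIRED_GROUP" "$groups"; then
                    echo "denied: $user is not in $REQUIRED_GROUP ($ref)" >&2
                    return 1
                fi ;;
        esac
    done
    return 0
}

# Act as a hook only when installed as hooks/pre-receive, so the file can be sourced.
case "$0" in
    */pre-receive)
        u=$(id -un)
        check_push "$u" "$(user_groups "$u")" || exit 1 ;;
esac
```

Server-side hooks run only when a push is received, so read access (clone, fetch, pull) still has to be restricted with the repository's filesystem group permissions as in the first answer. Group names containing spaces would be split by `id -Gn` and need a different lookup.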