Apache httpd LDAP integration


Solution 1

You did not specify the group's DN correctly, as you can see from the error message. It should probably look like this:

Require ldap-group CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com

Edit: Since this doesn't seem to be the problem, make sure you have

AuthLDAPGroupAttribute member uniquemember
AuthLDAPGroupAttributeIsDN on

set, which I assume is correct for your AD environment. These are the defaults in mod_authnz_ldap, but it can only help to set them explicitly.

I don't really have any other ideas; your configuration looks correct. I am only wondering why you had no Require directive in your original configuration. But you said it was working, so maybe it defaults to Require valid-user.

Edit 2: Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features. This is documented here: https://ctf.open.collab.net/sf/go/artf4917. In our case this was a non-issue since we use AuthzSVNAccessFile for authorization. The Require ldap-group seems to have simply behaved like Require valid-user.

This doesn't really explain to me why you get a "Bad search filter" message, but in order to only allow members of your Development group to access the /svn location you should extend the AuthLDAPURL with a group filter and remove the Require ldap-group directive. Since you are using AD you can use memberOf along these lines:

AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?(&(objectCategory=person)(memberOf=CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com)) NONE

More detail here:

http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=417401

https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/FrequentlyAskedQuestions#section-FrequentlyAskedQuestions-HowCanIRestrictLogonToMembersOfAParticularGroup
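To see what the AuthLDAPURL above actually sends to the directory, here is an added Python example (not part of the answer or of Apache) that splits the URL into its fields the way mod_authnz_ldap does, rebuilds the final search filter (&(filter)(attribute=user)) with the user name escaped, and flags field values that would produce a malformed filter, such as a stray quote in the attribute name. The default values for attribute, scope and filter are the documented mod_authnz_ldap defaults.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter;
# mod_authnz_ldap escapes the user name the same way before searching.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url: str) -> dict:
    """Split the URL of an AuthLDAPURL directive into its fields.
    Form: ldap[s]://host[:port]/basedn?attribute?scope?filter (trailing fields optional)."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url.strip())
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, rest = m.groups()
    parts = rest.split("?", 3)
    parts += [""] * (4 - len(parts))
    basedn, attribute, scope, flt = parts
    return {
        "scheme": scheme,
        "host": host,
        "basedn": basedn,
        "attribute": attribute or "uid",        # mod_authnz_ldap default
        "scope": scope or "sub",                # mod_authnz_ldap default
        "filter": flt or "(objectClass=*)",     # mod_authnz_ldap default
    }

def check_auth_ldap_url(parsed: dict) -> list:
    """Return the problems that would make the server-side search fail."""
    problems = []
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", parsed["attribute"]):
        problems.append("attribute %r is not a valid attribute name" % parsed["attribute"])
    if parsed["scope"] not in ("one", "sub", "base"):
        problems.append("scope %r must be one, sub or base" % parsed["scope"])
    f = parsed["filter"]
    if not (f.startswith("(") and f.endswith(")")) or f.count("(") != f.count(")"):
        problems.append("filter %r is not parenthesised correctly" % f)
    return problems

def build_search_filter(parsed: dict, username: str) -> str:
    """Reproduce the filter mod_authnz_ldap sends: (&(filter)(attribute=user))."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"], escape_filter_value(username))

def group_member_filter(group_dn: str) -> str:
    """AD-style filter restricting matches to members of one group, as in the answer."""
    return "(&(objectCategory=person)(memberOf=%s))" % escape_filter_value(group_dn)
```

Running check_auth_ldap_url over the asker's URL from the question reports the trailing quote in the attribute field, which is exactly the kind of value the directory rejects as a bad filter.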

Solution 2

I'm giving this to daff anyway because his links led me to the actual issue. I couldn't get the filtering to work like daff suggested, but I did find the problem.

The statement that led me to the solution was:

Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features.

Several links daff suggested commented on this and offered no solution except to use filtering, which I couldn't seem to get to work.

I then decided to look at http.conf which Collabnet provided. And here's what I saw:

#LoadModule python_module      opt/CollabNet_Subversion/modules/mod_python.so
LoadModule dav_svn_module     opt/CollabNet_Subversion/modules/mod_dav_svn.so
LoadModule authz_svn_module   opt/CollabNet_Subversion/modules/mod_authz_svn.so
#LoadModule dontdothat_module  opt/CollabNet_Subversion/modules/mod_dontdothat.so

Ah! They're loading authz_svn_module! I simply disabled it:

#LoadModule python_module      opt/CollabNet_Subversion/modules/mod_python.so
LoadModule dav_svn_module     opt/CollabNet_Subversion/modules/mod_dav_svn.so
#LoadModule authz_svn_module   opt/CollabNet_Subversion/modules/mod_authz_svn.so
#LoadModule dontdothat_module  opt/CollabNet_Subversion/modules/mod_dontdothat.so

And then went back to my original configuration in collabnet_subversion.conf:

<Location /svn>
  DAV svn
  SVNParentPath /mnt/svn/new_repos
  SVNListParentPath on
  AuthName "VegiBanc Source Repository"
  AuthType basic
  AuthzLDAPAuthoritative off
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
  AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
  AuthLDAPBindPassword "swordfish"
  Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>

And, it now worked like a charm!

Thanks daff for your help. I think my issue with the filter is that I needed Require valid-user and I hadn't put that in, but this does now work.

Author: David W.

Updated on September 18, 2022

Comments

  • David W., over 1 year

    I am configuring a CollabNet Subversion integration. I have the following collabnet_subversion.conf file:

    <Location /svn>
      DAV svn
      SVNParentPath /mnt/svn/new_repos
      SVNListParentPath on
      AuthName "VegiBanc Source Repository"
      AuthType basic
      AuthzLDAPAuthoritative off
      AuthBasicProvider ldap
      AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
      AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=vegibanc,DC=vegibanc,DC=com"
      AuthLDAPBindPassword "swordfish"
    </Location>
    

    This works great. Any user in our Active Directory can access our Subversion repository.

    Now, I want to limit this to only people in the Active Directory group Development:

    <Location /svn>
      DAV svn
      SVNParentPath /mnt/svn/new_repos
      SVNListParentPath on
      AuthName "VegiBanc Source Repository"
      AuthType basic
      AuthzLDAPAuthoritative off
      AuthBasicProvider ldap
      AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
      AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
      AuthLDAPBindPassword "swordfish"
      Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
    </Location>
    

    I added Require ldap-group, but now no one can log in. I have LogLevel set to debug, but all I get is this in my error_log (Single line broken up for easier reading):

    [Thu Oct 11 13:09:28 2012] [info] [client 10.55.9.45] [6752] 
        vauth_ldap authenticate: user dweintraub authentication failed;
        URI /svn/ [ldap_search_ext_s() for user failed][Bad search filter]
    

    And, I get this in my access_log:

    10.55.9.45 - - [11/Oct/2012:13:09:27 -0500] "GET /svn/ HTTP/1.1" 401 401
    10.55.9.45 - dweintraub [11/Oct/2012:13:09:28 -0500] "GET /svn/ HTTP/1.1" 500 535
    

    Yes, I am in that group. (Or, at least, how can I confirm that, just to make sure that's not the issue? I have the SysinternalsSuite ADExplorer. It's where I'm getting all of my info.)

  • David W., over 11 years
    Sorry, missed two commas in the Require ldap-group. I had to edit what I was doing in order to hide proprietary information. (Hint: Password isn't really swordfish). However, the official Apache documentation for Require ldap-group specifically states "Do not surround the group name with quotes". I copied the LDAP group directly from ADExplorer, so I know it's correct.
  • daff, over 11 years
    Right, sorry about the quotes. I'll update my answer with something else you could try.
  • David W., over 11 years
    Thanks. It looks like this is an issue with CollabNet's Subversion package. Previously, I've either used the native package or rolled my own. It looks like the way they've compiled Apache, it forces the use of SVN's authz. I'll try the filter to see if it works.
  • David W., over 11 years
    Okay, I found a solution. It's not what you recommended, but your explanation and links led me to this solution. I tried the filtering, but it didn't seem to work. Probably because I didn't have the Require valid-user line.