Apache httpd LDAP integration
Solution 1
You did not specify the group's DN correctly, as you can see from the error message. It should probably look like this:
Require ldap-group CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com
Edit: Since this doesn't seem to be the problem, make sure you have
AuthLDAPGroupAttribute member uniquemember
AuthLDAPGroupAttributeIsDN on
set, which I assume is correct for your AD environment. These are the defaults in mod_authnz_ldap, but it can only help to set them explicitly.
I don't really have any other ideas, your configuration looks correct. I am only wondering why you had no Require directive in your original configuration. But you said it was working, so maybe it defaults to Require valid-user.
Edit 2: Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features. This is documented here: https://ctf.open.collab.net/sf/go/artf4917. In our case this was a non-issue since we use AuthzSVNAccessFile for authorization. The Require ldap-group seems to have simply behaved like Require valid-user.
This doesn't really explain to me why you get a "Bad search filter" message, but in order to only allow members of your Development group to access the /svn location you should extend the AuthLDAPURL with a group filter and remove the Require ldap-group directive. Since you are using AD you can use memberOf along these lines (the URL is quoted because the DN contains spaces):
AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?(&(objectCategory=person)(memberOf=CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com))" NONE
More detail here:
http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=417401
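Added example (not code from either answer or from the Apache project): a small Python model of how the AuthLDAPURL argument is split into base DN, attribute, scope and filter, and how the per-login search filter is composed from it. The composition rule, one pair of surrounding parentheses stripped from the configured filter and the result wrapped as (&(filter)(attribute=user)), is my reading of mod_authnz_ldap and is stated as an assumption; the function names, the attribute-name check and the sample directives are mine. Running it against the three URL forms discussed in this thread shows which ones yield a syntactically usable filter, and the escaping step shows why a username cannot widen the match.

```python
import re

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
# This is what prevents a username from rewriting the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# An LDAP attribute description: letters, digits and hyphens only.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# The AuthLDAPURL argument: an optionally double-quoted URL, optionally
# followed by one of the connection-type keywords.
_ARG_RE = re.compile(r'^(?:"([^"]*)"|(\S+))(?:\s+(NONE|SSL|TLS|STARTTLS))?$')
_URL_RE = re.compile(r"^(ldaps?)://([^/]*)/(.*)$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(directive_args: str) -> dict:
    """Parse the argument text of an AuthLDAPURL directive into its parts.

    The URL form is ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]].
    A URL containing spaces (such as a DN with 'Security Groups') has to be
    double-quoted, otherwise httpd splits it into several arguments; this
    parser rejects such a line for the same reason.
    """
    m = _ARG_RE.match(directive_args.strip())
    if not m:
        raise ValueError("cannot parse AuthLDAPURL argument: quote URLs that contain spaces")
    url = m.group(1) if m.group(1) is not None else m.group(2)
    u = _URL_RE.match(url)
    if not u:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    fields = u.group(3).split("?", 3)
    fields += [""] * (4 - len(fields))  # pad the missing optional parts
    basedn, attribute, scope, ldap_filter = fields
    return {
        "scheme": u.group(1),
        "host": u.group(2),
        "basedn": basedn,
        "attribute": attribute or "uid",               # module default
        "scope": scope if scope == "one" else "sub",   # anything else falls back to sub
        "filter": ldap_filter or "objectclass=*",      # module default
        "connection": m.group(3) or "NONE",
    }


def build_search_filter(directive_args: str, username: str) -> str:
    """Compose the filter sent for one login attempt.

    Assumed composition (my reading of mod_authnz_ldap, not quoted from the
    thread): one pair of surrounding parentheses is removed from the
    configured filter and the result becomes (&(<filter>)(<attribute>=<user>)).
    An attribute that is not a valid attribute description cannot form a
    parsable filter, which is reported here the way the server would.
    """
    parts = parse_auth_ldap_url(directive_args)
    attribute = parts["attribute"]
    if not _ATTR_RE.match(attribute):
        raise ValueError(f"Bad search filter: invalid attribute name {attribute!r}")
    ldap_filter = parts["filter"]
    if ldap_filter.startswith("(") and ldap_filter.endswith(")"):
        ldap_filter = ldap_filter[1:-1]
    return f"(&({ldap_filter})({attribute}={escape_filter_value(username)}))"


# Constructed sample directive arguments mirroring the three forms discussed above.
URL_STRAY_QUOTE = 'ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE'
URL_ALL_USERS = "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName NONE"
URL_DEV_GROUP = (
    '"ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?'
    "(&(objectCategory=person)(memberOf=CN=Development,OU=Security Groups,"
    'OU=VegiBanc,dc=vegibanc,dc=com))" NONE'
)


def filter_or_error(directive_args: str, username: str) -> str:
    """Return the composed filter, or the error text a bad directive produces."""
    try:
        return build_search_filter(directive_args, username)
    except ValueError as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    for label, args in (("stray quote", URL_STRAY_QUOTE),
                        ("all users", URL_ALL_USERS),
                        ("Development group", URL_DEV_GROUP)):
        print(f"{label}: {filter_or_error(args, 'dweintraub')}")
    # A hostile username cannot widen the match: its metacharacters are escaped.
    print(filter_or_error(URL_ALL_USERS, "*)(sAMAccountName=*"))
```

The stray double quote after sAMAccountName in the question's URL ends up inside the attribute name and so can never form a valid filter, while the group-filtered URL composes into a nested AND that restricts the match to Development members before the username is even compared.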
Solution 2
I'm giving this to daff anyway because his links led me to the actual issue. I couldn't get the filtering to work like daff suggested, but I did find the problem.
The statement that led me to the solution was:
Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features.
Several links daff suggested commented on this and offered no solution except to use filtering which I couldn't seem to get to work.
I then decided to look at the http.conf which Collabnet provided. And here's what I saw:
#LoadModule python_module opt/CollabNet_Subversion/modules/mod_python.so
LoadModule dav_svn_module opt/CollabNet_Subversion/modules/mod_dav_svn.so
LoadModule authz_svn_module opt/CollabNet_Subversion/modules/mod_authz_svn.so
#LoadModule dontdothat_module opt/CollabNet_Subversion/modules/mod_dontdothat.so
Ah! They're loading authz_svn_module! I simply disabled it:
#LoadModule python_module opt/CollabNet_Subversion/modules/mod_python.so
LoadModule dav_svn_module opt/CollabNet_Subversion/modules/mod_dav_svn.so
#LoadModule authz_svn_module opt/CollabNet_Subversion/modules/mod_authz_svn.so
#LoadModule dontdothat_module opt/CollabNet_Subversion/modules/mod_dontdothat.so
And then went back to my original configuration in collabnet_subversion.conf:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>
And, it now worked like a charm!
Thanks daff for your help. I think my issue with the filter is that I needed Require valid-user and I hadn't put that in, but this does now work.
David W., updated on September 18, 2022
Comments
-
David W. over 1 year
I am configuring a CollabNet Subversion integration. I have the following collabnet_subversion.conf file:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=vegibanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
</Location>
This works great. Any user in our Active Directory can access our Subversion repository.
Now, I want to limit this to only people in the Active Directory group Development:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>
I added Require ldap-group, but now no one can log in. I have LogLevel set to debug, but all I get is this in my error_log (single line broken up for easier reading):
[Thu Oct 11 13:09:28 2012] [info] [client 10.55.9.45] [6752] vauth_ldap authenticate: user dweintraub authentication failed; URI /svn/ [ldap_search_ext_s() for user failed][Bad search filter]
And, I get this in my access_log:
10.55.9.45 - - [11/Oct/2012:13:09:27 -0500] "GET /svn/ HTTP/1.1" 401 401
10.55.9.45 - dweintraub [11/Oct/2012:13:09:28 -0500] "GET /svn/ HTTP/1.1" 500 535
Yes, I am in that group. (Or, at least how can I confirm that just to make sure that's not the issue. I have the SysinternalsSuite ADExplorer. It's where I'm getting all of my info.)
-
bahrep over 11 years: Looks similar but there is no "Bad search filter" in the error log: stackoverflow.com/questions/3178051/… did you try any steps from there?
-
David W. over 11 years: Sorry, missed two commas in the Require ldap-group. I had to edit what I was doing in order to hide proprietary information. (Hint: Password isn't really swordfish). However, the official Apache documentation for Require ldap-group specifically states "Do not surround the group name with quotes". I copied the LDAP group directly from ADExplorer, so I know it's correct.
-
daff over 11 years: Right, sorry about the quotes. I'll update my answer with something else you could try.
-
David W. over 11 years: Thanks. It looks like this is an issue with CollabNet's Subversion package. Previously, I've either used the native package or rolled my own. It looks like the way they've compiled Apache, it forces to use SVN's authz. I'll try the filter to see if it works.
-
David W. over 11 years: Okay, I found a solution. It's not what you recommended, but your explanation and links led me to this solution. I tried the filtering, but it didn't seem to work. Probably because I didn't have the Require valid-user line.