Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication


If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

Here is the minimum needed for AD ldap authentication and authorization:

<Location /path/to/repo/>
    # Basic auth sends the password with every request: serve this over HTTPS only.
    AuthType Basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    # URL = host:port / base DN ? attribute the login name is matched against.
    # sAMAccountName is the Windows logon name, so no DOMAIN\ prefix is typed.
    # The trailing NONE means an unencrypted LDAP connection (SSL or TLS encrypts it).
    AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    # AD group objects list members as "member: <user DN>"; that is what ldap-group
    # compares against (AuthLDAPGroupAttribute member / AuthLDAPGroupAttributeIsDN on
    # are the defaults, so nothing extra is needed here).
    Require ldap-group DN of group allowed access to repo
</Location>

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.
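A fuller version of the same setup, added here as an example that is not part of the answer above: a repository served by mod_dav_svn, restricted to one AD group, with the LDAP connection on the LDAPS global-catalog port and Basic auth forced over HTTPS. The hostname, paths, service account, group DN and certificate path are placeholders, not values from the original question.

```apache
# Added example (not from the original answer). Assumes httpd 2.2 with mod_ssl,
# mod_ldap, mod_authnz_ldap and mod_dav_svn loaded. Host, paths, DNs and the
# service account are placeholders to be replaced with your own.

# mod_ldap settings are global: it needs the CA that signed the domain
# controllers' certificates before it will open an LDAPS connection.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-root-ca.pem

<Location /svn>
    DAV svn
    SVNParentPath /var/svn/repos

    # Basic auth sends the password on every request: refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # 3269 is the global catalog over LDAPS (3268 is its cleartext twin), so
    # the user's password leaves this host encrypted. sAMAccountName is the
    # Windows logon name, so people sign in as "dweintraub" with no DOMAIN\
    # prefix. The filter limits the match to user objects.
    AuthLDAPURL "ldap://ldap.example.com:3269/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)" SSL
    AuthLDAPBindDN "CN=svc-svn-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "service-account-password"

    # AD group objects carry "member: <user DN>"; ldap-group does an LDAP
    # compare of the authenticated user's DN against that attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Members of this group get read/write; everyone else is denied outright.
    Require ldap-group CN=SVN-GROUP,CN=Users,DC=example,DC=com
</Location>
```

Before reloading httpd, check the bind account and the group data from the same host with the same credentials, for example `ldapsearch -H ldaps://ldap.example.com:3269 -D "CN=svc-svn-ldap,OU=Service Accounts,DC=example,DC=com" -W -b dc=example,dc=com "(sAMAccountName=dweintraub)" memberOf`; if that search does not return the group, neither will Apache. The bind password sits in clear text in httpd.conf, so keep the file readable only by root and the httpd user and give the service account no rights beyond reading the directory. If some paths inside the repository need tighter rules than "every group member can write", add mod_authz_svn's AuthzSVNAccessFile on top of this block; the ldap-group check still gates who reaches the repository at all.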

Author: David W.

Updated on August 16, 2020

Comments

  • David W.
    David W. over 3 years

    I am attempting to set up Apache httpd with LDAP access for Subversion, and need a bit of help:

    What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.

    The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM) is:

    CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
    

    and the members of the group are in this record like this:

    member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
    member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM
    

    If you look up my record in LDAP, you'll see:

    memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
    Name: David Weintraub
    Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
    sAMAccountName: dweintraub
    

    What I'd like to do is to login as dweintraub (which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany domain.

    I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.

    Which reminds me, can anyone recommend a good Apache book?

    • khmarbaise
      khmarbaise about 13 years
      Have you checked the alias definition for the access file in Subversion? svnbook.red-bean.com/nightly/en/… (look for [aliases])
    • David W.
      David W. about 13 years
      That would mean I have to modify my Subversion configuration every time a new employee comes or goes. I want to pass this task off onto our Windows administrator who has to set this up anyway. Whenever we get a new employee, and that employee is a member of this group, they have Subversion access. When that employee leaves, they no longer have Subversion access.
    • Stasik
      Stasik over 12 years
      jbruni, could you please post an example of an ldap-group DN?
  • David W.
    David W. about 13 years
    Thanks for the help. I haven't had time to try it out yet, but I can see what I was doing wrong. I didn't have that ?sAMAccountName on the end of my AuthLDAPURL. Are there any good books on Apache httpd?
  • jbruni
    jbruni about 13 years
    I'd start with the O'Reilly books. They're always good. Unfortunately, it looks like Definitive Guide (3rd edition) is based on apache 2.0. It should be enough to get you started.
  • Kalpesh Soni
    Kalpesh Soni over 11 years
      Everything works for me except for the require-group part. I am also using mod_dav_svn and file as provider; the svn access file allows me to make some directories read-only for some users. I want to make sure that my entire repo is available to only one AD group, but I can't get that part to work.