SVN Authentication with LDAP and Active Directory

Solution 1

Set REFERRALS off in the server /etc/ldap/ldap.conf and try again.

And try adding "NONE" to the URL line:

AuthLDAPURL "ldap://192.168.1.6:389/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)" NONE

Try ldapsearch. Create a .ldaprc file in your home directory with this:

HOST 192.168.1.6
BASE DC=domain,DC=local
BINDDN CN=adminuser,OU=SBSAdmin Users,OU=Users,OU=MyBusiness,DC=domain,DC=local

Use it:

ldapsearch -D "CN=adminuser,OU=SBSAdmin Users,OU=Users,OU=MyBusiness,DC=domain,DC=local" -W sAMAccountName=user

It will ask for the BindDN password.

Solution 2

Diego gets the points as it finally led me to get it working. It may have been a case of changing the order of the params in my virtualhost, but this is what worked for me. I also copied the admin user DN directly from an LDAP GUI tool to ensure I had the correct bind details:

<VirtualHost *:80>
        ServerAdmin [email protected]
        ServerAlias svn.domain.local
        ServerName svn.domain.local
        DocumentRoot /var/www/svn/

        <Location />
                DAV svn
                SVNParentPath /var/local/svn/
                SVNListParentPath On
                AuthBasicProvider ldap
                AuthType Basic
                AuthzLDAPAuthoritative off
                AuthName "SVN Server"
                AuthLDAPURL "ldap://192.168.1.6:389/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
                AuthLDAPBindDN "CN=admin,OU=Admin Users,OU=Users,OU=MyBusiness,DC=domain,DC=local"
                AuthLDAPBindPassword ######
                Require valid-user
        </Location>
</VirtualHost>

Hope that helps someone else out!
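An added example (not from the question, the answers, or Apache's mod_authnz_ldap) that simulates the module's search-then-bind flow from Solutions 1 and 2 against a constructed toy directory. It shows why a rejected bind DN, a search base that does not contain the user's entry, and a wrong password all end up as the same failed login in Apache's log; the entry DNs and passwords are hypothetical.

```python
# Added example (not Apache's or OpenLDAP's code): simulate mod_authnz_ldap's
# search-then-bind against a constructed toy directory, to show that a search
# base that does not contain the user's entry fails exactly like a bad password.
from urllib.parse import urlsplit, unquote

# Constructed entries: DN -> ({attributes}, password). Hypothetical values.
DIRECTORY = {
    "CN=Alex H,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local":
        ({"sAMAccountName": "alexh"}, "alexpw"),
    "CN=admin,OU=SBSAdmin Users,OU=Users,OU=MyBusiness,DC=domain,DC=local":
        ({"sAMAccountName": "admin"}, "adminpw"),
}

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 2255 form) into base DN, attribute and scope."""
    parts = urlsplit(url)
    attribute, scope = (parts.query.split("?") + ["", ""])[:2]
    return {"base": unquote(parts.path.lstrip("/")),
            "attribute": attribute or "uid", "scope": scope or "sub"}

def in_scope(entry_dn, base, scope):
    """True if entry_dn lies under base for scope 'base', 'one' or 'sub'."""
    e = [c.strip().lower() for c in entry_dn.split(",")]  # no escaped commas here
    b = [c.strip().lower() for c in base.split(",")]
    if scope == "base":
        return e == b
    if scope == "one":
        return len(e) == len(b) + 1 and e[1:] == b
    return len(e) >= len(b) and e[len(e) - len(b):] == b

def simple_bind(dn, password):
    """LDAP simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def authenticate(url, bind_dn, bind_pw, username, password):
    """Phase 1: bind as AuthLDAPBindDN and search for the user under the URL's
    base. Phase 2: rebind as the DN found. Returns (ok, reason_or_dn)."""
    cfg = parse_auth_ldap_url(url)
    if not simple_bind(bind_dn, bind_pw):
        return False, "bind DN rejected"
    found = [dn for dn, (attrs, _) in DIRECTORY.items()
             if in_scope(dn, cfg["base"], cfg["scope"])
             and attrs.get(cfg["attribute"]) == username]
    if len(found) != 1:  # Apache reports this as "Invalid credentials" too
        return False, "user not found under search base"
    if not simple_bind(found[0], password):
        return False, "wrong user password"
    return True, found[0]
```

The filter part of the URL is (objectClass=*) on this page, so it is not evaluated; widening the base to DC=domain,DC=local, as Solution 2 does, is what lets accounts in sibling OUs be found.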

Solution 3

It may not directly answer your question, but did you consider using Subversion Edge? It is free to use (AGPLv3 license).

As you can see in this screenshot, it is quite simple to set up LDAP integration. You can even install the SSPI module, though this requires some manual work.

Alexander Holsgrove

Lead WordPress developer at Infotex

Updated on September 18, 2022

Comments

  • Alexander Holsgrove
    Alexander Holsgrove over 1 year

    I am having a few problems getting SVN authentication to work with LDAP / Active Directory. My SVN installation works fine, but after enabling LDAP in my apache vhost, I just can't get my users to authenticate.

    I can use a selection of LDAP browsers to successfully connect to Active Directory, but just can't seem to get this to work.

    • SVN is setup in /var/local/svn
    • Server is svn.domain.local
    • For testing, my repository is /var/local/svn/test

    My vhost file is as follows:

    <VirtualHost *:80>
            ServerAdmin [email protected]
            ServerAlias svn.domain.local
            ServerName svn.domain.local
            DocumentRoot /var/www/svn/
    
            <Location /test>
                    DAV svn
                    #SVNListParentPath On
                    SVNPath /var/local/svn/test
                    AuthzSVNAccessFile /var/local/svn/svnaccess
                    AuthzLDAPAuthoritative off
                    AuthType Basic
                    AuthName "SVN Server"
                    AuthBasicProvider ldap
                    AuthLDAPBindDN "CN=adminuser,OU=SBSAdmin Users,OU=Users,OU=MyBusiness,DC=domain,DC=local"
                    AuthLDAPBindPassword "admin password"
                    AuthLDAPURL "ldap://192.168.1.6:389/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
                    Require valid-user
            </Location>
    
            CustomLog /var/log/apache2/svn/access.log combined
            ErrorLog /var/log/apache2/svn/error.log
    </VirtualHost>
    

    In my error.log, I don't seem to get any bind errors (should I be looking elsewhere?), but just the following:

    [Thu Jun 21 09:51:38 2012] [error] [client 192.168.1.142] user alex: authentication failure for "/test/": Password Mismatch, referer: http://svn.domain.local/test/
    

    At the end of "AuthLDAPURL", I have seen people using TLS and NONE but neither seem to help in my case.

    I have the ldap modules loaded and have checked as much as I know, so any help would be most welcome. Thanks

  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Afraid that doesn't seem to work. I get the same "authentication failure" messages in /var/log/apache2/svn/error.log - I'm certain that my password is correct, and my username is "alexh" and not "[email protected]". Is there a way to get a more verbose output?
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Would I be able to use this ldapsearch tool to confirm that I can connect? I've struggled to understand what parameters to pass to it.
  • Diego Fernández Durán
    Diego Fernández Durán almost 12 years
    I've updated the solution with information about ldapsearch.
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Thanks Diego. I created the .ldaprc file in /home/user and then ran the ldapsearch. It gave me: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1). I also tried this command and it seemed to work: ldapsearch -x -b "dc=domain,dc=local" -D "domain\adminuser" -h 192.168.1.6 -p 389 -W - does that tell you anything?
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    OK, I made changes to my /etc/ldap/ldap.conf file and ran ldapsearch -x and it gave a bind error (LDAPv3) - error was "In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1"
  • Diego Fernández Durán
    Diego Fernández Durán almost 12 years
    Are you sure the binding credentials are OK? Active Directory is a little stubborn and wants the full BINDDN token.
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Edit: Looks like that test of yours works where I specify ldapsearch -D. So, the next step would be to get that working as part of SVN in the vhosts file. I'll test again
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    I enabled debug logging and this is the apache error.log:
    [Thu Jun 21 15:52:09 2012] [debug] mod_authnz_ldap.c(403): [client 192.168.1.142] [7066] auth_ldap authenticate: using URL ldap://192.168.1.6:389/OU=Users,OU=MyBusiness,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)
    [Thu Jun 21 15:52:09 2012] [info] [client 192.168.1.142] [7066] auth_ldap authenticate: user alexh authentication failed; URI /test/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
    [Thu Jun 21 15:52:09 2012] [error] [client 192.168.1.142] user alexh: authentication failure for "/test/": Password Mismatch
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Does it matter that the bind user, and the user that needs to login are in different OUs? My structure is DC->Users then I have SBSAdmin Users SBSUsers as 2 different OUs within the Users OU. This is so frustrating as I bet it's something really simple!
  • Diego Fernández Durán
    Diego Fernández Durán almost 12 years
    Recheck the binding credentials and use the full BindDN. In the AuthLDAPURL use only the domain: AuthLDAPURL "ldap://192.168.1.6:389/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    I'm afraid it's still not letting me in. I've tried several different attempts as the BindDN (username, [email protected], CN=username....) but none seem to work. The error log still seems to give me Invalid Credentials / Password Mismatch. Is this just an authentication problem (I thought if the BindDN was wrong, I would get a bind error and not a user login error), or perhaps something else?
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Can anyone help further please?
  • Alexander Holsgrove
    Alexander Holsgrove almost 12 years
    Thanks Stefan, I'm open to alternatives, and I will give Subversion Edge a go. I'd still like to find an answer to my specific problem as well, as I have seen others with similar problems. Thanks again