Problems with LDAP auth in Apache, works only for one group
Posted
by tore-
on Server Fault
See other posts from Server Fault
or by tore-
Published on 2010-03-17T12:30:23Z
Indexed on
2010/03/17
12:31 UTC
Read the original article
Hit count: 451
Hi,
I'm currently publishing some subversions repos within Apache:
<Location /dev/>
DAV svn
SVNPath /opt/svn/repos/dev/
AuthType Basic
AuthName "Subversion repo authentication"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPBindDN "CN=readonlyaccount,OU=Objects,DC=invalid,DC=now"
AuthLDAPBindPassword readonlyaccountspassword
AuthLDAPURL "ldap://invalid.domain:389/OU=Objects,DC=invalid,DC=domain?sAMAccountName?sub?(objectClass=*)"
Require ldap-group cn=dev,ou=SVN,DC=invalid,DC=domain
</Location>
This setup works great, but now we want to give an LDAP group read only access to our repo, then my apache config looks like this:
<Location /dev/>
DAV svn
SVNPath /opt/svn/repos/dev/
AuthType Basic
AuthName "Subversion repo authentication"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPBindDN "CN=readonlyaccount,OU=Objects,DC=invalid,DC=now"
AuthLDAPBindPassword readonlyaccountspassword
AuthLDAPURL "ldap://invalid.domain:389/OU=Objects,DC=invalid,DC=domain?sAMAccountName?sub?(objectClass=*)"
<Limit OPTIONS PROPFIND GET REPORT>
Require ldap-group cn=dev-ro,ou=SVN,dc=invalid,dc=domain
</Limit>
<LimitExcept OPTIONS PROPFIND GET REPORT>
Require ldap-group cn=dev-rw,ou=SVN,dc=invalid,dc=domain
</LimitExcept>
</Location>
All of my user accounts is under: OU=Objects,DC=invalid,DC=domain
All groups related to subversion is under: ou=SVN,dc=invalid,dc=domain
The problem after modification, only users in the dev-ro
LDAP group is able to authenticate.
I know that authentication with LDAP works, since my apache logs show my usernames:
10.1.1.126 - tore [...] "GET /dev/ HTTP/1.1" 200 339 "-" "Mozilla/5.0 (...)"
10.1.1.126 - - [...] "GET /dev/ HTTP/1.1" 401 501 "-" "Mozilla/4.0 (...)"
10.1.1.126 - readonly [...] "GET /dev/ HTTP/1.1" 401 501 "-" "Mozilla/4.0 (...)
- line = user in group
dev-rw
, 2. line is unauthenticated user, 3. line is unauthenticated user, authenticated as a user in groupdev-ro
So I think I've messed up my apache config. Advise?
© Server Fault or respective owner