Problems with LDAP auth in Apache, works only for one group

Posted by tore- on Server Fault See other posts from Server Fault or by tore-
Published on 2010-03-17T12:30:23Z Indexed on 2010/03/17 12:31 UTC
Read the original article Hit count: 447

Filed under:
|
|
|
|

Hi,

I'm currently publishing some subversions repos within Apache:

<Location /dev/>
DAV svn
SVNPath /opt/svn/repos/dev/

AuthType Basic
AuthName "Subversion repo authentication"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPBindDN "CN=readonlyaccount,OU=Objects,DC=invalid,DC=now"
AuthLDAPBindPassword readonlyaccountspassword
AuthLDAPURL "ldap://invalid.domain:389/OU=Objects,DC=invalid,DC=domain?sAMAccountName?sub?(objectClass=*)"
Require ldap-group cn=dev,ou=SVN,DC=invalid,DC=domain

</Location>

This setup works great, but now we want to give an LDAP group read only access to our repo, then my apache config looks like this:

<Location /dev/>
DAV svn
SVNPath /opt/svn/repos/dev/

AuthType Basic
AuthName "Subversion repo authentication"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPBindDN "CN=readonlyaccount,OU=Objects,DC=invalid,DC=now"
AuthLDAPBindPassword readonlyaccountspassword
AuthLDAPURL "ldap://invalid.domain:389/OU=Objects,DC=invalid,DC=domain?sAMAccountName?sub?(objectClass=*)"

<Limit OPTIONS PROPFIND GET REPORT>
Require ldap-group cn=dev-ro,ou=SVN,dc=invalid,dc=domain
</Limit>

<LimitExcept OPTIONS PROPFIND GET REPORT>
Require ldap-group cn=dev-rw,ou=SVN,dc=invalid,dc=domain
</LimitExcept>

</Location>

All of my user accounts is under: OU=Objects,DC=invalid,DC=domain
All groups related to subversion is under: ou=SVN,dc=invalid,dc=domain

The problem after modification, only users in the dev-ro LDAP group is able to authenticate.

I know that authentication with LDAP works, since my apache logs show my usernames:
10.1.1.126 - tore [...] "GET /dev/ HTTP/1.1" 200 339 "-" "Mozilla/5.0 (...)"
10.1.1.126 - - [...] "GET /dev/ HTTP/1.1" 401 501 "-" "Mozilla/4.0 (...)"
10.1.1.126 - readonly [...] "GET /dev/ HTTP/1.1" 401 501 "-" "Mozilla/4.0 (...)

  1. line = user in group dev-rw, 2. line is unauthenticated user, 3. line is unauthenticated user, authenticated as a user in group dev-ro

So I think I've messed up my apache config. Advise?

© Server Fault or respective owner

Related posts about ldap

Related posts about apache