Apache HTTPD – Apache HTTPD LDAP Integration

Tags: apache-2.2, httpd, httpd.conf, ldap, svn

I am configuring a CollabNet Subversion integration. I have the following collabnet_subversion.conf file:

<Location /svn>
  DAV svn
  SVNParentPath /mnt/svn/new_repos
  SVNListParentPath on
  AuthName "VegiBanc Source Repository"
  AuthType basic
  AuthzLDAPAuthoritative off
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
  AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=vegibanc,DC=vegibanc,DC=com"
  AuthLDAPBindPassword "swordfish"
</Location>

This works great. Any user in our Active Directory can access our Subversion repository.

Now, I want to limit this to only people in the Active Directory group Development:

<Location /svn>
  DAV svn
  SVNParentPath /mnt/svn/new_repos
  SVNListParentPath on
  AuthName "VegiBanc Source Repository"
  AuthType basic
  AuthzLDAPAuthoritative off
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
  AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
  AuthLDAPBindPassword "swordfish"
  Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>

I added Require ldap-group, but now no one can log in. I have LogLevel set to debug, but all I get is this in my error_log (Single line broken up for easier reading):

[Thu Oct 11 13:09:28 2012] [info] [client 10.55.9.45] [6752] 
    vauth_ldap authenticate: user dweintraub authentication failed;
    URI /svn/ [ldap_search_ext_s() for user failed][Bad search filter]

And, I get this in my access_log:

10.55.9.45 - - [11/Oct/2012:13:09:27 -0500] "GET /svn/ HTTP/1.1" 401 401
10.55.9.45 - dweintraub [11/Oct/2012:13:09:28 -0500] "GET /svn/ HTTP/1.1" 500 535

Yes, I am in that group. (Or, at least, how can I confirm that, just to make sure that's not the issue? I have the Sysinternals Suite ADExplorer. It's where I'm getting all of my info.)

Best Answer

You did not specify the group's DN correctly, as you can see from the error message. It should probably look like this:

Require ldap-group CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com

Edit: Since this doesn't seem to be the problem, make sure you have

AuthLDAPGroupAttribute member uniquemember
AuthLDAPGroupAttributeIsDN on

set, which I assume is correct for your AD environment. These are the defaults in mod_authnz_ldap but it can only help to set them explicitly.

I don't really have any other ideas; your configuration looks correct. I am only wondering why you had no Require directive in your original configuration. But you said it was working, so maybe it defaults to Require valid-user.

Edit 2: Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features. This is documented here: https://ctf.open.collab.net/sf/go/artf4917. In our case this was a non-issue since we use AuthzSVNAccessFile for authorization. The Require ldap-group seems to have simply behaved like Require valid-user.

This doesn't really explain to me why you get a "Bad search filter" message, but in order to only allow members of your Development group to access the /svn location you should extend the AuthLDAPURL with a group filter and remove the Require ldap-group directive. Since you are using AD you can use memberOf along these lines:

AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?(&(objectCategory=person)(memberOf=CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com))" NONE

More detail here:

http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=417401

https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/FrequentlyAskedQuestions#section-FrequentlyAskedQuestions-HowCanIRestrictLogonToMembersOfAParticularGroup
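A small config linter, added here as an example (it is not code from the question, the answer, or mod_authnz_ldap), that catches the two problems discussed above: whitespace after the commas in a Require ldap-group DN, and an AuthLDAPURL that contains a space (the "Security Groups" OU) without being quoted, so httpd splits it at the space and the LDAP search filter that reaches the server is no longer balanced. SAMPLE is a constructed config fragment; the directive tokenising and quoting rules are a simplified assumption of httpd's behaviour.

```python
import re
from urllib.parse import urlsplit

MODES = {"NONE", "SSL", "TLS", "STARTTLS"}  # optional trailing AuthLDAPURL argument

# Constructed sample, not from the page: the question's Require ldap-group line plus the
# answer's memberOf URL pasted unquoted (the space in "Security Groups" splits the argument).
SAMPLE = """
  AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?(&(objectCategory=person)(memberOf=CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com)) NONE
  Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
"""

def parse_auth_ldap_url(url):
    """Split an RFC 4516 URL into base DN, attribute, scope and filter (mod_authnz_ldap defaults)."""
    p = urlsplit(url)
    attr, scope, filt = (p.query.split("?", 2) + ["", "", ""])[:3]
    return {"host": p.netloc, "base_dn": p.path.lstrip("/"), "attribute": attr or "uid",
            "scope": scope or "sub", "filter": filt or "(objectclass=*)"}

def normalize_dn(dn):
    """Strip whitespace around RDN separators; spaces inside values ("Security Groups") stay."""
    return ",".join(r.strip() for r in re.split(r"(?<!\\),", dn))

def split_url_arg(arg):
    """Return (url, problem) for the text after AuthLDAPURL, following httpd's quoting rules."""
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return (arg[1:end], None) if end > 0 else (arg[1:].split()[0], "unterminated quote")
    tokens = arg.split()
    if '"' in tokens[0] or any(t not in MODES for t in tokens[1:]):
        return tokens[0].rstrip('"'), "URL must be quoted (stray quote or embedded space)"
    return tokens[0], None

def lint_location(conf):
    """Check AuthLDAPURL and Require ldap-group lines in a <Location> block; return findings."""
    findings = []
    for raw in conf.splitlines():
        directive, arg = (raw.split(None, 1) + ["", ""])[:2]
        if directive == "AuthLDAPURL":
            url, problem = split_url_arg(arg.strip())
            if problem:
                findings.append("AuthLDAPURL: " + problem)
            filt = parse_auth_ldap_url(url)["filter"]
            if filt.count("(") != filt.count(")"):
                findings.append("AuthLDAPURL: unbalanced parentheses in search filter " + filt)
        elif directive == "Require" and arg.startswith("ldap-group"):
            dn = arg[len("ldap-group"):].strip()
            if dn != normalize_dn(dn):
                findings.append("Require ldap-group: whitespace around RDN separators, use " + normalize_dn(dn))
    return findings
```

Running `lint_location(SAMPLE)` reports the unquoted URL, the truncated filter it produces, and the normalised group DN; a quoted URL and a DN without spaces after the commas produce no findings.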
