I am configuring a CollabNet Subversion integration. I have the following collabnet_subversion.conf
file:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=vegibanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
</Location>
This works great. Any user in our Active Directory can access our Subversion repository.
Now, I want to limit this to only people in the Active Directory group Development:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>
I added Require ldap-group, but now no one can log in. I have LogLevel set to debug, but all I get is this in my error_log (single line broken up for easier reading):
[Thu Oct 11 13:09:28 2012] [info] [client 10.55.9.45] [6752]
vauth_ldap authenticate: user dweintraub authentication failed;
URI /svn/ [ldap_search_ext_s() for user failed][Bad search filter]
And, I get this in my access_log:
10.55.9.45 - - [11/Oct/2012:13:09:27 -0500] "GET /svn/ HTTP/1.1" 401 401
10.55.9.45 - dweintraub [11/Oct/2012:13:09:28 -0500] "GET /svn/ HTTP/1.1" 500 535
Yes, I am in that group. (Or, at least how can I confirm that just to make sure that's not the issue. I have the SysinternalsSuite ADExplorer. It's where I'm getting all of my info.)
Best Answer
You did not specify the group's DN correctly, as you can see from the error message. It should probably look like this:

Edit: Since this doesn't seem to be the problem, make sure you have
set, which I assume is correct for your AD environment. These are the defaults in mod_authnz_ldap, but it can only help to set them explicitly. I don't really have any other ideas; your configuration looks correct. I am only wondering why you had no Require directive in your original configuration. But you said it was working, so maybe it defaults to Require valid-user.

Edit 2: Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features. This is documented here: https://ctf.open.collab.net/sf/go/artf4917. In our case this was a non-issue since we use AuthzSVNAccessFile for authorization. The Require ldap-group seems to have simply behaved like Require valid-user. This doesn't really explain to me why you get a "Bad search filter" message, but in order to only allow members of your Development group to access the /svn location you should extend the AuthLDAPURL with a group filter and remove the Require ldap-group directive. Since you are using AD you can use memberOf along these lines:

More detail here:
http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=417401
https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/FrequentlyAskedQuestions#section-FrequentlyAskedQuestions-HowCanIRestrictLogonToMembersOfAParticularGroup
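A configuration along the lines the answer describes, added here as an example (it is not the answerer's or CollabNet's own config, and the snippets missing from the answer are not reconstructed): the group filter goes into AuthLDAPURL and Require ldap-group is replaced by Require valid-user. Host, base DN, bind DN and group DN are taken from the question; the AuthzSVNAccessFile path is an assumption.

```apache
# Added example, not the page's own config. Restricts /svn to members of the
# Development group by filtering in AuthLDAPURL instead of "Require ldap-group",
# which CollabNet documents as not working with Subversion's authorization.
<Location /svn>
    DAV svn
    SVNParentPath /mnt/svn/new_repos
    SVNListParentPath on

    AuthName "VegiBanc Source Repository"
    AuthType basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off

    # Service account used to look users up. The password is stored in clear
    # text, so keep this file readable only by root and the httpd user.
    AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
    AuthLDAPBindPassword "swordfish"

    # URL form: ldap://host/basedn?attribute?scope?filter. The filter (which
    # must be parenthesised) is AND-ed with the sAMAccountName lookup, so a
    # user outside Development is simply not found and cannot authenticate.
    # memberOf lists direct membership only: the primary group (usually
    # Domain Users) and nested groups are not matched by this filter.
    # The question uses plain ldap:// with NONE; ldaps:// with SSL keeps the
    # bind and user passwords off the wire in clear text.
    AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?(memberOf=CN=Development,OU=Security Groups,OU=VegiBanc,DC=vegibanc,DC=com)" NONE

    # To also accept nested membership, AD's LDAP_MATCHING_RULE_IN_CHAIN
    # extensible match can replace the plain memberOf test, e.g.
    #   (memberOf:1.2.840.113556.1.4.1941:=CN=Development,OU=Security Groups,OU=VegiBanc,DC=vegibanc,DC=com)

    # Group membership is enforced by the filter; valid-user is enough here.
    Require valid-user

    # Per-repository and per-path rights belong in the access file (assumed path).
    AuthzSVNAccessFile /etc/svn/svn-access.conf
</Location>
```

A quick check that the filter is right before reloading httpd: run the same search with ldapsearch as the bind account and confirm the expected users, and only those, are returned.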