Ldap – Subversion LDAP Configuration

authenticationcollabnetldapsvn

I am configuring a subversion repository to use basic LDAP authentication. I have an entry in my http.conf file that looks like this:

<Location /company/some/location>
DAV svn
SVNPath /repository/some/location
AuthType Basic
AuthName LDAP
AuthBasicProvider ldap
Require valid-user
AuthLDAPBindDN "cn=SubversionAdmin,ou=admins,o=company.com"
AuthLDAPBindPassword "XXXXXXX"
AuthLDAPURL "ldap://company.com/ou=people,o=company.com?personid"
</Location>

This works fine for living, breathing people who need to log in. However, I also need to provide application accounts access to the repository. These accounts are in a different OU. Do I need to add a whole new <location> element, or can I add a second AuthLDAPURLto the existing entry?

Best Answer

You can use mod_authn_alias to create aliases for your providers. There was an example in this question for pretty much exactly the same use case:

<AuthnProviderAlias ldap alpha>
  AuthLDAPBindDN "CN=Subversion,OU=Service Accounts,O=Alpha"
  AuthLDAPBindPassword [[REDACTED]]
  AuthLDAPURL ldap://dc01.alpha:3268/?sAMAccountName?sub?
</AuthnProviderAlias>

<AuthnProviderAlias ldap beta>
  AuthLDAPBindDN "CN=LDAPAuth,OU=Service Accounts,O=Beta"
  AuthLDAPBindPassword [[REDACTED]]
  AuthLDAPURL ldap://ldap.beta:3268/?sAMAccountName?sub?
</AuthnProviderAlias>

# Subversion Repository
<Location /svn>
  DAV svn
  SVNPath /opt/svn/repo
  AuthName "Subversion"
  AuthType Basic
  AuthBasicProvider alpha beta
  AuthzLDAPAuthoritative off
  AuthzSVNAccessFile /opt/svn/authz
  require valid-user
</Location>

Related Solutions

Svn – How Do I Restrict Repository Access via WebSVN

The issue is probably relating to the splitting of configuration between two location directives, but I'm not sure.

Rather than defining permissions in two places (apache config and the authz file), just define them in the authz file. Like so:

httpd.conf

<Location /svn>
  DAV svn
  SVNParentPath /var/lib/svn/repository

  Require valid-user
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /path/to/.htpasswd

  SVNPathAuthz on
  AuthzSVNAccessFile /path/to/svn.authz
</Location>

svn.authz

[groups]
sysadmins = joebloggs jimsmith mickmurphy

# By default, nobody has any permissions
[/]
* = 

# sysadmins get access to the sysadmin repository
[sysadmin:/]
@sysadmins = rw

You would need the appropriate users in the htpasswd file too, obviously.

Debian – Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler

Your 'Require' line reads

Require ldap-group cn=CHANGED, cn=CHANGED

That doesn't look write - I don't believe you can have have two cn's in a DN like that.

Best Answer

Related Solutions

Svn – How Do I Restrict Repository Access via WebSVN

Debian – Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler

Related Topic