
apache/subversion with ldap


hhding

Jan 24, 2008, 5:30:18 AM
hi, my friends

I try to verify access of svn user from apache by openldap.
I create userA and userB with schema posixAccount
and create groupA with schema posixGroups in openldap and add userA to it.
then I add line *Require group cn=groupA,dc=my* to apache's config file.
but, both userA and userB can login to subversion. why?

below is the version I use :
apache2 Version: 2.2.6-3
slapd Version: 2.3.38-1
libapache2-svn 1.4.4dfsg1-1

and attachments are complete config files

my.ldif
dav_svn.conf
dav_svn.authz

Martin Marcher

Jan 24, 2008, 3:40:12 PM
On Thursday 24 January 2008 11:26 hhding wrote:

> hi, my friends
>
> I try to verify access of svn user from apache by openldap.
> I create userA and userB with schema posixAccount
> and create groupA with schema posixGroups in openldap and add userA to it.
> then I add line *Require group cn=groupA,dc=my* to apache's config file.

require ldap-group cn=.....
require ldap-user ......

> below is the version I use :
> apache2 Version: 2.2.6-3

from what I remember this is the debian/etch version, right?

> slapd Version: 2.3.38-1
> libapache2-svn 1.4.4dfsg1-1
>
> and attachments are complete config files

please don't do attachments. They aren't visible everywhere, for me they
just vanished as my primary interface to the ML is gmane.org

hope it helps
martin


--
http://noneisyours.marcher.name
http://feeds.feedburner.com/NoneIsYours

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.



Martin Marcher

Jan 24, 2008, 5:30:10 PM
On Thursday 24 January 2008 21:31 Martin Marcher wrote:

> On Thursday 24 January 2008 11:26 hhding wrote:
>> and attachments are complete config files
>
> please don't do attachments. They aren't visible everywhere, for me they
> just vanished as my primary interface to the ML is gmane.org

now _that_ statement was absolute b******** - I was just too dumb to see the
attachments.

anyway, the ldap-group ldap-user should be the solution,

/martin...

hhding

Jan 24, 2008, 7:20:07 PM
Thanks for your advice :)
Here is the config file, I take your advice and change Require group to
Require ldap-group, but it does not work.

::::::::::::::
/etc/apache2/mods-enabled/dav_svn.conf
::::::::::::::
<Location /svn>

DAV svn

SVNPath /var/lib/svn
AuthType basic
AuthName "SVN"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://localhost:389/dc=my?uid
Require ldap-group cn=groupA,dc=my

AuthzSVNAccessFile /etc/apache2/dav_svn.authz
</Location>
::::::::::::::
/etc/apache2/dav_svn.authz
::::::::::::::
[/]
* = r
::::::::::::::
my.ldif
::::::::::::::
dn: dc=my
objectClass: dcObject
objectClass: organization
o: Example Company
dc: my

dn: cn=admin,dc=my
objectClass: organizationalRole
cn: admin

dn: uid=userA,dc=my
objectClass: top
objectClass: posixAccount
objectClass: account
cn: userA
uid: userA
uidNumber: 1
gidNumber: 1
homeDirectory: /home/userA
userPassword: 1

dn: uid=userB,dc=my
objectClass: top
objectClass: posixAccount
objectClass: account
cn: userB
uid: userB
uidNumber: 2
gidNumber: 2
homeDirectory: /home/userB
userPassword: 1

dn: cn=groupA,dc=my
objectClass: top
objectClass: posixGroup
cn: groupA
gidNumber: 1
memberUid: userA


Martin Marcher

Jan 25, 2008, 5:20:09 AM
hhding wrote:

> Thanks for your advice :)
> Here is the config file, I take your advice and change Require group to
> Require ldap-group, but it does not work.
>
> ::::::::::::::
> /etc/apache2/mods-enabled/dav_svn.conf
> ::::::::::::::
> <Location /svn>
>
> DAV svn
>
> SVNPath /var/lib/svn
> AuthType basic
> AuthName "SVN"
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative on
> AuthLDAPURL ldap://localhost:389/dc=my?uid
> Require ldap-group cn=groupA,dc=my
>
> AuthzSVNAccessFile /etc/apache2/dav_svn.authz
> </Location>

Looks very much like my config:

<LocationMatch "/(.*)">
AuthType Basic
AuthName "Authentication"
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthLDAPURL "ldap://backend.example.com/dc=openforce,dc=com?uid?sub?(objectClass=simplesecurityObject)"
AuthLDAPRemoteUserIsDn off
AuthzLDAPAuthoritative on
AuthBasicAuthoritative on
AuthLDAPGroupAttribute memberUID
AuthLDAPGroupAttributeIsDN off
</LocationMatch>

<LocationMatch "/maven(.*)">
Dav On
<Limit GET HEAD OPTIONS PROPFIND>
require ldap-group cn=maven,ou=accounts,ou=groups,dc=example,dc=com
</Limit>
<LimitExcept GET HEAD OPTIONS PROPFIND>
require ldap-group cn=developement,ou=accounts,ou=groups,dc=example,dc=com
</LimitExcept>
</LocationMatch>


the ldap looks fine to me.

/martin

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.
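
An added example, not written by anyone in this thread: a simplified Python model of the comparison mod_authnz_ldap makes for `Require ldap-group`, run over a constructed subset of the my.ldif posted above. By default the module compares the user's DN against the group's `member` and `uniqueMember` attributes, while a posixGroup stores bare login names in `memberUid`; the `AuthLDAPGroupAttribute memberUID` and `AuthLDAPGroupAttributeIsDN off` lines in the second config select that attribute and value form. The function names are hypothetical.

```python
# Constructed subset of the my.ldif from the thread (only attributes the check uses).
LDIF = """\
dn: uid=userA,dc=my
uid: userA

dn: uid=userB,dc=my
uid: userB

dn: cn=groupA,dc=my
objectClass: posixGroup
memberUid: userA
"""

def parse_ldif(text):
    """Return {dn: {lowercased attribute: [values]}} for simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def ldap_group_allows(entries, group_dn, username,
                      group_attrs=("member", "uniqueMember"), attr_is_dn=True):
    """Simplified model (an assumption, not Apache source): compare each group
    attribute with the user's DN (attr_is_dn=True) or the bare login name."""
    user_dn = next((dn for dn, e in entries.items()
                    if username in e.get("uid", [])), None)
    if user_dn is None:
        return False  # the user search found nothing
    wanted = user_dn if attr_is_dn else username
    group = entries.get(group_dn, {})
    return any(wanted in group.get(a.lower(), []) for a in group_attrs)

def evaluate():
    """Evaluate both users against groupA under the defaults and under memberUid."""
    entries, group = parse_ldif(LDIF), "cn=groupA,dc=my"
    results = {}
    for user in ("userA", "userB"):
        results[user, "defaults"] = ldap_group_allows(entries, group, user)
        results[user, "memberUid"] = ldap_group_allows(
            entries, group, user, group_attrs=("memberUid",), attr_is_dn=False)
    return results

if __name__ == "__main__":
    for key, allowed in evaluate().items():
        print(key, "allowed" if allowed else "denied")
```
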
