I am trying to verify access of svn users from apache via openldap.
I created userA and userB with schema posixAccount
and created groupA with schema posixGroups in openldap and added userA to it.
Then I added the line *Require group cn=groupA,dc=my* to apache's config file.
But both userA and userB can log in to subversion. Why?
Below are the versions I use:
apache2 Version: 2.2.6-3
slapd Version: 2.3.38-1
libapache2-svn 1.4.4dfsg1-1
and the attachments are the complete config files
> hi, my friends
>
> I try to verify access of svn user from apache by openldap.
> I create userA and userB with schema posixAccount
> and create groupA with schema posixGroups in openldap and add userA to it.
> then I add line *Require group cn=groupA,dc=my* to apache's config file.
require ldap-group cn=.....
require ldap-user ......
> below is the version I use :
> apache2 Version: 2.2.6-3
from what I remember this is the debian/etch version, right?
> slapd Version: 2.3.38-1
> libapache2-svn 1.4.4dfsg1-1
>
> and attachments are complete config files
please don't do attachments. They aren't visible everywhere, for me they
just vanished as my primary interface to the ML is gmane.org
hope it helps
martin
--
http://noneisyours.marcher.name
http://feeds.feedburner.com/NoneIsYours
You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.
> On Thursday 24 January 2008 11:26 hhding wrote:
>> and attachments are complete config files
>
> please don't do attachments. They aren't visible everywhere, for me they
> just vanished as my primary interface to the ML is gmane.org
now _that_ statement was absolute b******** - I was just too dumb to see the
attachments.
anyway, the ldap-group ldap-user should be the solution,
/martin...
::::::::::::::
/etc/apache2/mods-enabled/dav_svn.conf
::::::::::::::
<Location /svn>
DAV svn
SVNPath /var/lib/svn
AuthType basic
AuthName "SVN"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://localhost:389/dc=my?uid
Require ldap-group cn=groupA,dc=my
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
</Location>
::::::::::::::
/etc/apache2/dav_svn.authz
::::::::::::::
[/]
* = r
::::::::::::::
my.ldif
::::::::::::::
dn: dc=my
objectClass: dcObject
objectClass: organization
o: Example Company
dc: my

dn: cn=admin,dc=my
objectClass: organizationalRole
cn: admin

dn: uid=userA,dc=my
objectClass: top
objectClass: posixAccount
objectClass: account
cn: userA
uid: userA
uidNumber: 1
gidNumber: 1
homeDirectory: /home/userA
userPassword: 1

dn: uid=userB,dc=my
objectClass: top
objectClass: posixAccount
objectClass: account
cn: userB
uid: userB
uidNumber: 2
gidNumber: 2
homeDirectory: /home/userB
userPassword: 1

dn: cn=groupA,dc=my
objectClass: top
objectClass: posixGroup
cn: groupA
gidNumber: 1
memberUid: userA
Martin Marcher wrote:
> On Thursday 24 January 2008 21:31 Martin Marcher wrote:
>
>
>> On Thursday 24 January 2008 11:26 hhding wrote:
>>
>>> and attachments are complete config files
>>>
>> please don't do attachments. They aren't visible everywhere, for me they
>> just vanished as my primary interface to the ML is gmane.org
>>
>
> now _that_ statement was absolute b******** - I was just too dumb to see the
> attachments.
>
> anyway, the ldap-group ldap-user should be the solution,
>
> /martin...
>
>
--
> Thanks for your advice :)
> Here is the config file, I take your advice and change Require group to
> Require ldap-group, but it does not work.
>
> ::::::::::::::
> /etc/apache2/mods-enabled/dav_svn.conf
> ::::::::::::::
> <Location /svn>
>
> DAV svn
>
> SVNPath /var/lib/svn
> AuthType basic
> AuthName "SVN"
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative on
> AuthLDAPURL ldap://localhost:389/dc=my?uid
> Require ldap-group cn=groupA,dc=my
>
> AuthzSVNAccessFile /etc/apache2/dav_svn.authz
> </Location>
Looks very much like my config:
<LocationMatch "/(.*)">
AuthType Basic
AuthName "Authentication"
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthLDAPURL "ldap://backend.example.com/dc=openforce,dc=com?uid?sub?(objectClass=simplesecurityObject)"
AuthLDAPRemoteUserIsDn off
AuthzLDAPAuthoritative on
AuthBasicAuthoritative on
# posixGroup lists login names in memberUid, so compare the username, not the DN
AuthLDAPGroupAttribute memberUID
AuthLDAPGroupAttributeIsDN off
</LocationMatch>
<LocationMatch "/maven(.*)">
Dav On
<Limit GET HEAD OPTIONS PROPFIND>
require ldap-group cn=maven,ou=accounts,ou=groups,dc=example,dc=com
</Limit>
<LimitExcept GET HEAD OPTIONS PROPFIND>
require ldap-group cn=developement,ou=accounts,ou=groups,dc=example,dc=com
</LimitExcept>
</LocationMatch>
the ldap looks fine to me.
/martin
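Added example (not part of the thread, and not mod_authnz_ldap's own code): a small Python model of the membership comparison behind `Require ldap-group`, run over the entries from my.ldif. It contrasts the module's default settings (`AuthLDAPGroupAttribute` member/uniquemember, `AuthLDAPGroupAttributeIsDN on`) with the `memberUID` / `IsDN off` settings in the second config above; the helper names and the simplified DN normalisation are assumptions.

```python
# Constructed sample: user/group entries from my.ldif, trimmed to what the check reads.
LDIF = """\
dn: uid=userA,dc=my
uid: userA

dn: uid=userB,dc=my
uid: userB

dn: cn=groupA,dc=my
memberUid: userA
"""

def norm_dn(dn):
    """Simplified DN normalisation (assumption): lower-case, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def in_ldap_group(entries, user, group_dn,
                  group_attrs=("member", "uniquemember"), attr_is_dn=True):
    """Hypothetical model of the ldap-group test: attr_is_dn=True compares
    the user's DN against the group attribute, False compares the login name."""
    group = entries.get(norm_dn(group_dn), {})
    user_dn = next((dn for dn, a in entries.items() if user in a.get("uid", [])), None)
    if user_dn is None:
        return False
    for attr in group_attrs:
        values = group.get(attr.lower(), [])  # attribute names are case-insensitive
        candidates = [norm_dn(v) for v in values] if attr_is_dn else values
        if (user_dn if attr_is_dn else user) in candidates:
            return True
    return False

def compare_settings(group_dn="cn=groupA,dc=my", users=("userA", "userB")):
    """Return (result with module defaults, result with memberUid / IsDN off)."""
    entries = parse_ldif(LDIF)
    defaults = {u: in_ldap_group(entries, u, group_dn) for u in users}
    posix = {u: in_ldap_group(entries, u, group_dn, ("memberUid",), False) for u in users}
    return defaults, posix

if __name__ == "__main__":
    print(compare_settings())
```

With the defaults neither user matches groupA, because a posixGroup stores login names in memberUid rather than DNs in member/uniquemember; with the memberUid settings only userA matches.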