What does Apache 2.x use to authenticate a user that belongs to a group? My initial requirement for groupOfUniqueNames was that of http://exist-db.org/ldap-security.html#N10149 , but since I am a contributor to the eXist database project, I can change the code to meet a common specification. My priority is to get Subversion to authenticate a user who belongs to a group.
The following works with SVN to authenticate against a single user:
<Location /svn>
  DAV svn
  SVNParentPath /var/local/svn/foo.exist-db.org
  SVNAutoversioning on
  SVNListParentPath on
  AuthBasicProvider ldap
  AuthUserFile /dev/null
  AuthType Basic
  AuthName "Subversion Authentication"
  AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
  AuthLDAPBindPassword "1234"
  AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
  AuthLDAPCompareDNOnServer off
  Require ldap-user lcahlander
  AuthzLDAPAuthoritative on
</Location>
When I would like for it to be:
<Location /svn>
  DAV svn
  SVNParentPath /var/local/svn/foo.exist-db.org
  SVNAutoversioning on
  SVNListParentPath on
  AuthBasicProvider ldap
  AuthUserFile /dev/null
  AuthType Basic
  AuthName "Subversion Authentication"
  # The distinguished name to bind to the directory server
  AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
  # The password for the user above
  AuthLDAPBindPassword "1234"
  AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  AuthLDAPCompareDNOnServer off
  AuthzLDAPAuthoritative on
  AuthBasicAuthoritative on
  <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
    Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
    Satisfy any
  </Limit>
  <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
    Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
    Satisfy any
  </Limit>
</Location>
If I can do this with posixGroup only, then I will make the needed change to the eXist database code. What I am trying to do is use the most basic standard LDAP schema to get users and groups.
Thank you,
Loren
On Jun 2, 2010, at 07:32 AM, Buchan Milne wrote:
On Tuesday, 1 June 2010 17:04:59 Loren Cahlander wrote:
And need to have groups being both posixGroup and groupOfUniqueNames.
I would rather use groupOfNames/member than groupOfUniqueNames/uniqueMember ...
Far below is my configuration. If I try loading a group with the following:
dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
gidNumber: 9999
objectClass: posixGroup
objectClass: groupOfUniqueNames
uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
cn: my-dba
I get the following error:
ldap_add: Object class violation (65)
additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames)
Does anyone have a suggestion for how to deal with this error?
Two options:
1) Switch to rfc2307bis instead of rfc2307 (nis.schema)
This may require a bit of work for your ldap clients.
2) Add objectclass extensibleObject, and maintain both member and memberUid attributes.
Regards, Buchan
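The two mechanisms discussed in this thread, the structural-object-class-chain rule behind the ldap_add error Loren hit and the membership test Apache's mod_authnz_ldap performs for Require ldap-group under AuthLDAPGroupAttribute / AuthLDAPGroupAttributeIsDN, modelled in a small Python script. This is an added example, not code from the thread, from eXist, or from OpenLDAP or Apache; the schema table (posixGroup STRUCTURAL in rfc2307 nis.schema, AUXILIARY in rfc2307bis; groupOfNames and groupOfUniqueNames STRUCTURAL; extensibleObject AUXILIARY) and the LDIF entries are constructed for illustration, and the parser is a minimal one that ignores LDIF line folding and base64 values.

```python
"""Added example: model of the structural-chain check and of the Apache
group-membership test discussed in the thread. Not part of the thread."""

# Constructed schema table: class -> (kind, superclass). Only the classes
# named in the thread are included.
SCHEMA_RFC2307 = {
    "top": ("ABSTRACT", None),
    "posixGroup": ("STRUCTURAL", "top"),          # nis.schema (rfc2307)
    "groupOfNames": ("STRUCTURAL", "top"),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "extensibleObject": ("AUXILIARY", "top"),
}
# rfc2307bis makes posixGroup AUXILIARY, which is why Buchan's option 1 works.
SCHEMA_RFC2307BIS = dict(SCHEMA_RFC2307, posixGroup=("AUXILIARY", "top"))


def parse_ldif(text):
    """Parse simple LDIF (no folding/base64) into a dict of lowercase attr -> [values]."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def structural_chain_ok(entry, schema):
    """True if every STRUCTURAL class on the entry lies on one superclass chain.
    This is the rule whose violation OpenLDAP reports as
    'invalid structural object class chain'."""
    def ancestors(oc):
        chain = []
        while oc is not None:
            chain.append(oc)
            oc = schema[oc][1]
        return chain

    structural = [oc for oc in entry.get("objectclass", [])
                  if schema[oc][0] == "STRUCTURAL"]
    if not structural:
        return False  # an entry needs exactly one structural chain
    # Some structural class must have all the others as ancestors.
    return any(all(oc in ancestors(c) for oc in structural) for c in structural)


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators, e.g. 'dc=exist-db, dc=org'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(group, user_uid, user_dn, group_attr, attr_is_dn):
    """Mirror Require ldap-group: compare the user against AuthLDAPGroupAttribute.
    With AuthLDAPGroupAttributeIsDN off the login name is compared to the
    attribute values (posixGroup/memberUid); with it on, the user's DN is."""
    values = group.get(group_attr.lower(), [])
    if attr_is_dn:
        return any(normalize_dn(v) == normalize_dn(user_dn) for v in values)
    return user_uid in values


# Constructed LDIF: the mixed entry from the thread, and a posixGroup +
# extensibleObject entry in the shape of Buchan's option 2.
GROUP_MIXED = """dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
gidNumber: 9999
objectClass: posixGroup
objectClass: groupOfUniqueNames
uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
cn: my-dba
"""
GROUP_EXTENSIBLE = """dn: cn=dba,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
objectClass: extensibleObject
gidNumber: 9999
cn: dba
memberUid: lcahlander
member: uid=lcahlander,ou=Users,dc=exist-db,dc=org
"""


def demo():
    """Run the checks over the constructed entries and return the outcomes."""
    mixed = parse_ldif(GROUP_MIXED)
    ext = parse_ldif(GROUP_EXTENSIBLE)
    user_dn = "uid=lcahlander,ou=Users,dc=exist-db,dc=org"
    return {
        "mixed_structural_rfc2307": structural_chain_ok(mixed, SCHEMA_RFC2307),
        "mixed_structural_rfc2307bis": structural_chain_ok(mixed, SCHEMA_RFC2307BIS),
        "extensible_rfc2307": structural_chain_ok(ext, SCHEMA_RFC2307),
        # AuthLDAPGroupAttribute memberUid / AuthLDAPGroupAttributeIsDN off
        "memberUid_match": is_member(ext, "lcahlander", user_dn, "memberUid", False),
        # AuthLDAPGroupAttribute member / AuthLDAPGroupAttributeIsDN on
        "member_dn_match": is_member(ext, "lcahlander", user_dn, "member", True),
        "wrong_user": is_member(ext, "mallory", user_dn, "memberUid", False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The posixGroup/groupOfUniqueNames entry fails the chain check under the rfc2307 table and passes under the rfc2307bis one, while the posixGroup + extensibleObject entry passes under rfc2307 and satisfies both forms of the Apache test; the memberUid form only needs AuthLDAPGroupAttributeIsDN off, as in Loren's second configuration.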