Buchan,
That worked for me. Thanks. I have another question for the mailing list.
Can I place the AuthLDAPURL, AuthzLDAPAuthoritative, AuthLDAPGroupAttributeIsDN and AuthLDAPGroupAttribute outside of <Location> and <Directory> and inside of <VirtualHost>, and place just Require and Satisfy within the <Location> and <Directory> tags? I am asking because all of the <Location> and <Directory> entries are going to be using the same LDAP server and will be accessed through membership in LDAP groups.
AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
Satisfy All
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
Require ldap-group cn=developers,ou=Group,.....
Thank you, Loren
On Jun 3, 2010, at 02:20 AM, Buchan Milne wrote:
On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
What does Apache 2.x use to authenticate a user that belongs to a group? My initial requirement for groupOfUniqueNames was that of http://exist-db.org/ldap-security.html#N10149, but since I am a contributor to the eXist database project, I can change the code to meet a common specification. My priority is to get Subversion to get the authenticated user of a group.
The following works with SVN to authenticate against a single user:
<Location /svn>
    DAV svn
    SVNParentPath /var/local/svn/foo.exist-db.org
    SVNAutoversioning on
    SVNListParentPath on
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    AuthType Basic
    AuthName "Subversion Authentication"
    AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
    AuthLDAPBindPassword "1234"
    AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
    AuthLDAPCompareDNOnServer off
    Require ldap-user lcahlander
    AuthzLDAPAuthoritative on
</Location>
When I would like for it to be:
<Location /svn>
    DAV svn
    SVNParentPath /var/local/svn/foo.exist-db.org
    SVNAutoversioning on
    SVNListParentPath on
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    AuthType Basic
    AuthName "Subversion Authentication"
    # The distinguished name to bind to the directory server
    AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
    # The password for the user above
    AuthLDAPBindPassword "1234"
    AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPCompareDNOnServer off
    AuthzLDAPAuthoritative on
    AuthBasicAuthoritative on
    <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
        Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
        Satisfy any
    </Limit>
    <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
        Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
        Satisfy any
    </Limit>
</Location>
Something like this should work; I have something like this:
AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
Satisfy All
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
Require ldap-group cn=developers,ou=Group,.....
Although the requirement for limiting operations via svn was not that great, and I ran out of time to test that, so I haven't got these inside Limit statements at present ...
I suggest starting out with a memberUid-based non-Limit config first, and if that works, add the Limits parts in.
Regards, Buchan
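The following is an added example, not from this thread, of the factoring that Loren's question asks about, written for Apache 2.2 with mod_authnz_ldap and mod_dav_svn. The mod_authnz_ldap, Satisfy and Require directives take directory/.htaccess context, so they cannot sit directly inside <VirtualHost>; the usual way to share them is a catch-all <Location /> in the virtual host, since Location sections merge and a nested <Location /svn> inherits everything declared there and only needs its own Require lines. Host names, DNs, group names, paths and the bind password are placeholders, and the read/write method split (REPORT included among the read methods) follows the pattern the Subversion documentation uses rather than anything in the thread.

```apache
# Added example (not from this thread): shared LDAP settings declared once
# per virtual host, with only the per-path authorization in each <Location>.
# Host names, DNs, group names, paths and the bind password are placeholders.
<VirtualHost *:443>
    ServerName svn.example.org
    SSLEngine on
    # ... certificate directives omitted ...

    # mod_authnz_ldap directives are directory-context only, so they go in a
    # catch-all <Location />; Location sections merge, so nested <Location>
    # blocks inherit everything declared here. No Require is set at this
    # level, so paths other than /svn are not served with auth by this block.
    <Location />
        AuthType Basic
        AuthName "Subversion Authentication"
        AuthBasicProvider ldap
        AuthBasicAuthoritative on
        AuthzLDAPAuthoritative on
        # ldaps:// keeps credentials off the wire; the filter restricts which
        # entries may authenticate at all.
        AuthLDAPURL "ldaps://ldap.example.org/ou=People,dc=example,dc=org?uid?sub?(objectClass=posixAccount)"
        # Bind identity used to search for the user; keep the real password in
        # a root-only file pulled in with Include rather than in this file.
        AuthLDAPBindDN "cn=apache,ou=Services,dc=example,dc=org"
        AuthLDAPBindPassword "REPLACE_ME"
        # posixGroup membership: memberUid holds bare uids, not DNs
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        # Satisfy All: a valid login is always required. "Satisfy any" with no
        # Deny directives would let every client through without a password.
        Satisfy All
    </Location>

    <Location /svn>
        DAV svn
        SVNParentPath /var/local/svn
        SVNListParentPath on

        # Read-only methods: either group may read (multiple Require lines
        # are satisfied by any one of them in 2.2).
        <Limit GET HEAD OPTIONS PROPFIND REPORT>
            Require ldap-group cn=svn-readonly,ou=Group,dc=example,dc=org
            Require ldap-group cn=developers,ou=Group,dc=example,dc=org
        </Limit>
        # Everything else (commits, locks, copies, ...): developers only.
        # LimitExcept catches methods a plain <Limit> list would leave
        # unrestricted.
        <LimitExcept GET HEAD OPTIONS PROPFIND REPORT>
            Require ldap-group cn=developers,ou=Group,dc=example,dc=org
        </LimitExcept>
    </Location>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, then confirm from a client that an account in svn-readonly can check out but gets a 403 on commit, and that an unauthenticated request is refused outright; if the last check passes without a password, a Satisfy any somewhere in the merged configuration is the first thing to look for.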