Hello folks,
I am working with the following configuration under Ubuntu:
||/ Name                  Version                Description
+++-=====================-======================-============================================
ii  apache2               2.2.9-7ubuntu3.6       Apache HTTP Server metapackage
ii  apache2-doc           2.2.9-7ubuntu3.6       Apache HTTP Server documentation
ii  apache2-mpm-prefork   2.2.9-7ubuntu3.6       Apache HTTP Server - traditional non-threade
ii  apache2-utils         2.2.9-7ubuntu3.6       utility programs for webservers
ii  apache2.2-common      2.2.9-7ubuntu3.6       Apache HTTP Server common files
ii  ldap-account-manager  2.3.0-1                webfrontend for managing accounts in an LDAP
ii  ldap-utils            2.4.11-0ubuntu6.2      OpenLDAP utilities
ii  libldap-2.4-2         2.4.11-0ubuntu6.2      OpenLDAP libraries
ii  slapd                 2.4.11-0ubuntu6.2      OpenLDAP server (slapd)
ii  subversion            1.5.1dfsg1-1ubuntu2.1  Advanced version control system
ii  subversion-tools      1.5.1dfsg1-1ubuntu2.1  Assorted tools related to Subversion
And I need to have groups that are both posixGroup and groupOfUniqueNames. Far below is my configuration. If I try loading a group with the following:
    dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
    gidNumber: 9999
    objectClass: posixGroup
    objectClass: groupOfUniqueNames
    uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
    cn: my-dba
I get the following error:
    ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames)
Does anyone have a suggestion for how to deal with this error? I am looking for a simple configuration that will work with the Apache Module mod_authnz_ldap to authenticate a user in Apache using "Require ldap-group".
Thank you,
Loren
Installing LDAP
LDAP is the Lightweight Directory Access Protocol. This central database of accounts, logins and groups will be used by all the systems including the eXist database, the subversion server and the e-mail system. Note that the roles in the role-based access control system are stored using the role manager.
These commands will install a local LDAP server and a web based administrative application to manage groups and users within this virtual machine.

    sudo apt-get install slapd ldap-utils ldap-account-manager

    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

vi /home/exist/db.ldif and insert the following listing:

    ###########################################################
    # DATABASE SETUP
    ###########################################################

    # Load modules for database type
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb

    # Create directory database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=exist-db,dc=org
    olcRootDN: cn=admin,dc=exist-db,dc=org
    olcRootPW: 1234
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exist-db,dc=org" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=exist-db,dc=org" write by * read
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq

    ###########################################################
    # DEFAULTS MODIFICATION
    ###########################################################
    # Some of the defaults need to be modified in order to allow
    # remote access to the LDAP config. Otherwise only root
    # will have administrative access.

    dn: cn=config
    changetype: modify
    delete: olcAuthzRegexp

    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {CRYPT}7hzU8RaZxaGi2

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess

Note that this file has the LDAP administration password (identified by olcRootPW) in it with the default value of "1234". If you want to change this, put in your own password.

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /home/exist/db.ldif

sudo vi /home/exist/base.ldif and insert the following:

    dn: dc=exist-db,dc=org
    objectClass: dcObject
    objectClass: organization
    o: exist-db.org
    dc: exist-db
    description: Tree root

    dn: cn=admin,dc=exist-db,dc=org
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: admin123
    description: LDAP administrator

    dn: ou=Users,dc=exist-db,dc=org
    objectClass: organizationalUnit
    ou: Users

    dn: ou=Groups,dc=exist-db,dc=org
    objectClass: organizationalUnit
    ou: Groups

    dn: uid=admin,ou=Users,dc=exist-db,dc=org
    sn: Administrator
    uidNumber: 1
    gidNumber: 1
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: admin
    cn: admin
    homeDirectory: /

    dn: uid=guest,ou=Users,dc=exist-db,dc=org
    sn: guest
    uidNumber: 2
    gidNumber: 300
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: guest
    cn: guest
    homeDirectory: /guest

    dn: cn=dba,ou=Groups,dc=exist-db,dc=org
    objectClass: posixGroup
    description: dba
    gidNumber: 1
    cn: dba

    dn: cn=guest,ou=Groups,dc=exist-db,dc=org
    objectClass: posixGroup
    description: guest
    gidNumber: 300
    cn: guest
    memberUid: admin

    dn: cn=svn-update,ou=Groups,dc=exist-db,dc=org
    objectClass: posixGroup
    description: SVN Update
    gidNumber: 400
    cn: svn-update

    dn: cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
    objectClass: posixGroup
    description: SVN Read Only
    gidNumber: 500
    cn: svn-readonly

    dn: cn=backup-access,ou=Groups,dc=exist-db,dc=org
    objectClass: posixGroup
    description: System backup page access.
    gidNumber: 600
    cn: backup-access

Note that this file has the database administration password in it with the default value of "admin123". If you want to change this, put your own password into the correct location.
You can now load this configuration file into the LDAP database with the ldapadd command:

    sudo ldapadd -x -D cn=admin,dc=exist-db,dc=org -W -f /home/exist/base.ldif

When prompted for the password, use "1234" unless you changed the value in db.ldif.
Loren,
You need to replace the "nis.schema" schema file with a "rfc2307bis.schema" file because both posixGroup and groupOfNames are STRUCTURAL classes. Using rfc2307 schema, one object class becomes auxiliary and allows both to co-exist within the same object declaration.
OTOH, see if you can configure mod_authnz_ldap to look for "member" attribute instead of "memberUID". This will obviate the need for having posixGroup in object instantiation.
Hope this helps,
Siddhartha
From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org [mailto:openldap-technical-bounces+sjain=silverspringnet.com@openldap.org] On Behalf Of Loren Cahlander
Sent: Tuesday, June 01, 2010 9:05 AM
To: openldap-technical@openldap.org
Cc: Loren Cahlander
Subject: OpenLDAP configuration for ldap-group authentication on Apache2.x
On Tuesday, 1 June 2010 17:04:59 Loren Cahlander wrote:
And I need to have groups that are both posixGroup and groupOfUniqueNames.
I would rather use groupOfNames/member than groupOfUniqueNames/uniqueMember ...
Far below is my configuration. If I try loading a group with the following:
    dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
    gidNumber: 9999
    objectClass: posixGroup
    objectClass: groupOfUniqueNames
    uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
    cn: my-dba
I get the following error:
    ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames)
Does anyone have a suggestion for how to deal with this error?
Two options:
1) Switch to rfc2307bis instead of rfc2307 (nis.schema)
This may require a bit of work for your ldap clients.
2) Add objectclass extensibleObject, and maintain both member and memberUid attributes.
Regards, Buchan
What does Apache2.x use to authenticate a user that belongs to a group? My initial requirement for groupOfUniqueNames was that of http://exist-db.org/ldap-security.html#N10149 , but since I am a contributor to the eXist database project, then I can change the code to meet a common specification. My priority is to get Subversion to get the authenticated user of a group.
The following works with SVN to authenticate against a single user:
    <Location /svn>
        DAV svn
        SVNParentPath /var/local/svn/foo.exist-db.org
        SVNAutoversioning on
        SVNListParentPath on
        AuthBasicProvider ldap
        AuthUserFile /dev/null
        AuthType Basic
        AuthName "Subversion Authentication"
        AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
        AuthLDAPBindPassword "1234"
        AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
        AuthLDAPCompareDNOnServer off
        Require ldap-user lcahlander
        AuthzLDAPAuthoritative on
    </Location>
When I would like for it to be:
    <Location /svn>
        DAV svn
        SVNParentPath /var/local/svn/foo.exist-db.org
        SVNAutoversioning on
        SVNListParentPath on
        AuthBasicProvider ldap
        AuthUserFile /dev/null
        AuthType Basic
        AuthName "Subversion Authentication"
        # The distinguished name to bind to the directory server
        AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
        # The password for the user above
        AuthLDAPBindPassword "1234"
        AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPCompareDNOnServer off
        AuthzLDAPAuthoritative on
        AuthBasicAuthoritative on
        <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
            Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
            Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
            Satisfy any
        </Limit>
        <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
            Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
            Satisfy any
        </Limit>
    </Location>
If I can do this with posixGroup only, then I will make the needed change to the eXist database code. What I am trying to do is use the most basic standard LDAP schema to get users and groups.
Thank you,
Loren
On Jun 2, 2010, at 07:32 AM, Buchan Milne wrote:
On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
Something like this should work, I have something like this:
    AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
    Satisfy All
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=developers,ou=Group,.....
Although the requirement to limiting operations via svn was not that great, and I ran out of time to test that, so I haven't got these inside Limit statements at present ...
I suggest starting out with a memberUid-based non-Limit config first, and if that works, add the Limits parts in.
Regards, Buchan
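As an added example, not code from the thread or from mod_authnz_ldap itself, the following Python models how "Require ldap-group" is evaluated for the two group styles discussed here, so the AuthLDAPGroupAttribute / AuthLDAPGroupAttributeIsDN pairing can be checked offline. The group entries are constructed dicts, and the DN normalization is a simplification of what the module does.

```python
# Added example (a model, not mod_authnz_ldap's code): how the group attribute and the
# AuthLDAPGroupAttributeIsDN setting decide whether "Require ldap-group" admits a user.

def normalize_dn(dn):
    """Fold case and strip whitespace around RDN separators so two DNs can be compared."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def require_ldap_group(group, username, user_dn, group_attribute, attribute_is_dn):
    """True if the authenticated user is a member of `group` under the given settings.

    attribute_is_dn=True mirrors AuthLDAPGroupAttributeIsDN on: the user's DN is compared
    with each value of the group attribute. With it off, the login name is compared instead.
    """
    values = group.get(group_attribute.lower(), [])
    if attribute_is_dn:
        return normalize_dn(user_dn) in {normalize_dn(v) for v in values}
    return username.lower() in {v.lower() for v in values}

# Constructed samples in the shape used in the thread: a posixGroup carrying memberUid
# and a groupOfNames carrying member DNs. Keys are lower-case attribute names.
POSIX_DBA = {"cn": ["dba"], "objectclass": ["posixGroup"], "gidnumber": ["1"],
             "memberuid": ["lcahlander"]}
GON_DBA = {"cn": ["dba"], "objectclass": ["groupOfNames"],
           "member": ["uid=lcahlander,ou=Users,dc=exist-db,dc=org"]}
USER, USER_DN = "lcahlander", "uid=lcahlander, ou=Users, dc=exist-db, dc=org"

def membership_matrix():
    """Which (group attribute, IsDN) pairing admits the user for each group style.

    The two False rows are the silent-deny misconfigurations: a memberUid value never
    equals a DN, and a member DN never equals a bare login name.
    """
    return {
        "posixGroup memberUid IsDN off": require_ldap_group(POSIX_DBA, USER, USER_DN, "memberUid", False),
        "posixGroup memberUid IsDN on": require_ldap_group(POSIX_DBA, USER, USER_DN, "memberUid", True),
        "groupOfNames member IsDN on": require_ldap_group(GON_DBA, USER, USER_DN, "member", True),
        "groupOfNames member IsDN off": require_ldap_group(GON_DBA, USER, USER_DN, "member", False),
    }
```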
Buchan,
That worked for me. Thanks. I have another question for the mailing list.
Can I place the AuthLDAPURL, AuthzLDAPAuthoritative, AuthLDAPGroupAttributeIsDN and AuthLDAPGroupAttribute outside of <Location> and <Directory> and inside of <VirtualHost> and place just Require and Satisfy within the <Location> and <Directory> tags? I am asking because all of the <Location> and <Directory> entries are going to be using the same LDAP server and will be accessed through membership in LDAP groups.
Thank you, Loren
On Jun 3, 2010, at 02:20 AM, Buchan Milne wrote:
Loren,
Loren Cahlander wrote on 04.06.2010 at 13:51:
It may be better to ask at a httpd mailing list.
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

    "AuthLDAPUrl Directive
    Description: URL specifying the LDAP search parameters
    Syntax: AuthLDAPUrl url
    Context: directory, .htaccess"

So, I think not outside of the directory context.
Marc