Apache httpd LDAP integration
I am configuring a CollabNet Subversion integration. I have the following collabnet_subversion.conf
file:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=vegibanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
</Location>
This works great. Any user in our Active Directory can access our Subversion repository.
Now, I want to limit this to only people in the Active Directory group Development:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>
I added Require ldap-group, but now no one can log in. I have LogLevel set to debug, but all I get is this in my error_log (single line broken up for easier reading):
[Thu Oct 11 13:09:28 2012] [info] [client 10.55.9.45] [6752]
auth_ldap authenticate: user dweintraub authentication failed;
URI /svn/ [ldap_search_ext_s() for user failed][Bad search filter]
And, I get this in my access_log:
10.55.9.45 - - [11/Oct/2012:13:09:27 -0500] "GET /svn/ HTTP/1.1" 401 401
10.55.9.45 - dweintraub [11/Oct/2012:13:09:28 -0500] "GET /svn/ HTTP/1.1" 500 535
Yes, I am in that group. (Or, at least, how can I confirm that, just to make sure that's not the issue? I have the Sysinternals Suite ADExplorer; it's where I'm getting all of my info.)
You did not specify the group's DN correctly, as you can see from the error message. It should probably look like this:
Require ldap-group CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com
Edit: Since this doesn't seem to be the problem, make sure you have
AuthLDAPGroupAttribute member uniquemember
AuthLDAPGroupAttributeIsDN on
set, which I assume is correct for your AD environment. These are the defaults in mod_authnz_ldap, but it can only help to set them explicitly.
I don't really have any other ideas; your configuration looks correct. I am only wondering why you had no Require directive in your original configuration. But you said it was working, so maybe it defaults to Require valid-user.
Edit 2: Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features. This is documented here: https://ctf.open.collab.net/sf/go/artf4917. In our case this was a non-issue since we use AuthzSVNAccessFile for authorization. The Require ldap-group seems to have simply behaved like Require valid-user.
This doesn't really explain to me why you get a "Bad search filter" message, but in order to only allow members of your Development group to access the /svn location you should extend the AuthLDAPURL with a group filter and remove the Require ldap-group directive. Since you are using AD you can use memberOf along these lines:
AuthLDAPURL "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName?sub?(&(objectCategory=person)(memberOf=CN=Development,OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com))" NONE
More detail here:
http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=417401
https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/FrequentlyAskedQuestions#section-FrequentlyAskedQuestions-HowCanIRestrictLogonToMembersOfAParticularGroup
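The "Bad search filter" error comes back from the directory when the filter mod_authnz_ldap assembles is not syntactically valid. The following is an added example, not code from the question, from daff, or from Apache: a Python model of how the module builds that filter from an AuthLDAPURL and the submitted username, the way its documentation describes it, (&(filter)(attribute=user)), plus an RFC 4515 syntax check that shows which inputs the directory would reject. It assumes that Apache's config tokenizer honours a quote only at the start of an argument, so a stray quote glued to the attribute name would become part of the attribute; the hostnames, DNs and usernames are taken from this thread, and the inputs at the bottom are constructed for the demonstration. It does not contact a directory.

```python
# Added example, not part of the original question or either answer: a small
# model of how mod_authnz_ldap turns an AuthLDAPURL plus the submitted username
# into the search filter it hands to ldap_search_ext_s(), with a syntax check
# that mirrors what the directory rejects as "Bad search filter".
import re
from urllib.parse import unquote, urlsplit

# RFC 4515 escapes. mod_authnz_ldap applies these to the username so that a
# crafted login such as "*)(objectClass=*" cannot rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap://host[:port]/basedn?attribute?scope?filter (RFC 2255).

    Missing fields get the defaults mod_authnz_ldap documents: attribute uid,
    scope sub, filter objectclass=*.
    """
    parts = urlsplit(url)
    fields = [unquote(f) for f in parts.query.split("?")] if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    # The module strips one pair of outer parentheses from the URL filter and
    # puts them back when it assembles the search expression.
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]
    return {
        "host": parts.netloc,
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope if scope in ("one", "sub") else "sub",
        "filter": filt or "objectclass=*",
    }

def build_user_filter(url: str, username: str) -> str:
    """The expression sent to the directory: (&(filter)(attribute=user))."""
    cfg = parse_auth_ldap_url(url)
    return "(&(%s)(%s=%s))" % (cfg["filter"], cfg["attribute"],
                               escape_filter_value(username))

# AttributeDescription (name or numeric OID, optional ;options) and an
# assertion value in which only \xx escapes may introduce ( ) or \.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|[0-9]+(?:\.[0-9]+)*")
_VALUE = re.compile(r"(?:[^()\\]|\\[0-9A-Fa-f]{2})*")

def is_valid_filter(expr: str) -> bool:
    """Recursive-descent check of RFC 4515 syntax: (&...), (|...), (!...)
    and the item forms attr=value, attr>=value, attr<=value, attr~=value."""
    def item(pos):
        if pos >= len(expr) or expr[pos] != "(":
            return None
        pos += 1
        if pos < len(expr) and expr[pos] in "&|":
            pos, count = pos + 1, 0
            while (nxt := item(pos)) is not None:
                pos, count = nxt, count + 1
            if count == 0:
                return None
        elif pos < len(expr) and expr[pos] == "!":
            pos = item(pos + 1)
            if pos is None:
                return None
        else:
            m = _ATTR.match(expr, pos)
            if not m:
                return None
            pos = m.end()
            if expr.startswith("=", pos):
                pos += 1
            elif expr[pos:pos + 2] in (">=", "<=", "~="):
                pos += 2
            else:
                return None  # e.g. a stray character between attribute and '='
            pos = _VALUE.match(expr, pos).end()
        return pos + 1 if pos < len(expr) and expr[pos] == ")" else None
    return item(0) == len(expr)

# Constructed inputs: the plain URL from the thread, the same URL with a stray
# quote glued to the attribute name, and the memberOf variant suggested above.
GOOD_URL = "ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName"
STRAY_QUOTE_URL = GOOD_URL + '"'
MEMBEROF_URL = (GOOD_URL + "?sub?(&(objectCategory=person)(memberOf=CN=Development,"
                "OU=Security Groups,OU=VegiBanc,dc=vegibanc,dc=com))")

if __name__ == "__main__":
    for label, url in (("good", GOOD_URL), ("stray quote", STRAY_QUOTE_URL),
                       ("memberOf", MEMBEROF_URL)):
        f = build_user_filter(url, "dweintraub")
        print("%-11s %s -> %s" % (label, f, "ok" if is_valid_filter(f) else "BAD FILTER"))
    # Username chosen to break out of the equality; escaping keeps it literal.
    print(build_user_filter(GOOD_URL, "*)(objectClass=*"))
```

Running the script prints the three assembled filters and marks the stray-quote one as invalid; the last line shows that an attempted filter injection through the username stays a single literal equality because of the escaping. To confirm membership against the directory itself, the filter produced for the memberOf URL can be fed to ldapsearch with the same bind DN the Location block uses. One caveat on that approach: in Active Directory, memberOf reflects direct membership only, so users who belong to Development only through a nested group will not match that filter.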
I'm giving this to daff anyway because his links led me to the actual issue. I couldn't get the filtering to work like daff suggested, but I did find the problem.
The statement that led me to the solution was:
Since we are running a quite similar setup (but not with AD), I reviewed our configuration and found that one can't use Require ldap-group along with Subversion's authorization features.
Several links daff suggested commented on this and offered no solution except to use filtering which I couldn't seem to get to work.
I then decided to look at http.conf, which CollabNet provided. And here's what I saw:
#LoadModule python_module opt/CollabNet_Subversion/modules/mod_python.so
LoadModule dav_svn_module opt/CollabNet_Subversion/modules/mod_dav_svn.so
LoadModule authz_svn_module opt/CollabNet_Subversion/modules/mod_authz_svn.so
#LoadModule dontdothat_module opt/CollabNet_Subversion/modules/mod_dontdothat.so
Ah! They're loading authz_svn_module! I simply disabled it:
#LoadModule python_module opt/CollabNet_Subversion/modules/mod_python.so
LoadModule dav_svn_module opt/CollabNet_Subversion/modules/mod_dav_svn.so
#LoadModule authz_svn_module opt/CollabNet_Subversion/modules/mod_authz_svn.so
#LoadModule dontdothat_module opt/CollabNet_Subversion/modules/mod_dontdothat.so
And then went back to my original configuration in collabnet_subversion.conf:
<Location /svn>
DAV svn
SVNParentPath /mnt/svn/new_repos
SVNListParentPath on
AuthName "VegiBanc Source Repository"
AuthType basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.vegibanc.com/dc=vegibanc,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SVN-Admin,OU=Service Accounts,OU=VegiBanc Users,OU=VegiBanc,DC=vegibanc,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=Development, OU=Security Groups, OU=VegiBanc, dc=vegibanc, dc=com
</Location>
And, it now worked like a charm!
Thanks daff for your help. I think my issue with the filter is that I needed Require valid-user and I hadn't put that in, but this does now work.