Posted to users@subversion.apache.org by hk...@iscs-i.com on 2005/07/11 15:35:56 UTC
"require group" & LDAP Authentication
Hello,
Has anyone successfully gotten the require group directive to work against
an LDAP URL using the config file setup under apache2? Something like this:
AuthLDAPUrl "ldap://mx.foo.com:1389/dc=foo,dc=com?uid?sub?(objectClass=*)"
AuthLDAPGroupAttributeIsDN On
AuthLDAPGroupAttribute member
AuthLDAPGroupAttribute uniquemember
#Require valid-user
Require group "cn=foo Portal AD,ou=Groups,ou=Pr,dc=foo,dc=com"
When I try to connect it allows anyone access even those not in the group.
Strace on the pid suggests that no group info is sent upon apache2 startup
or upon the http request. Any successes out there?
Thanks,
Henry
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: "require group" & LDAP Authentication
Posted by Adam <te...@yahoo.com>.
You're welcome, glad you got it to work!
--- hkatz@iscs-i.com wrote:
> Quoting Adam <te...@yahoo.com>:
>
> > Here is my setup (which works):
>
> Adam,
>
> Thanks for the config. I had figured out that I had been foiled by quoting
> the spec after the require group and been overridden by specifying the
> mod_authz_svn access file as well.
>
> Henry
===== START SIGNATURE =====
Kites rise highest against the wind -- not with it.
-- Winston Churchill
It is better to be hated for what you are than loved for what you are not.
- Andre Gide
If you always do what you've always done you'll always be where you've always been.
-- Bill Purvis;
http://www.cascadehills.com/events/sermons.asp
Blog: http://blogs.whyaskwhy.org/deoren/
===== END SIGNATURE =====
Re: "require group" & LDAP Authentication
Posted by hk...@iscs-i.com.
Quoting Adam <te...@yahoo.com>:
> Here is my setup (which works):
Adam,
Thanks for the config. I had figured out that I had been foiled by quoting
the spec after the require group and been overridden by specifying the
mod_authz_svn access file as well.
Henry
Re: "require group" & LDAP Authentication
Posted by Adam <te...@yahoo.com>.
Here is my setup (which works):

# We will use OpenLDAP Authentication
AuthName "T3 Subversion Repositories"
AuthType Basic
AuthLDAPAuthoritative on
AuthLDAPEnabled on
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute memberUid
AuthLDAPUrl ldap://localhost:389/ou=users,o=COMPANY?uid

# Only system administrators need access here.
Require group cn=system-admins, ou=groups, o=COMPANY

To give you an idea of what my LDAP directory looks
like (very simple), here is a group entry:

#################################################################
# Create the system-admins objectClass: posixGroup
#################################################################
dn: cn=system-admins,ou=groups,o=COMPANY
objectClass: posixGroup
objectClass: top
cn: system-admins
gidNumber: 300
description: This group will have privs to access system config repos.
memberUid: uid=FIRST.LAST,ou=users,o=COMPANY
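
The two causes Henry reports in this thread (a quoted DN after Require group, and a mod_authz_svn access file configured alongside it) are easy to reintroduce when a config is edited later. The following check is an added example, not code from the thread or from Apache or Subversion; it flags both patterns in a config file. The <Location /svn> wrapper, the access-file path, and the function and finding names are assumptions made for the example.

```python
import re

# Constructed: Henry's directives in a hypothetical <Location>; the access-file path is made up.
SAMPLE_BROKEN = """
<Location /svn>
  AuthLDAPUrl "ldap://mx.foo.com:1389/dc=foo,dc=com?uid?sub?(objectClass=*)"
  AuthLDAPGroupAttributeIsDN On
  AuthLDAPGroupAttribute member
  #Require valid-user
  Require group "cn=foo Portal AD,ou=Groups,ou=Pr,dc=foo,dc=com"
  AuthzSVNAccessFile /etc/svn/access.conf
</Location>
"""

# Constructed sample: Adam's working directives in the same hypothetical block.
SAMPLE_FIXED = """
<Location /svn>
  AuthLDAPUrl ldap://localhost:389/ou=users,o=COMPANY?uid
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPGroupAttribute memberUid
  Require group cn=system-admins, ou=groups, o=COMPANY
</Location>
"""

def _close(scope, findings):
    # Flag an access file only when its container also holds a Require group.
    if scope["group"] and scope["authz"]:
        findings.append((scope["authz"], "authz-svn-file-with-require-group"))

def lint_require_group(conf):
    """Return sorted (line_number, code) findings; checks one container at a time."""
    findings, stack = [], [{"group": 0, "authz": 0}]
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        if line.startswith("</"):
            if len(stack) > 1:
                _close(stack.pop(), findings)
        elif line.startswith("<"):
            stack.append({"group": 0, "authz": 0})
        elif m := re.match(r"require\s+group\s+(.*)", line, re.I):
            stack[-1]["group"] = n
            if m.group(1).startswith(('"', "'")):
                findings.append((n, "quoted-group-dn"))
        elif re.match(r"authzsvnaccessfile\b", line, re.I):
            stack[-1]["authz"] = n
    while stack:
        _close(stack.pop(), findings)
    return sorted(findings)
```

A finding is a prompt to test the location with an account that is outside the group and confirm the request is refused.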