Posted to users@subversion.apache.org by Giulio T <gi...@uk.linedata.com> on 2009/03/30 14:00:22 UTC

LDAP, auth file and CN

Hello everybody,

Let me start saying that I haven't seen anything in the FAQ for my problem and the search of the mailing list I did returned a lot of posts regarding how to set up LDAP, but those didn't help. I think there was one post that was exactly about what I am trying to achieve but I think it said that it wasn't possible. So I want to check whether that's really/still the case.

I have successfully set up Apache (2.0) to authenticate developers. My problem now is authorization.

I was able to get two types of "userid" from Apache: the Windows user id (something like gtroccoli) or the full string from LDAP (something like Author: CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North). This is "switched" by using the AuthLDAPRemoteUserIsDN directive in Apache.

My problem is now how to write the authorization file.

If I set the directive off, then I can write the auth file like the following

[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = gtroccoli

[svn-test:/]
@svn-admin = rw
@developers = rw

The problem with this approach is that I can still authenticate using Gtroccoli but that will not authorize me (because of the case).

If I set the directive on, then the auth file will look like (not 100% sure where to put the quotes though)

[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = "CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North"

[svn-test:/]
@svn-admin = rw
@developers = rw

Which would work no matter how I authenticate. However it's a PITA to write for all developers, testers, and other groups we are planning to authorize (or not).

What I would like is to be able to use any case for my id (even gTroCcOli) if I want, then the LDAP module returned only the Common Name (Giulio Troccoli) and I can use that in the auth file

[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = Giulio Troccoli

[svn-test:/]
@svn-admin = rw
@developers = rw

Is it at all possible?

My Apache conf file (the part for subversion) is

<Location /svn-test>
        DAV svn
        SVNPath /data/TestRepositories/svn-test

        SVNReposName "Subversion Testing Repository"

        # Authentication
        AuthType Basic
        AuthName "Subversion Testing Repository"
        AuthLDAPURL "ldap://******:389/*****?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "****"
        AuthLDAPBindPassword *****
        AuthLDAPRemoteUserIsDN on

        # Access Control Policy
        AuthAuthoritative Off
        AuthUserFile /etc/httpd/etc/svn-test.passwd
        AuthzSVNAccessFile /etc/httpd/etc/svn-test.access

        # How to authenticate a user

        # Always require an authenticated user
        Order deny,allow
        Require valid-user
</Location>

The AuthAuthoritative directive is there so I can also use a normal password file for users (like Subversion administrators) that are not in our company AD.

Giulio


Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851    VAT Reg No 778499447

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1482281

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].


RE: LDAP, auth file and CN

Posted by "Bolstridge, Andrew" <an...@intergraph.com>.
> -----Original Message-----
> From: Jeremy Whitlock [mailto:jcscoobyrs@gmail.com]
> Sent: Tuesday, March 31, 2009 4:56 PM
> To: Giulio Troccoli
> Cc: users@subversion.tigris.org
> Subject: Re: LDAP, auth file and CN

[...] 

> In the end, are you sure you're not complicating things?  I mean, I
> can see this being an edge case where a user uses the wrong casing for
> their credentials but wouldn't it be much simpler to explain things
> when this happens instead of altering the tooling to work around a
> potential problem that is user-created?  I mean, when I'm told my
> username is "jwhitlock", I use "jwhitlock", I don't use "Jwhitlock" or
> "jWhitlock" or some other permutation.  Is that such a hard thing to
> relay?
> 

To a user, yes. It's a human-computer-interaction thing that's commonly
misunderstood by developers. The computer is case sensitive, therefore
you the user must be case insensitive too. Strangely, no-one thinks to
make the computer work the way humans work.

There are places where case sensitivity has its place. This is not one
of them. But in the absence of a solution, Jeremy's advice is the
simplest resolution.



Re: LDAP, auth file and CN

Posted by Jeremy Whitlock <jc...@gmail.com>.
> Thanks Jeremy, that's the article I used to set Apache and LDAP up. But it doesn't mention anything about what I want to do now.

Actually, it did.  When you're creating an AuthLDAPURL, you tell
Apache which user object attribute to use to find a user to
authenticate.  In the article, it uses the following url:

ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)

As documented in the "Search for Users" section of the article, the
"sAMAccountName" is being used, which is the login name.  If you
wanted to use the Common Name, you'd do the following:

ldap://your.domain:389/DC=your,DC=domain?CN?sub?(objectClass=*)

If I remember correctly, you said "What I would like is to be able to
use any case for my id (even gTroCcOli) if I want, then the LDAP
module returned only the Common Name (Giulio Troccoli)" and in this
case, I do tell you how to allow Apache to authenticate you based on
your Common Name.  So instead of Apache having to do something out of
the ordinary, like allow you to login with sAMAccountName but give you
or return the Common Name, you can just authenticate with the Common
Name and Apache will pass that to Subversion for authz.

If that is not an option, meaning you do want to login with
sAMAccountName instead of the Common Name, you might be out of luck.
Apache authenticates based on the user object attribute you mentioned
in the AuthLDAPURL.  All Apache does is find a user based on the user
object attribute in the AuthLDAPURL and then verifies the credentials.
Nothing is "returned" as you say.  But...whatever you use to
authenticate for Apache is what Subversion gets to do its authz.

In the end, are you sure you're not complicating things?  I mean, I
can see this being an edge case where a user uses the wrong casing for
their credentials but wouldn't it be much simpler to explain things
when this happens instead of altering the tooling to work around a
potential problem that is user-created?  I mean, when I'm told my
username is "jwhitlock", I use "jwhitlock", I don't use "Jwhitlock" or
"jWhitlock" or some other permutation.  Is that such a hard thing to
relay?

-- 
Take care,

Jeremy Whitlock
http://www.thoughtspark.org


RE: LDAP, auth file and CN

Posted by Giulio T <gi...@uk.linedata.com>.
> I wrote a script that will take group definitions in a
> directory server (LDAP as you say it) and reproduce those
> groups within Subversion's authz file so you can do
> group-level permissioning:
> http://www.thoughtspark.org/node/26  It will not fix the
> casing issue, which isn't really Subversion's fault because
> some systems are case sensitive.

Unfortunately the script works if you have groups in the AD, which I don't think we do, at least not specific to the product under Subversion.

> Yes.  You tell Apache what object attribute to use for the
> user id.  I know you said you didn't find a good LDAP article
> for Apache but it just so happens I wrote one recently that
> describes every piece of this:
> http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html
> Let me know if you are still having troubles.

Thanks Jeremy, that's the article I used to set Apache and LDAP up. But it doesn't mention anything about what I want to do now.

Giulio





Re: LDAP, auth file and CN

Posted by Craig McQueen <ce...@mcqueen.id.au>.
Jeremy Whitlock wrote:
>> [groups]
>> svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
>> developers = "CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North"
>>
>> [svn-test:/]
>> @svn-admin = rw
>> @developers = rw
>>
>> Which would work no matter how I authenticate. However it's a PITA to write for all developers, testers, and other groups we are planning to authorize (or not).
>>     
>
> I wrote a script that will take group definitions in a directory
> server (LDAP as you say it) and reproduce those groups within
> Subversion's authz file so you can do group-level permissioning:
> http://www.thoughtspark.org/node/26  It will not fix the casing issue,
> which isn't really Subversion's fault because some systems are case
> sensitive.
>
>   
>> What I would like is to be able to use any case for my id (even gTroCcOli) if I want, then the LDAP module returned only the Common Name (Giulio Troccoli) and I can use that in the auth file
>>
>> [groups]
>> svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
>> developers = Giulio Troccoli
>>
>> [svn-test:/]
>> @svn-admin = rw
>> @developers = rw
>>
>> Is it at all possible?
>>     
>
> Yes.  You tell Apache what object attribute to use for the user id.  I
> know you said you didn't find a good LDAP article for Apache but it
> just so happens I wrote one recently that describes every piece of
> this: http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html
> Let me know if you are still having troubles.
>
>   
Try this:
AuthLDAPRemoteUserAttribute userPrincipalName
which, if using Windows Active Directory, fills REMOTE_USER with e.g.:
cmcqueen@mycompany.com.au

Note that userPrincipalName must be listed as one of the attributes in
the AuthLDAPURL line.

I think if you use that, then the case will be consistently whatever is 
in the LDAP directory, rather than what the user logs in with.

Regards,
Craig McQueen
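Jeremy's point above (whatever string Apache authenticates with is exactly what Subversion's authz compares against) and Craig's (with AuthLDAPRemoteUserAttribute the case is whatever the directory holds) both come down to a byte-for-byte comparison, so an authz entry that differs from the directory spelling only in case is silently dead. The script below is an added example, not code from this thread or from Jeremy's script; the authz text and the list of directory-supplied names are constructed samples, and the audit assumes the canonical spelling is what the directory returns.

```python
"""Audit a Subversion authz file for member names that can never match.

Subversion compares REMOTE_USER against the authz file byte-for-byte,
so "Gtroccoli" never matches "gtroccoli". Added example, not code from
the thread; the authz text and directory user list are constructed.
"""
import configparser

# Constructed authz file in the shape Giulio posted (one entry with
# "wrong" case added on purpose).
AUTHZ_TEXT = """\
[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = gtroccoli, JSmith

[svn-test:/]
@svn-admin = rw
@developers = rw
"""

# Constructed: the exact REMOTE_USER values the directory would hand
# Apache (e.g. sAMAccountName as stored in AD), i.e. canonical spelling.
DIRECTORY_USERS = ["gtroccoli", "jsmith", "svn", "svnsync"]


def parse_authz(text):
    """Return {group: [members]} preserving case. configparser lowercases
    keys by default, which would hide exactly the bug we are hunting."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of group names and paths
    cp.read_string(text)
    return {name: [m.strip() for m in members.split(",") if m.strip()]
            for name, members in cp["groups"].items()}


def is_authorized(user, groups, group_name):
    """Exact-match membership check, the way Subversion's authz does it."""
    return user in groups.get(group_name, [])


def audit_case_mismatches(groups, directory_users):
    """Flag members that equal a directory user only when case is ignored:
    those lines look correct but will always be denied."""
    canonical = {u.lower(): u for u in directory_users}
    findings = []
    for gname, members in groups.items():
        for m in members:
            real = canonical.get(m.lower())
            if real is not None and real != m:
                findings.append((gname, m, real))
    return findings
```

Members that are not in the directory at all (the local passwd-file admins here) are left alone, since the audit only knows about names the directory supplies.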


Re: LDAP, auth file and CN

Posted by Jeremy Whitlock <jc...@gmail.com>.
> [groups]
> svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
> developers = "CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North"
>
> [svn-test:/]
> @svn-admin = rw
> @developers = rw
>
> Which would work no matter how I authenticate. However it's a PITA to write for all developers, testers, and other groups we are planning to authorize (or not).

I wrote a script that will take group definitions in a directory
server (LDAP as you say it) and reproduce those groups within
Subversion's authz file so you can do group-level permissioning:
http://www.thoughtspark.org/node/26  It will not fix the casing issue,
which isn't really Subversion's fault because some systems are case
sensitive.

> What I would like is to be able to use any case for my id (even gTroCcOli) if I want, then the LDAP module returned only the Common Name (Giulio Troccoli) and I can use that in the auth file
>
> [groups]
> svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
> developers = Giulio Troccoli
>
> [svn-test:/]
> @svn-admin = rw
> @developers = rw
>
> Is it at all possible?

Yes.  You tell Apache what object attribute to use for the user id.  I
know you said you didn't find a good LDAP article for Apache but it
just so happens I wrote one recently that describes every piece of
this: http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html
Let me know if you are still having troubles.

-- 
Take care,

Jeremy Whitlock
http://www.thoughtspark.org
