Posted to dev@subversion.apache.org by Sean Russell <se...@gsk.com> on 2003/05/21 18:59:03 UTC

LDAP authentication, strange server behavior.

Hi y'all,

I'm observing some behavior that is giving me trouble; I think I have a 
solution, but I'm curious about the possible causes of the problem, and think 
that the issue may be of interest to SVN developers.

The problem, in a nutshell, is that I have a repository that won't allow 
access to users authenticated with LDAP, but will allow authentication with 
other mod_auth Apache modules.  The curious thing about this situation is 
that LDAP authentication /does/ work for (some) other repositories running in 
the same server instance.

The repository giving me trouble is one that I've been lugging around for over 
a year, and it has survived numerous DB upgrades.  I didn't dump/load it for 
my most recent Subversion upgrade (0.21.0), because it didn't seem 
necessary.

Attempts to use LDAP authentication against the "old" repository result in 
client-side messages of:

	svn ci -m "" build.xml
	ser's password:
	username: ser
	ser's password:
	svn: Authorization failed
	svn: Commit failed (details follow):
	svn: OPTIONS request failed on /svn/repos/rexml/branches/3.0
	svn: OPTIONS of /svn/repos/rexml/branches/3.0: authorization failed

and server-side messages of:

	user ser not found: /svn/repos/!svn/act/8dcaa690-2dbe-0310-bdb9-d8d87bbec96c

As I've said, if I change the Apache config to use basic htpasswd 
authentication, I can access the repository normally -- that is, perform 
restricted actions -- and if I create /new/ repositories, I'm able to 
authenticate with LDAP for them.

I've narrowed this down to being a difference between the BerkeleyDB 
repositories themselves, by process of elimination: the only difference in 
the apache configurations for the new and old repositories is the SVNPath 
(and the <Location>).  Both repositories are running in the same server 
instance.  The user and group ownerships and permissions on all files and 
directories in both repositories are the same.

The only thing I haven't tried (yet) is a dump/load -- which, BTW, I suspect 
will solve the problem.  However, I'm curious about the source of this 
problem -- this looks entirely like a DB issue, and I'm surprised that 
authentication issues are affecting (or being affected by) things at the DB 
layer.

Thanks,

--- SER

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: LDAP authentication, strange server behavior.

Posted by Mukund <mu...@tessna.com>.
| will solve the problem.  However, I'm curious about the source of this 
| problem -- this looks entirely like a DB issue, and I'm surprised that 
| authentication issues are affecting (or being affected by) things at the DB 
| layer.

Can you add the httpd.conf file and any other .htaccess files which are
involved for the repository location to your report?

Mukund



Re: LDAP authentication, strange server behavior.

Posted by Greg Stein <gs...@lyra.org>.
On Wed, May 21, 2003 at 08:22:28PM -0400, Sean E. Russell wrote:
> On Wednesday 21 May 2003 15:15, Sander Striker wrote:
> > > The only thing I haven't tried (yet) is a dump/load -- which, BTW, I
> > > suspect will solve the problem.  However, I'm curious about the source of
> ...
> > Dumping and loading won't make any difference whatsoever.  This sounds like
> > a misconfig of httpd.
> 
> You're right.  I'm still not sure why, but changing the <Location> path made 
> it work, so at this point I'm assuming it is an Apache configuration issue.  
> I have no idea why one authentication mechanism works while the other fails, 
> when both work on other repositories on the same server.

I've seen problems where a person's docroot contains one or more of the path
elements in the repository's Location path.

For example:

<Location /repos/svn>
  ...
</Location>

If you have a repos/svn/ directory in your docroot, then funny things can
happen. I think just a repos/ will be fine.

But take a look. See if your old (borken) location had a mapping elsewhere
in your config or within the docroot. That may have been the problem.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
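
A check for the overlap described in the message above, as an added example that is not part of the original thread: it reads the DocumentRoot and literal <Location> paths from httpd.conf text and reports which Location paths also exist as directories under the docroot. The function names and the sample paths other than /repos/svn are constructed for illustration; it assumes a single DocumentRoot and does not follow Alias, <LocationMatch> or virtual hosts.

```python
import os
import re
import tempfile

LOCATION_RE = re.compile(r'^\s*<Location\s+"?([^">\s]+)"?\s*>', re.IGNORECASE)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.IGNORECASE)

def parse_config(text):
    """Return (DocumentRoot, [Location paths]) found in httpd.conf text."""
    docroot, locations = None, []
    for line in text.splitlines():
        if (m := DOCROOT_RE.match(line)):
            docroot = m.group(1)
        elif (m := LOCATION_RE.match(line)):
            locations.append(m.group(1))
    return docroot, locations

def overlap(docroot, location):
    """Leading elements of a Location path that exist as directories in docroot."""
    found, current = [], docroot
    for part in filter(None, location.split("/")):
        current = os.path.join(current, part)
        if not os.path.isdir(current):
            break
        found.append(part)
    return found

def audit(conf_text, docroot=None):
    """Map each Location to 'full' (whole path on disk), 'partial' or 'none'."""
    conf_docroot, locations = parse_config(conf_text)
    root = docroot or conf_docroot
    result = {}
    for loc in locations:
        parts = [p for p in loc.split("/") if p]
        found = overlap(root, loc)
        result[loc] = "full" if parts and found == parts else ("partial" if found else "none")
    return result

def demo():
    """Constructed layout: docroot holds repos/svn/ and an unrelated other/ directory."""
    conf = ('DocumentRoot "/var/www/html"\n'
            "<Location /repos/svn>\n  DAV svn\n</Location>\n"
            "<Location /other/code>\n  DAV svn\n</Location>\n"
            "<Location /clean>\n  DAV svn\n</Location>\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "repos", "svn"))
        os.makedirs(os.path.join(root, "other"))
        return audit(conf, docroot=root)

if __name__ == "__main__":
    for location, status in demo().items():
        print(f"{location}: {status}")
```

A "full" result is the case the message warns about; "partial" corresponds to having only the leading directory (just repos/) in the docroot.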


Re: LDAP authentication, strange server behavior.

Posted by "Sean E. Russell" <se...@germane-software.com>.
On Wednesday 21 May 2003 15:15, Sander Striker wrote:
> > The only thing I haven't tried (yet) is a dump/load -- which, BTW, I
> > suspect will solve the problem.  However, I'm curious about the source of
...
> Dumping and loading won't make any difference whatsoever.  This sounds like
> a misconfig of httpd.

You're right.  I'm still not sure why, but changing the <Location> path made 
it work, so at this point I'm assuming it is an Apache configuration issue.  
I have no idea why one authentication mechanism works while the other fails, 
when both work on other repositories on the same server.

At this point, it seems to have nothing to do with Subversion.  Sorry for the 
noise.

-- 
### SER   Deutsch|Esperanto|Francaise|Linux|Java|Ruby|Aikido|Dirigibles ###
### http://www.germane-software.com/~ser  jabber.com:ser  ICQ:83578737  ###
### GPG: http://www.germane-software.com/~ser/Security/ser_public.gpg   ###

RE: LDAP authentication, strange server behavior.

Posted by Sander Striker <st...@apache.org>.
> From: Sean Russell [mailto:sean.2.russell@gsk.com]
> Sent: Wednesday, May 21, 2003 8:59 PM

[...]
> The only thing I haven't tried (yet) is a dump/load -- which, BTW, I suspect 
> will solve the problem.  However, I'm curious about the source of this 
> problem -- this looks entirely like a DB issue, and I'm surprised that 
> authentication issues are affecting (or being affected by) things at the DB 
> layer.

Dumping and loading won't make any difference whatsoever.  This sounds like
a misconfig of httpd.


Sander
