Posted to users@httpd.apache.org by Dale Bohl <DB...@masoncompaniesinc.com> on 2010/11/18 21:51:54 UTC
[users@httpd] Nested AD groups with Require group
Hello,
I've been banging my head on this one for days now.
Are nested AD groups supported with mod_auth_pam?
I've googled this issue, but it appears not many admins are using this and/or it could possibly be a bug in the apache module.
Config
------
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Server version: Apache/2.2.3
svn, version 1.6.12 (r955767)
Windows 2008 R2
It appears that we cannot use Active Directory Permissions Groups with the s-svn server for Subversion repository authentication and authorization, but yet AD Role groups work just fine.
subversion.conf config for "puppet" repository
------------------------------------------------
#================puppet repo===================================
<Location /puppet>
    DAV svn
    SVNPath /repos/puppet
    AuthPAM_Enabled on
    AuthType Basic
    AuthName "Subversion Authentication to AD"
    # Limit R/W access to certain role groups
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        # Require group SVN-Puppet-ReadWrite-P
        Require group IT-InfrastructureTeam-SystemAdministrator-R
    </LimitExcept>
    # Limit R/O access to certain role group
    <Limit GET PROPFIND OPTIONS REPORT>
        # Require group SVN-Puppet-ReadWrite-P
        Require group IT-InfrastructureTeam-SystemAdministrator-R
    </Limit>
</Location>
The interesting thing is that AD Role Groups appear to work fine within
the Location directive config above which shows the role group for which
I'm a member.
If the above config is changed to use the Permissions group shown commented out, authentication doesn't work, and when that happens I'm seeing the following error in ssl_error_log:
[Fri Nov 12 13:10:18 2010] [error] [client 172.16.4.7] GROUP: dpb not in required group(s).
So, even though the following User > Role > Permissions > Resource association exists, the group with '-P' in it above won't allow dpb to authenticate for repo access:
dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R, and IT-InfrastructureTeam-SystemAdministrator-R is a member of the SVN-Puppet-ReadWrite-P AD group.
Any help would be greatly appreciated.
--------
Dale Bohl
Sr. Systems Administrator
Mason Companies, Inc.
dbohl@masoncompaniesinc.com
(715)-720-4382
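The membership chain described in the post, as an added example (this is not code from the post, from Apache httpd or from mod_auth_pam): a Python model of what a flat group check versus a nested-aware one returns for dpb, plus the Active Directory LDAP filter that asks the domain controller to expand nested groups itself. The directory snapshot is constructed from the post's group names; the DNs under DC=example,DC=com and the OU layout are assumptions.

```python
"""Nested AD group resolution: flat vs. transitive 'Require group' checks.

Added example, not code from the original post or from Apache httpd /
mod_auth_pam. The directory below is a constructed snapshot that models the
membership chain described in the post; the DNs, the OU names and the
DC=example,DC=com suffix are assumptions.
"""
from collections import deque

BASE_DN = "DC=example,DC=com"          # assumed suffix


def dn(cn, ou):
    """Build a DN for a constructed object (naming layout is assumed)."""
    return f"CN={cn},OU={ou},{BASE_DN}"


USER_DPB = dn("dpb", "Users")
GROUP_R = dn("IT-InfrastructureTeam-SystemAdministrator-R", "Groups")
GROUP_P = dn("SVN-Puppet-ReadWrite-P", "Groups")

# Constructed snapshot of each object's memberOf attribute:
#   dpb -> ...-R (direct);  ...-R -> ...-P (so dpb is only indirectly in -P)
DIRECTORY = {
    USER_DPB: [GROUP_R],
    GROUP_R: [GROUP_P],
    GROUP_P: [],
}


def direct_groups(directory, obj_dn):
    """What a flat memberOf lookup (one level only) sees."""
    return set(directory.get(obj_dn, []))


def transitive_groups(directory, obj_dn, max_depth=10):
    """Expand memberOf breadth-first, which is what a nested-aware check has
    to do. AD permits group cycles, so visited groups are tracked, and
    max_depth bounds the walk as a safety net."""
    seen = set()
    queue = deque((g, 1) for g in direct_groups(directory, obj_dn))
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        if depth < max_depth:
            queue.extend((parent, depth + 1)
                         for parent in direct_groups(directory, group))
    return seen


def require_group(directory, user_dn, group_dn, nested):
    """Emulate an Apache 'Require group <g>' decision for user_dn.
    nested=False: only direct membership counts (reproduces the post's
    symptom: dpb is rejected for the -P group).
    nested=True: membership via intermediate groups also counts."""
    groups = (transitive_groups(directory, user_dn) if nested
              else direct_groups(directory, user_dn))
    return group_dn in groups


def ldap_filter_escape(value):
    """RFC 4515 escaping so a user-supplied name cannot alter the filter."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(sam_account_name, group_dn):
    """LDAP filter that makes the domain controller do the nested expansion
    itself, via the AD-specific LDAP_MATCHING_RULE_IN_CHAIN rule
    (OID 1.2.840.113556.1.4.1941). A search with this filter returns the user
    entry only if it is a direct or indirect member of group_dn."""
    return ("(&(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))"
            % (ldap_filter_escape(sam_account_name),
               ldap_filter_escape(group_dn)))


if __name__ == "__main__":
    for nested in (False, True):
        print("nested=%-5s  -R: %s  -P: %s" % (
            nested,
            require_group(DIRECTORY, USER_DPB, GROUP_R, nested),
            require_group(DIRECTORY, USER_DPB, GROUP_P, nested)))
    print(in_chain_filter("dpb", GROUP_P))
```

The in-chain matching rule is specific to Active Directory; OpenLDAP has no equivalent, so a check against a non-AD directory has to walk memberOf itself as transitive_groups does. Whichever side does the expansion, bound the depth and track visited groups, since a group cycle in AD is legal and would otherwise loop the check.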
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org