Posted to users@httpd.apache.org by Dale Bohl <DB...@masoncompaniesinc.com> on 2010/11/18 21:51:54 UTC

[users@httpd] Nested AD groups with Require group

Hello,

    I've been banging my head on this one for days now.

Are nested AD groups supported with mod_auth_pam?

I've googled this issue but it appears not many admins are using this
and/or it could possibly be a bug in the apache module.

Config
------
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Server version: Apache/2.2.3
svn, version 1.6.12 (r955767)
Windows 2008 R2

   It appears that we cannot use Active Directory Permissions Groups
with the s-svn server for Subversion repository authentication and
authorization, yet AD Role groups work just fine.

subversion.conf config for "puppet" repository
------------------------------------------------
#================puppet repo===================================
<Location /puppet>
   DAV svn
   SVNPath /repos/puppet
   AuthPAM_Enabled on
   AuthType Basic
   AuthName "Subversion Authentication to AD"

   # Limit R/W access to certain role groups
   <LimitExcept GET PROPFIND OPTIONS REPORT>
#      Require group SVN-Puppet-ReadWrite-P
      Require group IT-InfrastructureTeam-SystemAdministrator-R
   </LimitExcept>

   # Limit R/O access to certain role group
   <Limit GET PROPFIND OPTIONS REPORT>
#      Require group SVN-Puppet-ReadWrite-P
      Require group IT-InfrastructureTeam-SystemAdministrator-R
   </Limit>
</Location>

The interesting thing is that AD Role Groups appear to work fine within
the Location directive config above which shows the role group for which
I'm a member.

If the above config is changed to use the Permissions group shown
commented out, authentication doesn't work and when that happens I'm
seeing the following error in ssl_error_log.

[Fri Nov 12 13:10:18 2010] [error] [client 172.16.4.7] GROUP: dpb not in
required group(s).

So, even though the following User > Role > Permissions > Resource
association exists, the group with '-P' in it above won't allow dpb to
authenticate for repo access.

dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R and
IT-InfrastructureTeam-SystemAdministrator-R is a member of the
SVN-Puppet-ReadWrite-P AD group

Any help would be greatly appreciated.

--------
Dale Bohl
Sr. Systems Administrator
Mason Companies, Inc.
dbohl@masoncompaniesinc.com
(715)-720-4382
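An added illustration of the membership chain described in the mail above (example code, not from the original post and not mod_auth_pam's own logic): a flat, direct-membership lookup compared with a transitive one that follows group-in-group nesting, so the difference between the two outcomes for dpb can be reproduced offline. The membership map is constructed to mirror the group names in the mail; it is not a live directory query.

```python
from collections import deque

# Constructed membership map mirroring the post: each entry lists the
# groups that a principal (user or group) is a *direct* member of.
# Sample data only, not read from Active Directory.
MEMBER_OF = {
    "dpb": ["IT-InfrastructureTeam-SystemAdministrator-R"],
    "IT-InfrastructureTeam-SystemAdministrator-R": ["SVN-Puppet-ReadWrite-P"],
    "SVN-Puppet-ReadWrite-P": [],
}


def direct_member(user, group, member_of=MEMBER_OF):
    """Flat check: true only if the user is listed in the group itself.
    This is the kind of lookup the mail's error message points to."""
    return group in member_of.get(user, [])


def effective_groups(user, member_of=MEMBER_OF):
    """Transitive closure of group membership, following nesting.
    The visited set guards against cycles in the directory data."""
    seen = set()
    queue = deque(member_of.get(user, []))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(member_of.get(g, []))
    return seen


def nested_member(user, group, member_of=MEMBER_OF):
    """True if the user reaches the group through any chain of nesting."""
    return group in effective_groups(user, member_of)


def require_group_decision(user, required, resolve_nested, member_of=MEMBER_OF):
    """Mimic 'Require group A B ...': allow if any listed group matches,
    using either the flat or the transitive membership test."""
    check = nested_member if resolve_nested else direct_member
    return any(check(user, g, member_of) for g in required)


if __name__ == "__main__":
    for g in ("IT-InfrastructureTeam-SystemAdministrator-R", "SVN-Puppet-ReadWrite-P"):
        print(g, "direct:", direct_member("dpb", g), "nested:", nested_member("dpb", g))
```

With the flat test the "-P" group is denied for dpb and the "-R" group is allowed, which matches the two results reported in the mail; the transitive test allows both.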


