Posted to users@subversion.apache.org by Richard Orta <ro...@handango.com> on 2007/08/28 04:10:58 UTC

Dual Authentication (LDAP/file authentication)

Hello!

We are using Subversion and Apache with LDAP for authentication. We have
a good configuration for accessing the LDAP service. For example, one of
our project repositories would use a configuration similar to the
following:

 

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /project1>
        DAV svn
        SVNPath /home/svn/repositories/project1
        AuthType Basic
        Options Indexes FollowSymLinks
        AllowOverride None
        Order Deny,Allow
        Deny from all
        Allow from mycompany.com
        AuthName "svnauthority"
        SVNAutoversioning on
        AuthLDAPURL ldap://ldap-server.mycompany.com:389/OU=Departments,OU=ManagedUsers,DC=mycompany,DC=com?sAMAccountName
        AuthLDAPBindDN "CN=svnauthority,CN=Users,DC=mycompany,DC=com"
        AuthLDAPBindPassword "********"
        Require valid-user
</Location>

 

 

But, now we have a need for an account that is not tied to LDAP. This
pseudo-account will be created locally on the Unix server running
Apache/Subversion by using htpasswd. In other words, it will not have an
LDAP or /etc/passwd entry.  It will only exist in the password file
(created by htpasswd). So, we want the server to check LDAP first, then
if the account is not found, check the local file for the password.

 

Does anyone know how to configure Subversion/Apache to allow for
authentication using both LDAP and the local password file?

 

If this is already in the mail list, my apologies. I've been looking all
day and have not found it, yet. 

 

Thanks!

--Richard

Re: Dual Authentication (LDAP/file authentication)

Posted by David Ferguson <fe...@gmail.com>.
Richard,

We have this exact problem at my company.  We ended up adding a second
<Location> section that points to the same repository but uses a password
file instead of LDAP.  The location is slightly different (in your case it
would be "project1_rel").  With this method, normal users use the standard
URL: http://svn.mycompany.com/project1.  The special, password file users
use the other URL: http://svn.mycompany.com/project1_rel.  This works for us
because the special users are only accessing the repository via scripted
cron jobs--the URL can be easily changed on the fly.

However, I would love to see a better solution that doesn't require a second
<Location> directive.  Anyone?

thanks,
David


On 8/28/07, Richard Orta <ro...@handango.com> wrote:
>
>  Hello!
>
> We are using Subversion and Apache with LDAP for authentication. We have a
> good configuration for accessing the LDAP service. For example, one of our
> project repositories would use a configuration similar to the following:
>
>
>
> LoadModule dav_svn_module     modules/mod_dav_svn.so
> LoadModule authz_svn_module   modules/mod_authz_svn.so
>
> <Location /project1>
>         DAV svn
>         SVNPath /home/svn/repositories/project1
>         AuthType Basic
>         Options Indexes FollowSymLinks
>         AllowOverride None
>         Order Deny,Allow
>         Deny from all
>         Allow from mycompany.com
>         AuthName "svnauthority"
>         SVNAutoversioning on
>         AuthLDAPURL ldap://ldap-server.mycompany.com:389/OU=Departments,OU=ManagedUsers,DC=mycompany,DC=com?sAMAccountName
>         AuthLDAPBindDN "CN=svnauthority,CN=Users,DC=mycompany,DC=com"
>         AuthLDAPBindPassword "********"
>         Require valid-user
> </Location>
>
>
>
>
>
> But, now we have a need for an account that is not tied to LDAP. This
> pseudo-account will be created locally on the Unix server running
> Apache/Subversion by using htpasswd. In other words, it will not have an
> LDAP or /etc/passwd entry.  It will only exist in the password file (created
> by htpasswd). So, we want the server to check LDAP first, then if the
> account is not found, check the local file for the password.
>
>
>
> Does anyone know how to configure Subversion/Apache to allow for
> authentication using both LDAP and the local password file?
>
>
>
> If this is already in the mail list, my apologies. I've been looking all
> day and have not found it, yet.
>
>
>
> Thanks!
>
> --Richard

Re: Dual Authentication (LDAP/file authentication)

Posted by Rainer Sokoll <R....@intershop.de>.
On Mon, Aug 27, 2007 at 11:10:58PM -0500, Richard Orta wrote:

> But, now we have a need for an account that is not tied to LDAP. This
> pseudo-account will be created locally on the Unix server running
> Apache/Subversion by using htpasswd. In other words, it will not have an
> LDAP or /etc/passwd entry.  It will only exist in the password file
> (created by htpasswd). So, we want the server to check LDAP first, then
> if the account is not found, check the local file for the password.

Since you seem to use 2.2.x:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authzldapauthoritative

HTH,
Rainer
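
Added example, not part of any poster's message: a single <Location> for Apache httpd 2.2 that tries LDAP first and then a local htpasswd file, using the AuthzLDAPAuthoritative directive linked above. The AuthUserFile path is a hypothetical placeholder; all other values are copied from the original post.

```apache
# Requires mod_auth_basic, mod_authnz_ldap, mod_authn_file and mod_authz_user.
<Location /project1>
    DAV svn
    SVNPath /home/svn/repositories/project1

    # Host restriction from the original post, unchanged.
    Order Deny,Allow
    Deny from all
    Allow from mycompany.com

    AuthType Basic
    AuthName "svnauthority"

    # Providers are consulted left to right. The file provider is asked only
    # when LDAP reports "user not found"; a wrong password for a name that
    # exists in LDAP is rejected without falling through to the file, so a
    # local account must use a name that does not exist in the directory.
    AuthBasicProvider ldap file

    AuthLDAPURL ldap://ldap-server.mycompany.com:389/OU=Departments,OU=ManagedUsers,DC=mycompany,DC=com?sAMAccountName
    AuthLDAPBindDN "CN=svnauthority,CN=Users,DC=mycompany,DC=com"
    AuthLDAPBindPassword "********"

    # Local accounts created with htpasswd (hypothetical path). Keep the file
    # outside any served directory and readable only by the httpd user.
    AuthUserFile /etc/httpd/conf/svn-local.htpasswd

    # A file-authenticated user has no LDAP DN, so mod_authnz_ldap cannot
    # authorize it. With this off, the decision is passed on and
    # mod_authz_user can satisfy "Require valid-user".
    AuthzLDAPAuthoritative off

    Require valid-user
</Location>
```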
