Posted to users@subversion.apache.org by Dan Bahena <da...@optionmonster.com> on 2007/08/09 21:50:54 UTC

subversion + openldap

Hi

Here is my scenario:

I need to configure subversion with openldap as the authentication
server. 

I have the following:

CentOS release 5 (Final) with kernel 2.6.18-8.1.8.el5
openldap-2.3.27-5
httpd-2.2.3-7.el5.centos
subversion-1.4.4-0.1.el5.rf

I'm using openldap with a self-signed certificate.

My subversion.conf file looks like this:

-=--=-=-=-
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /repos>
DAV svn
        # Require SSL connection for password protection.
       SSLRequireSSL 


       SVNPath /var/www/svn/repos
       AuthType Basic
       AuthName "Subversion repos"
       AuthLDAPURL ldaps://127.0.0.1:636/ou=People,dc=camhub,dc=com
       Require valid-user
</Location>
-=-=-=-=-=-

At the beginning I configured svn to use a file that stored the user
passwords created with htpasswd. All was working ok there. 

When I try to do a checkout, I get this message:
[dan@danb tmp]$ svn co https://camhub.hostname.com/repos
Error validating server certificate for
'https://camhub.hostname.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: localhost.localdomain
 - Valid: from Jun  5 13:54:58 2007 GMT until Jun  4 13:54:58 2008 GMT
 - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
SomeState, --
 - Fingerprint:
87:eb:e1:c4:e3:c4:66:4c:e8:6a:24:3a:bb:24:4a:73:6d:76:5e:2e
(R)eject, accept (t)emporarily or accept (p)ermanently? p
Authentication realm: <https://camhub.hostname.com:443> Subversion repos
Password for 'dan': 
Authentication realm: <https://camhub.hostname.com:443> Subversion repos
Username: dan
Password for 'dan': 
Authentication realm: <https://camhub.hostname.com:443> Subversion repos
Username: svn
Password for 'svn': 
svn: PROPFIND request failed on '/repos'
svn: PROPFIND of '/repos': authorization failed
(https://camhub.hostname.com)

What am I missing?  I've googled around for a long time, have tried
different configurations/combinations and still have not gotten it to work.
Any help?

Thanks!
-- 
Dan Bahena <da...@optionmonster.com>
OptionMonster Holdings, Inc.

Re: subversion + openldap

Posted by John Peacock <jp...@rowman.com>.
Dan Bahena wrote:
>> When I try to do a checkout, I get this message:
>> [dan@danb tmp]$ svn co https://camhub.hostname.com/repos
>> Error validating server certificate for
>> 'https://camhub.hostname.com:443':
>>  - The certificate is not issued by a trusted authority. Use the
>>    fingerprint to validate the certificate manually!
>>  - The certificate hostname does not match.
>> Certificate information:
>>  - Hostname: localhost.localdomain
>>  - Valid: from Jun  5 13:54:58 2007 GMT until Jun  4 13:54:58 2008 GMT
>>  - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
>> SomeState, --
>>  - Fingerprint:
>> 87:eb:e1:c4:e3:c4:66:4c:e8:6a:24:3a:bb:24:4a:73:6d:76:5e:2e
>> (R)eject, accept (t)emporarily or accept (p)ermanently? p

Just to make this absolutely clear, the above error messages have 
*absolutely* nothing to do with LDAP.  If you want to use a self-signed 
certificate, you should make sure to follow exactly the same rules for 
an external CA signed certificate:

1) the hostname for that server must be set up correctly in DNS;
2) the certificate CN (Common Name) must match the hostname from #1.

Accepting the cert permanently will only really deal with the "not 
issued by a trusted authority" piece; you will probably still get errors 
for the "certificate hostname does not match" problem.  It is easy 
enough to set things up correctly.  I use an internal CA to sign 
certificates for internal sites and distribute the public-CA file to all 
of our internal users.

>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
>> Password for 'dan': 
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
>> Username: dan
>> Password for 'dan': 
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos

To resolve /this/ problem, what you should do is to get an LDAP client of 
some sort and attempt to authenticate outside of Subversion.  Only when 
you confirm that you have LDAP configured correctly to allow remote 
logins should you then try to use LDAP with Subversion.  I suspect that 
you are searching on the wrong attribute (I think the default is CN, but 
you may need to use UID instead).  FWIW, we are authenticating against a 
Novell eDirectory instance using LDAP just fine.

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
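
The out-of-Subversion check suggested in the reply above, as an added example that is not part of the original thread or of either poster's setup: it splits an AuthLDAPURL value into its parts, builds the search filter for a login name, and prints the equivalent OpenLDAP client commands. It assumes the defaults given in the mod_authnz_ldap documentation for omitted fields (attribute uid, scope sub, filter (objectClass=*)); the function names are hypothetical.

```python
import shlex
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its parts."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORT or not u.hostname:
        raise ValueError("expected ldap://host/... or ldaps://host/...")
    attrs, scope, flt = (u.query.split("?", 2) + ["", ""])[:3]
    flt = unquote(flt) or "(objectClass=*)"          # documented default filter
    return {
        "uri": "%s://%s:%d" % (u.scheme, u.hostname,
                               u.port or DEFAULT_PORT[u.scheme]),
        "base": unquote(u.path.lstrip("/")),
        "attribute": attrs.split(",")[0] or "uid",   # only the first one is used
        "scope": scope or "sub",
        "filter": flt if flt.startswith("(") else "(%s)" % flt,
    }

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_filter(cfg, username):
    """Combine the URL's filter with attribute=username, as the module does."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

def client_commands(url, username):
    """Return the two manual steps: find the user's DN, then bind as that DN."""
    cfg = parse_auth_ldap_url(url)
    search = ["ldapsearch", "-x", "-H", cfg["uri"], "-b", cfg["base"],
              "-s", cfg["scope"], search_filter(cfg, username), "dn"]
    # The DN is a placeholder: paste the one printed by the search step.
    bind = ["ldapwhoami", "-x", "-H", cfg["uri"], "-D", "<DN from step 1>", "-W"]
    return [" ".join(shlex.quote(a) for a in cmd) for cmd in (search, bind)]

if __name__ == "__main__":
    # URL taken from the posted subversion.conf; "?cn" is a constructed variant.
    url = "ldaps://127.0.0.1:636/ou=People,dc=camhub,dc=com"
    for variant in (url, url + "?cn"):
        for line in client_commands(variant, "dan"):
            print(line)
```

If the search step returns no entry, the attribute or base DN in the URL does not match how users are stored; if it returns a DN but the bind step fails, the problem is the password or the directory's access rules rather than the search.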


Re: subversion + openldap

Posted by Dan Bahena <da...@optionmonster.com>.
Anybody that has experience doing this kind of setup?

Thanks!

On Thu, 2007-08-09 at 16:50 -0500, Dan Bahena wrote:
> Hi
> 
> Here is my scenario:
> 
> I need to configure subversion with openldap as the authentication
> server. 
> 
> I have the following:
> 
> CentOS release 5 (Final) with kernel 2.6.18-8.1.8.el5
> openldap-2.3.27-5
> httpd-2.2.3-7.el5.centos
> subversion-1.4.4-0.1.el5.rf
> 
> I'm using openldap with a self-signed certificate.
> 
> My subversion.conf file looks like this:
> 
> -=--=-=-=-
> LoadModule dav_svn_module     modules/mod_dav_svn.so
> LoadModule authz_svn_module   modules/mod_authz_svn.so
> 
> <Location /repos>
> DAV svn
>         # Require SSL connection for password protection.
>        SSLRequireSSL 
> 
> 
>        SVNPath /var/www/svn/repos
>        AuthType Basic
>        AuthName "Subversion repos"
>        AuthLDAPURL ldaps://127.0.0.1:636/ou=People,dc=camhub,dc=com
>        Require valid-user
> </Location>
> -=-=-=-=-=-
> 
> At the beginning I configured svn to use a file that stored the user
> passwords created with htpasswd. All was working ok there. 
> 
> When I try to do a checkout, I get this message:
> [dan@danb tmp]$ svn co https://camhub.hostname.com/repos
> Error validating server certificate for
> 'https://camhub.hostname.com:443':
>  - The certificate is not issued by a trusted authority. Use the
>    fingerprint to validate the certificate manually!
>  - The certificate hostname does not match.
> Certificate information:
>  - Hostname: localhost.localdomain
>  - Valid: from Jun  5 13:54:58 2007 GMT until Jun  4 13:54:58 2008 GMT
>  - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
> SomeState, --
>  - Fingerprint:
> 87:eb:e1:c4:e3:c4:66:4c:e8:6a:24:3a:bb:24:4a:73:6d:76:5e:2e
> (R)eject, accept (t)emporarily or accept (p)ermanently? p
> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
> Password for 'dan': 
> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
> Username: dan
> Password for 'dan': 
> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
> Username: svn
> Password for 'svn': 
> svn: PROPFIND request failed on '/repos'
> svn: PROPFIND of '/repos': authorization failed
> (https://camhub.hostname.com)
> 
> What am I missing?  I've googled around for a long time, have tried
> different configurations/combinations and still have not gotten it to work.
> Any help?
> 
> Thanks!