Posted to users@subversion.apache.org by Dan Bahena <da...@optionmonster.com> on 2007/08/09 21:50:54 UTC
subversion + openldap
Hi
Here is my scenario:
I need to configure subversion with openldap as the authentication
server.
I have the following:
CentOS release 5 (Final) with kernel 2.6.18-8.1.8.el5
openldap-2.3.27-5
httpd-2.2.3-7.el5.centos
subversion-1.4.4-0.1.el5.rf
I'm using openldap with a self-signed certificate.
My subversion.conf file looks like this:
-=--=-=-=-
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /repos>
DAV svn
# Require SSL connection for password protection.
SSLRequireSSL
SVNPath /var/www/svn/repos
AuthType Basic
AuthName "Subversion repos"
AuthLDAPURL ldaps://127.0.0.1:636/ou=People,dc=camhub,dc=com
Require valid-user
</Location>
-=-=-=-=-=-
At the beginning I configured svn to use a file that stored the user
passwords created with htpasswd. All was working ok there.
When I try to do a checkout, I get this message:
[dan@danb tmp]$ svn co https://camhub.hostname.com/repos
Error validating server certificate for
'https://camhub.hostname.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: localhost.localdomain
- Valid: from Jun 5 13:54:58 2007 GMT until Jun 4 13:54:58 2008 GMT
- Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
SomeState, --
- Fingerprint:
87:eb:e1:c4:e3:c4:66:4c:e8:6a:24:3a:bb:24:4a:73:6d:76:5e:2e
(R)eject, accept (t)emporarily or accept (p)ermanently? p
Authentication realm: <https://camhub.hostname.com:443> Subversion repos
Password for 'dan':
Authentication realm: <https://camhub.hostname.com:443> Subversion repos
Username: dan
Password for 'dan':
Authentication realm: <https://camhub.hostname.com:443> Subversion repos
Username: svn
Password for 'svn':
svn: PROPFIND request failed on '/repos'
svn: PROPFIND of '/repos': authorization failed
(https://camhub.hostname.com)
What am I missing? I've googled around for a long time, have tried
different configurations/combinations and still have not gotten it to work.
Any help?
Thanks!
--
Dan Bahena <da...@optionmonster.com>
OptionMonster Holdings, Inc.
Re: subversion + openldap
Posted by John Peacock <jp...@rowman.com>.
Dan Bahena wrote:
>> When I try to do a checkout, I get this message:
>> [dan@danb tmp]$ svn co https://camhub.hostname.com/repos
>> Error validating server certificate for
>> 'https://camhub.hostname.com:443':
>> - The certificate is not issued by a trusted authority. Use the
>> fingerprint to validate the certificate manually!
>> - The certificate hostname does not match.
>> Certificate information:
>> - Hostname: localhost.localdomain
>> - Valid: from Jun 5 13:54:58 2007 GMT until Jun 4 13:54:58 2008 GMT
>> - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
>> SomeState, --
>> - Fingerprint:
>> 87:eb:e1:c4:e3:c4:66:4c:e8:6a:24:3a:bb:24:4a:73:6d:76:5e:2e
>> (R)eject, accept (t)emporarily or accept (p)ermanently? p
Just to make this absolutely clear, the above error messages have
*absolutely* nothing to do with LDAP. If you want to use a self-signed
certificate, you should make sure to follow exactly the same rules for
an external CA signed certificate:
1) the hostname for that server must be set up correctly in DNS;
2) the certificate CN (Common Name) must match the hostname from #1.
Accepting the cert permanently will only really deal with the "not
issued by a trusted authority" piece; you will probably still get errors
for the "certificate hostname does not match" problem. It is easy
enough to set things up correctly. I use an internal CA to sign
certificates for internal sites and distribute the public-CA file to all
of our internal users.
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
>> Password for 'dan':
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
>> Username: dan
>> Password for 'dan':
>> Authentication realm: <https://camhub.hostname.com:443> Subversion repos
To resolve /this/ problem, what you should do is to get an LDAP client of
some sort and attempt to authenticate outside of Subversion. Only when
you confirm that you have LDAP configured correctly to allow remote
logins should you then try to use LDAP with Subversion. I suspect that
you are searching on the wrong attribute (I think the default is CN, but
you may need to use UID instead). FWIW, we are authenticating against a
Novell eDirectory instance using LDAP just fine.
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
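Added example (not part of John Peacock's message or of any project's code): one way to run the "authenticate outside of Subversion" test is to turn the AuthLDAPURL value into the equivalent ldapsearch lookup, so the attribute being searched is visible. The function name is hypothetical; the defaults applied for a missing attribute, scope and filter are those documented for mod_authnz_ldap, and the sample inputs are constructed from the configuration posted above.

```shell
#!/bin/sh
# Added example (not from the thread): print the ldapsearch command that
# mirrors the user lookup Apache performs for an AuthLDAPURL and login name.
# AuthLDAPURL syntax: ldap[s]://host:port/basedn?attribute?scope?filter

authldapurl_to_ldapsearch() (   # subshell body keeps variables local
    url=$1 user=$2

    # Allowlist the login name so it cannot change the LDAP filter.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe login name" >&2; exit 2 ;;
    esac

    scheme=${url%%://*}
    case $scheme in
        ldap|ldaps) ;;
        *) echo "not an ldap:// or ldaps:// URL" >&2; exit 2 ;;
    esac

    rest=${url#*://}
    hostport=${rest%%/*}
    case $rest in
        */*) path=${rest#*/} ;;
        *)   path= ;;
    esac

    # Split basedn?attribute?scope?filter; empty fields stay empty.
    IFS='?' read -r base attr scope filter <<EOF
$path
EOF

    attr=${attr%%,*}          # only the first listed attribute is used
    attr=${attr:-uid}         # mod_authnz_ldap falls back to uid
    case $scope in one) ;; *) scope=sub ;; esac
    filter=${filter:-"(objectClass=*)"}
    case $filter in "("*) ;; *) filter="($filter)" ;; esac

    printf 'ldapsearch -x -H %s://%s -b "%s" -s %s "(&%s(%s=%s))" dn\n' \
        "$scheme" "$hostport" "$base" "$scope" "$filter" "$attr" "$user"
)

# Constructed inputs: the URL from the posted config, then the same URL
# with cn named explicitly as the search attribute.
authldapurl_to_ldapsearch 'ldaps://127.0.0.1:636/ou=People,dc=camhub,dc=com' dan
authldapurl_to_ldapsearch 'ldaps://127.0.0.1:636/ou=People,dc=camhub,dc=com?cn' dan
```

Run the printed command on the server: if it returns no entry, the attribute in the URL is not the one that holds login names in the directory. When it does return a DN, `ldapwhoami -x -H <same URL> -D "<that DN>" -W` checks the password with a simple bind.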
Re: subversion + openldap
Posted by Dan Bahena <da...@optionmonster.com>.
Anybody that has experience doing this kind of setup?
Thanks!