Posted to users@subversion.apache.org by Daniel F Garcia <dg...@kobold.com.au> on 2004/04/30 04:52:33 UTC
Active Directory authentication for Subversion
I'm trying to set up Active Directory authentication, but am not having any
luck. This is what I have done so far.
Setup a link from /etc/apache2/mods-available/auth_ldap.load to
/etc/apache2/mods-enabled/auth_ldap.load
Edited /etc/apache2/sites-enabled/svn with the following details
NameVirtualHost svn.kobold.local:80
<VirtualHost svn.kobold.local:80>
    ServerAdmin webmaster@localhost
    <IfModule mod_dav_svn.c>
        <Location / >
            DAV svn
            SVNPath /var/lib/svn
            AuthLDAPAuthoritative on
            AuthType Basic
            AuthName "Subversion Repository"
            LDAP_Server 10.2.2.1
            LDAP_Port 389
            Bind_DN cn=XXXXXXXXX,cn=Users,dc=kobold,dc=local
            Bind_Pass XXXXXXXXX
            Base_DN "OU=Staff,DC=kobold,DC=local"
            Require valid-user
            UID_Attr cn
            #AuthUserFile /etc/apache2/dav_svn.passwd
            SVNIndexXSLT "/Group/Business%20Support/IT/Subversion/svn.xsl"
        </Location>
    </IfModule>
    ErrorLog /var/log/apache2/svnerror.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/svnaccess.log combined
    ServerSignature On
</VirtualHost>
I then did an /etc/init.d/apache2 restart and it complained about the
LDAP_Server line. I double checked the documentation and LDAP_Server is the
right setting name.
Also, is there a way for read-only access to be available to everyone (i.e.
don't prompt for a password), but commit and other repository modifications
requiring authentication?
Daniel F Garcia
Project manager
Mobile: 0438 670 947
Phone: 07 5461 1120
Email: dgarcia@kobold.com.au
Address: 4 Lloyd George Street, Eastern Heights QLD 4305
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Active Directory authentication for Subversion
Posted by Chris Jensen <cj...@edex.com.au>.
Daniel F Garcia wrote:
> I'm trying to set up Active Directory authentication, but am not
> having any luck. This is what I have done so far.
I never had any luck with LDAP against Active Directory either.
I ended up going with mod_auth_external, had it talk to PAM which in
turn uses Samba to auth against Active Directory - works fine, and was
much easier to set up than LDAP.
--
---------------------------------------------------------------------
Chris Jensen cjensen@edex.com.au
Educational Experience (Australia)
Postal Address: PO Box 860, Newcastle NSW 2300
Freecall: 1-800-025 270 International: +61-2-4923 8222
Fax: (02) 4942 1991 International: +61-2-4942 1991
Visit our online Toy store! http://www.toysandmore.com.au/
---------------------------------------------------------------------
Re: Active Directory authentication for Subversion
Posted by Dominic Anello <da...@danky.com>.
On 2004-05-01 14:30:17 +1000, Daniel F Garcia wrote:
> Thank you, thank you this worked really well. Also I replaced your
> Limitexcept block with
>
> <LimitExcept GET>
> Require valid-user
> </LimitExcept>
>
> And now web browsing doesn't require authentication, but everything else
> does.
----8<----
Glad it worked. <LimitExcept MERGE> is required if you have something
like this in your AuthzSVN config file:
-------------------------
[/]
fred = r
[/foo]
fred = rw
[/bar]
fred = rw
-------------------------
Then if user fred tries to do something like:
$ svn cp http://server/svn/foo/baz http://server/svn/bar/baz -m "test"
He will get access denied by authz because svn sends a MERGE to the
common parent of /foo and /bar. The <LimitExcept> prevents MERGE
requests from being checked. I don't know if it has any security side
effects, but my repo is on an intranet anyway, so I'm not too concerned
about users hand-crafting malicious MERGE requests.
--
Current soundtrack: 'Kimya Dawson - My Cute Friend Sweet Princess - 6 -
The Beer'
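
Added example, not part of any message in this thread: a small Python check that reports which WebDAV methods a <Location> block leaves without a Require line, run over the two <LimitExcept> variants discussed in the thread and one constructed variant. The method lists, function names and sample blocks are assumptions of this example; HEAD is treated as exempt wherever GET is named, as Apache does.

```python
import re

# Methods mod_dav / mod_dav_svn may receive (an assumption of this example).
READ = {"OPTIONS", "GET", "HEAD", "PROPFIND", "REPORT"}
WRITE = {"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE",
         "LOCK", "UNLOCK", "CHECKOUT", "MKACTIVITY", "MERGE"}
ALL = READ | WRITE

def methods_without_require(block):
    """Return the methods that no Require line in the block applies to."""
    covered, scope = set(), ALL
    for raw in block.splitlines():
        line = raw.strip()
        m = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>$", line, re.I)
        if m:
            named = {w.upper() for w in m.group(2).split()}
            if "GET" in named:
                named.add("HEAD")          # Apache handles HEAD together with GET
            is_limit = m.group(1).lower() == "limit"
            scope = (named & ALL) if is_limit else (ALL - named)
        elif re.match(r"</Limit(Except)?>$", line, re.I):
            scope = ALL                    # back to "applies to every method"
        elif re.match(r"Require\s+\S", line, re.I):
            covered |= scope
    return ALL - covered

def audit(block):
    """Split the unauthenticated methods into read and write groups."""
    anon = methods_without_require(block)
    return {"anonymous_write": sorted(anon & WRITE),
            "anonymous_read": sorted(anon & READ),
            "read_needing_login": sorted(READ - anon)}

def location(limit_except):
    # Constructed sample: only the directives that matter for the check.
    return ("<Location /ec-svn>\nDAV svn\nAuthType Basic\n"
            f"<LimitExcept {limit_except}>\nRequire valid-user\n"
            "</LimitExcept>\n</Location>")

MERGE_CFG = location("MERGE")                       # variant from the thread
GET_CFG = location("GET")                           # variant from the thread
READ_CFG = location("GET PROPFIND OPTIONS REPORT")  # constructed variant

if __name__ == "__main__":
    for name, cfg in [("MERGE", MERGE_CFG), ("GET", GET_CFG), ("read set", READ_CFG)]:
        print(name, audit(cfg))
```

With <LimitExcept GET> only GET and HEAD are anonymous, so browsing works without a login while the OPTIONS, PROPFIND and REPORT requests an svn client sends for a checkout still prompt; with <LimitExcept MERGE> the one method left without a Require line is a write method.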
RE: Active Directory authentication for Subversion
Posted by Daniel F Garcia <dg...@kobold.com.au>.
Thank you, thank you this worked really well. Also I replaced your
Limitexcept block with
<LimitExcept GET>
Require valid-user
</LimitExcept>
And now web browsing doesn't require authentication, but everything else
does.
Daniel.
-----Original Message-----
From: Dominic Anello [mailto:danello@danky.com]
Sent: Saturday, 1 May 2004 1:53 PM
To: users@subversion.tigris.org
Subject: Re: Active Directory authentication for Subversion
On 2004-04-30 14:52:33 +1000, Daniel F Garcia wrote:
> I'm trying to set up Active Directory authentication, but am not having
> any luck. This is what I have done so far.
----8<---
Hi - just implemented this. Assuming you have mod_auth_ldap installed the
following should work:
<Location /ec-svn>
    DAV svn
    SVNPath "/usr/local/svn/ec-svn/repo"
    AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"
    AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ISOLUTION\danello"
    AuthLDAPBindPassword XXXXXXXX
    AuthType Basic
    AuthName "eCommerce SVN repository"
    <LimitExcept MERGE>
        Require valid-user
    </LimitExcept>
</Location>
Where hoth is the AD server, ISOLUTION is the Windows domain and idx.com is
the internet domain.
I'm not an LDAP guru, I just Googled for LDAP Apache Active Directory and
adopted the info found at the page below for my own use.
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes
Good luck!
--
Current soundtrack: 'Kinnie Star - Tidy - 02 - Ophelia'
Re: Active Directory authentication for Subversion
Posted by Dominic Anello <da...@danky.com>.
On 2004-04-30 14:52:33 +1000, Daniel F Garcia wrote:
> I'm trying to set up Active Directory authentication, but am not having any
> luck. This is what I have done so far.
----8<---
Hi - just implemented this. Assuming you have mod_auth_ldap installed
the following should work:
<Location /ec-svn>
    DAV svn
    SVNPath "/usr/local/svn/ec-svn/repo"
    AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"
    AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ISOLUTION\danello"
    AuthLDAPBindPassword XXXXXXXX
    AuthType Basic
    AuthName "eCommerce SVN repository"
    <LimitExcept MERGE>
        Require valid-user
    </LimitExcept>
</Location>
Where hoth is the AD server, ISOLUTION is the Windows domain and idx.com
is the internet domain.
I'm not an LDAP guru, I just Googled for LDAP Apache Active Directory
and adopted the info found at the page below for my own use.
http://www.wlug.org.nz/ActiveDirectoryAuthenticationNotes
Good luck!
--
Current soundtrack: 'Kinnie Star - Tidy - 02 - Ophelia'