[users@httpd] Group authentication to AD

[Patricia A Moss <pm...@csc.com>]

I am having a problem with apache authenticating using an ldap group. I 
have version 2.2.3, of httpd, installed. 

My location block is configured as below:
<Location /test_repo>
dav svn
SVNPath /disk01/home/test_repo
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthzLDAPAuthoritative on
Require valid-user
Require ldap-group CN=Active_Directory Group 
Name,OU=U.S.,OU=Groups,DC=domain,DC=com
#Require ldap-user pmoss
</Location>
 
I've configured my aliases, in my http.conf file, as follows:
<AuthnProviderAlias ldap ldap-FCGNET>
        AuthLDAPBindDN FCGNET\account_name
        AuthLDAPBindPassword xxxxxxxxxx
        AuthLDAPURL 
ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-VIET>
        AuthLDAPBindDN "CN=account_name,OU=Service 
Accounts,OU=Users,OU=Production,DC=domain,DC=com"
        AuthLDAPBindPassword xxxxxxxxx
        AuthLDAPURL 
ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>


My goal(s):
 1. Allow only 1 specific, Active Directory, group access to the 
repository.
 2. Simultaneously, allow a single user account, that is not a member of 
the group, access to the repository


My attempts:
1. Configuration, as above, allows any valid user access to the 
repository; whether they are a member of the group or not.

2. If I remove "Require valid-user" then I receive an error when 
attempting access the repository and the error.log is as follows:
[Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(377): [client 
20.8.xxx.18x] [27994] auth_ldap authenticate: using URL 
ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
[Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(474): [client 
20.8.xxx.18x] [27994] auth_ldap authenticate: accepting pmoss
[Mon Nov 15 14:38:15 2010] [crit] [client 20.8.232.187] configuration 
error:  couldn't check access.  No groups file?: /test_repo/

3. I tried a "LimitExcept" block, shown below.
<Location /test_repo>
dav svn
SVNPath /disk01/home/test_repo
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthzLDAPAuthoritative on
#Require valid-user
# Limit R/W access to specified AD group
<LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=Active_Directory Group 
Name,OU=U.S.,OU=Groups,DC=domain,DC=com
</LimitExcept>
#Require ldap-user pmoss
</Location>
I could successfully gain access to the repository, and I am not a member 
of the group.

4. I uncommented the "Require valid-user" line and was, again, successful 
in attempting access; and I am not a member of the group.

5. If I change the AuthzLDAPAuthoritative to off, I can still gain access 
to the repository. 


In my httpd.conf, I have the following modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule alias_module modules/mod_alias.so


I've been searching around for answers but nothing seems to be solving my 
problem. 

I believe I have all the modules loaded that need to be there. 
I am not sure what I may be missing from my configuration or what may be 
mis-configured.  Hopefully someone can help me in achieving the goals.

 Thanks in advance.

PATI MOSS
System Engineer Sr. Professional
CSC