Posted to users@subversion.apache.org by "Snay, Marc" <Ma...@turner.com> on 2006/09/11 14:31:27 UTC
LDAP
Hi,
I am a new subscriber to the mailing list, so please forgive me if this
has been solved before...
I am trying to configure my Subversion 1.3 running on Ubuntu 6.06 to use
LDAP authentication. I have found a couple of sites through Google that
offer how-to's on this, but none of them have solved my problem yet. I
have also run my configuration and resulting error message through our
'LDAP gurus' and all I get back is 'sorry, I don't know anything about
Subversion' or 'sorry, I don't know anything about DAV'.
The error message I get is:
[Mon Aug 21 15:08:41 2006] [warn] [client xxx.xxx.xxx.xxx] [18875]
auth_ldap authenticate: user xxx authentication failed; URI
/svn/!svn/act/4630029f-3bd4-b14f-9fe5-4bb880f9ebdf [LDAP:
ldap_simple_bind_s() failed][Invalid credentials]
Here is a snippet of my apache2 conf file that deals with setting up the
/Location
<Location /svn>
DAV svn
SVNPath /repository
AuthType Basic
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "SVN Repository"
AuthLDAPURL "ldap://servername.company.com:389/"
AuthLDAPBindDN "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
AuthLDAPBindPassword "xxxxx"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
My problem might be specific to my company in the CN and DC names, but
I've run those by multiple people internally and they feel that all of
that information is correct. Based on the ldap_simple_bind_s() error
message, I'm not even sure it's getting to that point before failing.
Any ideas?
Thanks,
Marc
RE: LDAP
Posted by "Snay, Marc" <Ma...@turner.com>.
Great, thank you everyone for your responses on this issue...
I just got it fixed. I ended up having an error in the
/etc/ldap/ldap.conf file. Once I added the proper URI and BASE settings
to that file, and made the changes that this list recommended, it works
now.
Marc
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: LDAP
Posted by Christian Neumair <ch...@gnome-de.org>.
Am Montag, den 11.09.2006, 10:31 -0400 schrieb Snay, Marc:
> Hi,
>
>
>
> I am a new subscriber to the mailing list, so please forgive me if
> this has been solved before…
>
>
>
> I am trying to configure my Subversion 1.3 running on Ubuntu 6.06 to
> use LDAP authentication. I have found a couple of sites through
> Google that offer how-to’s on this, but none of them have solved my
> problem yet. I have also run my configuration and resulting error
> message through our ‘LDAP gurus’ and all I get back is ‘sorry, I don’t
> know anything about Subversion’ or ‘sorry, I don’t know anything about
> DAV’.
>
>
>
> The error message I get is:
>
>
>
> [Mon Aug 21 15:08:41 2006] [warn] [client xxx.xxx.xxx.xxx] [18875]
> auth_ldap authenticate: user xxx authentication failed; URI /svn/!
> svn/act/4630029f-3bd4-b14f-9fe5-4bb880f9ebdf [LDAP:
> ldap_simple_bind_s() failed][Invalid credentials]
>
>
>
> Here is a snippet of my apache2 conf file that deals with setting up
> the /Location
>
>
>
> <Location /svn>
>
> DAV svn
>
> SVNPath /repository
>
> AuthType Basic
>
> Options Indexes FollowSymLinks
>
> AllowOverride None
>
> order allow,deny
>
> allow from all
>
> AuthName "SVN Repository"
>
> AuthLDAPURL "ldap://servername.company.com:389/"
>
> AuthLDAPBindDN
> "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
>
> AuthLDAPBindPassword "xxxxx"
>
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>
> Require valid-user
>
> </LimitExcept>
>
> </Location>
>
>
>
> My problem might be specific to my company in the CN and DC names, but
> I’ve run those by multiple people internally and they feel that all of
> that information is correct. Based on the ldap_simple_bind_s() error
> message, I’m not even sure it’s getting to that point before failing.
First of all, maybe you should add a
Satisfy all
directive to ensure that nobody is granted access by the "access all"
directive without checking for the valid user auth.
Also ensure that the specified bind dn is really valid.
Your error message seems to be quite unambiguous, so the specified DN
does not exist. You may want to replace
"CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
by
"cn=authorized_user_name,ou=Users,dc=company_name,dc=com".
I've never checked back whether the "subkeys" are case-sensitive, the
"cn"=>"ou" change is probably the key point.
BTW: Assuming that you use simple auth, you can check the validity of
DNs using a dummy query like
ldapsearch -x -D \
"CN=authorized_user_name,CN=Users,DC=company_name,DC=com" -W
If you are in a replicated LDAP environment, a -h argument might also be
required.
Note that I've listed various pitfalls, while I strongly suppose the
"ou" issue is relevant here, but this email might serve as a good
reference for LDAP/SVN/Apache issues for mailing list archives.
--
Christian Neumair <ch...@gnome-de.org>
Re: LDAP
Posted by sv...@mobsol.be.
Some time ago I sent our ldap configuration to this list, you can find it here:
http://svn.haxx.se/users/archive-2005-12/1124.shtml
Quoting "Snay, Marc" <Ma...@turner.com>:
> Here is a snippet of my apache2 conf file that deals with setting up the
> <Location /svn>
> DAV svn
> SVNPath /repository
> AuthType Basic
> Options Indexes FollowSymLinks
> AllowOverride None
> order allow,deny
> allow from all
> AuthName "SVN Repository"
> AuthLDAPURL "ldap://servername.company.com:389/"
> AuthLDAPBindDN
> "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
> AuthLDAPBindPassword "xxxxx"
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require valid-user
> </LimitExcept>
> </Location>
I see a difference in AuthLDAPURL, which should contain a query for a certain
type of user. AuthLDAPEnabled and AuthLDAPAuthoritative are default on so you
don't need to specify them explicitly.
Lieven.
Re: LDAP
Posted by Frank Gruman <fg...@verizon.net>.
Snay, Marc wrote:
>
> Hi,
>
>
>
> I am a new subscriber to the mailing list, so please forgive me if
> this has been solved before...
>
>
>
> I am trying to configure my Subversion 1.3 running on Ubuntu 6.06 to
> use LDAP authentication. I have found a couple of sites through
> Google that offer how-to's on this, but none of them have solved my
> problem yet. I have also run my configuration and resulting error
> message through our 'LDAP gurus' and all I get back is 'sorry, I don't
> know anything about Subversion' or 'sorry, I don't know anything about
> DAV'.
>
>
>
> The error message I get is:
>
>
>
> [Mon Aug 21 15:08:41 2006] [warn] [client xxx.xxx.xxx.xxx] [18875]
> auth_ldap authenticate: user xxx authentication failed; URI
> /svn/!svn/act/4630029f-3bd4-b14f-9fe5-4bb880f9ebdf [LDAP:
> ldap_simple_bind_s() failed][Invalid credentials]
>
>
>
> Here is a snippet of my apache2 conf file that deals with setting up
> the /Location
>
>
>
> <Location /svn>
>
> DAV svn
>
> SVNPath /repository
>
> AuthType Basic
>
> Options Indexes FollowSymLinks
>
> AllowOverride None
>
> order allow,deny
>
> allow from all
>
> AuthName "SVN Repository"
>
> AuthLDAPURL "ldap://servername.company.com:389/"
>
> AuthLDAPBindDN "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
>
> AuthLDAPBindPassword "xxxxx"
>
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>
> Require valid-user
>
> </LimitExcept>
>
> </Location>
>
>
>
> My problem might be specific to my company in the CN and DC names, but
> I've run those by multiple people internally and they feel that all of
> that information is correct. Based on the ldap_simple_bind_s() error
> message, I'm not even sure it's getting to that point before failing.
>
>
>
> Any ideas?
>
>
>
> Thanks,
>
> Marc
>
Your AuthLDAPURL is not complete. You need to stretch it all the way
out, including specifying what value to search for and do authentication
against.
Here is just the LDAP portion of my configuration :
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://my.domain.int:3268/dc=my,dc=domain,dc=int?sAMAccountName??(objectClass=*)
AuthLDAPBindDN "CN=ldap_user,OU=CS Users,OU=CS,DC=my,DC=domain,DC=int"
AuthLDAPBindPassword passwd_without_quotes_or_spaces
Note - I am using my global catalog port rather than the LDAP port
because there is a separate issue with references in LDAP that affects me.
Regards,
Frank
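
Added example (not part of any message in this thread, and not Apache's own code): a small Python check that splits an AuthLDAPURL value into the host/basedn?attribute?scope?filter parts the replies above refer to and reports what is left out. The fallback values are mod_auth_ldap's documented defaults; the function names are made up for this example.

```python
from urllib.parse import unquote

# Added example; function names are illustrative, not an Apache API.
# Defaults mod_auth_ldap applies when a URL component is left out.
DEFAULTS = {"attribute": "uid", "scope": "sub", "filter": "(objectClass=*)"}

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL value into its RFC 2255 parts."""
    url = url.strip().strip('"')
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    fields = tail.split("?") + [""] * 4   # basedn?attribute?scope?filter
    basedn, attribute, scope, flt = (unquote(f) for f in fields[:4])
    return {
        "scheme": scheme.lower(),
        "hostport": hostport,
        "basedn": basedn,
        "attribute": attribute.split(",")[0],   # only the first one is used
        "scope": scope,
        "filter": flt,
    }

def lint_auth_ldap_url(url):
    """Return a list of findings for one AuthLDAPURL value."""
    p = parse_auth_ldap_url(url)
    findings = []
    if not p["basedn"]:
        findings.append("no base DN: the URL does not say where the user search starts")
    for key, default in DEFAULTS.items():
        if not p[key]:
            findings.append("%s not set: falls back to %s" % (key, default))
    if p["scheme"] == "ldap":
        findings.append("ldap:// scheme: simple binds are unencrypted unless TLS is negotiated separately")
    return findings

# URLs copied from the thread (host names are the posters' placeholders).
ORIGINAL = '"ldap://servername.company.com:389/"'
FRANK = "ldap://my.domain.int:3268/dc=my,dc=domain,dc=int?sAMAccountName??(objectClass=*)"

if __name__ == "__main__":
    for label, url in (("original", ORIGINAL), ("Frank's", FRANK)):
        print(label, url)
        for finding in lint_auth_ldap_url(url) or ["no findings"]:
            print("  -", finding)
```

Run against the two URLs from the thread, the original value is reported as having no base DN and no search attribute, while Frank's only leaves the scope to its default.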