Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication

Tags:

svn

apache

active-directory

ldap

apache2

I am attempting to setup Apache httpd with LDAP access for Subversion, and need a bit of help:

What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.

The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM) 

CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com

and the members of the group are in this record like this:

member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM

If you look up my record in LDAP, you'll see:

memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub

What I'd like to do is to login as dweintraub (which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany domain.

I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.

Which reminds me, can anyone recommend a good Apache book?

like image 356
David W. Avatar asked Apr 13 '11 17:04

David W.

1 Answers

If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

Here is the minimum needed for AD ldap authentication and authorization:

<Location /path/to/repo/>
    AuthType basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    Require ldap-group DN of group allowed access to repo
</Location>

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.

like image 141
jbruni Avatar answered Oct 20 '22 04:10

jbruni
Sign in to Comment

Related questions

Designer.cs files and source control
In SharpSvn, what's SvnClient.getinfo return value?
Jenkins - passing updated revision to downstream jobs
SVN CornerStone Error: Can not commit file
Commits to SVN branches affects trunk as well
Find a specific SVN commit by comment and/or author
tortoise svn filter logs by revisions
What's the difference between Subclipse Get Contents and Get Revision?
How to generate documentation by running a command with every svn commit
How to combine SVN commits?
svn log missing revisions
How can I access the commited file from a Subversion pre-commit hook in Perl?
Hide a string in a file before git commit
git svn windows linux whitespace problems
Can Subversion report the percentage of code changed over time?
Subclipse: Updating Change Sets for SVNStatusSubscriber (UPDATED - clock sync issue)
Configure vim-diff to show different colors when using it for svn-diff
Don't show .svn folders in Eclipse
Server certificate verification failed
Local only, revision/version/source control

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!