Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication

I am attempting to set up Apache httpd with LDAP access for Subversion, and need a bit of help:

What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.

The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM) is:

CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com

and the members of the group are in this record like this:

member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM

If you look up my record in LDAP, you'll see:

memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub

What I'd like to do is to log in as dweintraub (which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany domain.

I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.

Which reminds me, can anyone recommend a good Apache book?

David W., asked Apr 13 '11 17:04


1 Answer

If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

Here is the minimum needed for AD LDAP authentication and authorization:

<Location /path/to/repo/>
    AuthType basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    Require ldap-group DN of group allowed access to repo
</Location>

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.

jbruni, answered Oct 20 '22 04:10
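The answer's template filled in with the details from the question, as an added example that is not code from the question or the answer. The base DN, the group DN and the fact that the group lists members by full DN in its "member" attribute come from the question; the hostname, the service-account DN and password placeholder, the CA file path, the module paths and the repository path /var/svn/repo are assumptions. It targets Apache 2.2 (as the answer does) with mod_ssl, mod_dav and mod_dav_svn also loaded, and uses the global catalog's SSL port 3269 rather than the answer's plaintext 3268, because the bind carries the user's Windows domain password.

```apacheconf
# Added example: the answer's template filled in with the base DN, group DN
# and "member" attribute layout from the question. The hostname, service
# account, CA file, module paths and repository path are assumptions.
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule dav_module          modules/mod_dav.so
LoadModule dav_svn_module      modules/mod_dav_svn.so

# CA that issued the domain controllers' certificates (assumed path), so the
# bind that carries the user's Windows password is encrypted and the server
# is verified rather than trusted blindly.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /svn>
    DAV svn
    # Assumed repository path on the Apache host.
    SVNPath /var/svn/repo

    # Basic auth sends the Windows password with every request, so refuse
    # plain HTTP for this location (needs mod_ssl and a <VirtualHost> on 443).
    SSLRequireSSL

    AuthType Basic
    AuthName "Subversion repository"
    AuthBasicProvider ldap

    # Global catalog over SSL (3269) searched from the domain root; users log
    # in with the bare sAMAccountName ("dweintraub"), no DOMAIN\ prefix.
    # The filter keeps group objects, which also carry sAMAccountName, out of
    # the match.
    AuthLDAPURL "ldaps://ldap.MyCompany.com:3269/DC=MyCompany,DC=com?sAMAccountName?sub?(objectClass=user)" SSL

    # Read-only service account (assumed DN) used only to find the user's DN
    # before Apache binds as the user; its password sits in this file, so the
    # file must not be readable by unprivileged users.
    AuthLDAPBindDN "CN=svc-httpd-ldap,CN=Users,DC=MyCompany,DC=com"
    AuthLDAPBindPassword "replace-with-service-account-password"

    # The group from the question stores members' full DNs in "member"; the
    # DN Apache compares is the one it found for the user during login.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Apache 2.2: a failed group check must deny outright rather than fall
    # through to another authorization module.
    AuthzLDAPAuthoritative on

    # Unquoted, as the answer says; this is the group record from the question.
    Require ldap-group CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
</Location>
```

After restarting httpd, check both halves of the rule: `svn ls https://host/svn` as a member of SVN-GROUP should list the repository, and the same command as a valid domain account that is not in the group must be refused (HTTP 401 after the group check fails), which is what distinguishes group authorization from plain LDAP authentication.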