I am attempting to setup Apache httpd with LDAP access for Subversion, and need a bit of help:
What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.
The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)
CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
and the members of the group are in this record like this:
member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM
If you look up my record in LDAP, you'll see:
memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub
What I'd like to do is to login as dweintraub
(which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany
domain.
I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.
Which reminds me, can anyone recommend a good Apache book?
If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.
Here is the minimum needed for AD ldap authentication and authorization:
<Location /path/to/repo/>
AuthType basic
AuthName "My Repository"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "DN of service account allowed to search"
AuthLDAPBindPassword "Password of service account allowed to search"
Require ldap-group DN of group allowed access to repo
</Location>
For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With