Reputation: 3899
I'm trying to use LDAP authentication for a Subversion repository, accessed via Apache HTTP Server. Whatever I try, Apache generates the following error message:
authentication failed; URI /repos/branches/my-branch [ldap_search_ext_s() for user failed][Operations Error]
I've used the AD explorer from Sysinternals to connect to my AD server, and can see data in there, so I presume it's a problem with my LDAP URL search string. I've tried several variations, but always get the above error. Here's what I have in my httpd.conf. Any suggestions or ideas to diagnose this would be appreciated.
<Location /repos>
DAV svn
SVNPath C:\repos
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthName "IT Subversion repository"
AuthLDAPURL "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
Require valid-user
</Location>
Upvotes: 4
Views: 9541
Reputation: 56
You might want to try running your search through ldapsearch on the command line, as it provides more information when facing an error:
ldapsearch -x -b "base_dn" -H "ldap_url" [search term]
In my case when I faced the same error, I needed to make a user binding in order to get access to the directory and carry out a search.
Upvotes: 0
Reputation: 61
My problem was solved by changing the port from 389 to 3268. Port 389 looks only at the Local Directory, but 3268 looks at the Global Directory. What is confusing is that in an LDAP browser (JXplorer, for example) both ports work properly.
Upvotes: 3
Reputation: 11
Had the same problem; you need to specify this in /etc/ldap/ldap.conf:
REFERRALS off
Solved my problem.
Upvotes: 1
Reputation: 111
I had something similar, although stranger. At first it worked when testing, but after some Apache restarts and configuration fine-tuning it stopped working.
After a long search on the internet, it appears I had to change the port from 389 to 3268. This solved my "[ldap_search_ext_s() for user failed][Operations Error]" errors for some reason. I still don't understand why, or why it worked at first, but it did for me.
Upvotes: 1
Reputation: 19
LDAPReferrals just plain didn't exist in earlier versions, so there's nothing to turn off, really...
I guess if you managed to match a newer LDAP/Apache which has LDAP Referral as an option, and were trying to use an older AD, you'd have to turn it off.
For anybody else finding this, you should try these in order:
telnet YOUR_AD_SERVER 389
Either you get a connection and something like "Escape character is ~", or you've got the wrong name/IP for your AD, or your firewalls are blocking access from your computer to AD on port 389.
Next, install the openldap command line tools, openldap-clients, and see if you can use ldapsearch (read the man page) to perform a search directly to your AD server, without Apache in the middle.
Upvotes: 0
Reputation: 162
I had this problem recently; you need to add 3 additional parameters:
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
AuthLDAPBindPassword some_secret_password
Like jgnagy suggested. It also helped me when I added
Satisfy Any
Upvotes: 0
Reputation: 171
It appears that you're using Active Directory, which does not allow anonymous binding. Try adding the following:
# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account.
AuthLDAPBindDN "CN=someuser,CN=Users,DC=y,DC=z,DC=com"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword some_secret_password
Upvotes: 1
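A small diagnostic helper, added here as an example and not part of the question or any of the answers above: it parses an AuthLDAPURL string the way mod_authnz_ldap reads it (host, port, base DN, attribute, scope, filter, with the module's documented defaults for omitted fields) and turns it into the equivalent ldapsearch command line that the answers above suggest running outside Apache, including the -D bind DN that Active Directory requires. It also escapes the user name per RFC 4515 before placing it in the filter, so a crafted name cannot rewrite the search. The URL, user name and bind DN values are constructed from the question; the hint texts restate the points made in the answers (anonymous binds, port 3268, clear-text ldap://).

```python
import shlex
from urllib.parse import urlsplit, unquote

# Sample values constructed from the question above (not a real directory).
EXAMPLE_URL = "ldap://x.y.z.com:389/DC=y,DC=z,DC=com?sAMAccountName?sub?(objectClass=user)"
EXAMPLE_BIND_DN = "CN=someuser,CN=Users,DC=y,DC=z,DC=com"

# Characters that must be escaped inside an LDAP filter value (RFC 4515), so a
# user name like "a*)(b" cannot alter the meaning of the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for safe use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (scheme://host[:port]/basedn?attribute?scope?filter)
    into its parts, applying mod_authnz_ldap's defaults for omitted fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("AuthLDAPURL has no host")
    # urlsplit puts everything after the first '?' into .query; the remaining
    # '?'-separated fields are attribute, scope and filter.
    fields = parts.query.split("?") if parts.query else []
    attribute, scope, filt = (fields + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": unquote(filt) if filt else "(objectClass=*)",
    }


def ldapsearch_command(url, username, bind_dn=None):
    """Build the ldapsearch argv that performs the same user lookup Apache does."""
    p = parse_auth_ldap_url(url)
    # mod_authnz_ldap ANDs the configured filter with (attribute=username).
    user_filter = "(&%s(%s=%s))" % (p["filter"], p["attribute"], escape_filter_value(username))
    argv = ["ldapsearch", "-x",
            "-H", "%s://%s:%d" % (p["scheme"], p["host"], p["port"]),
            "-b", p["base_dn"], "-s", p["scope"]]
    if bind_dn:
        # -W prompts for the password, keeping it out of the process list and shell history.
        argv += ["-D", bind_dn, "-W"]
    argv += [user_filter, "dn", p["attribute"]]
    return argv


def diagnostic_hints(url, bind_dn=None):
    """Return the checks the answers above point at, for this configuration."""
    p = parse_auth_ldap_url(url)
    hints = []
    if not bind_dn:
        hints.append("no bind DN: Active Directory rejects anonymous searches; "
                     "set AuthLDAPBindDN and AuthLDAPBindPassword")
    if p["port"] == 389:
        hints.append("port 389 queries a single domain; for accounts elsewhere in the "
                     "forest try the global catalog on port 3268")
    if p["scheme"] == "ldap":
        hints.append("ldap:// sends the bind password in clear text; prefer ldaps:// "
                     "(port 636) where the domain controller supports it")
    return hints


if __name__ == "__main__":
    print(shlex.join(ldapsearch_command(EXAMPLE_URL, "jdoe", bind_dn=EXAMPLE_BIND_DN)))
    for hint in diagnostic_hints(EXAMPLE_URL, bind_dn=EXAMPLE_BIND_DN):
        print("hint:", hint)
```

Run it with your own AuthLDAPURL and bind DN, then execute the printed ldapsearch line; if it returns the user's DN, the URL is fine and the remaining suspects are the bind credentials or the port, as the answers above describe.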