letimome

Reputation: 936

OpenLDAP and SVN on MAC OS X without Kerberos

Hi all! I have an SVN server (running on Mac OS X El Capitan). I have also configured OpenLDAP, so that when users access the SVN server with a username and password, they access SVN repositories upon success (w.r.t. OpenLDAP database entries).

However, when users try to log in to the SVN server, authentication fails. I ran slapd in debug mode to figure out what is going wrong. I found out that the user and password match the LDAP database entries. However, what I additionally found is that it tries to authenticate users with Kerberos. I only want SVN & LDAP. Does anyone know how I can disable Kerberos from attempting to authenticate?
Thanks in advance! Leticia

httpd.conf snippet (Apache 2.4):

<Location /svn/Thesis>
DAV svn
SVNPath /var/svn/repositories/Thesis
AuthType Basic
AuthName "Repository"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=Manager,dc=company,dc=org"
AuthLDAPBindPassword pasword1
AuthLDAPURL ldap://158.227.115.33:389/dc=company,dc=org?cn?sub?(objectclass=*)
Require ldap-group cn=ActiveMember,ou=Groups,o=company,dc=company,dc=org
</Location>

slapd.conf

include         /private/etc/openldap/schema/core.schema
include         /private/etc/openldap/schema/cosine.schema
include         /private/etc/openldap/schema/inetorgperson.schema
include         /private/etc/openldap/schema/nis.schema
include         /private/etc/openldap/schema/samba.schema

modulepath      /usr/libexec/openldap
moduleload      back_bdb.la

# rootdn can always read and write EVERYTHING!
access to dn.subtree="o=company,dc=company,dc=org"
    by dn.base="cn=Manager,dc=company,dc=org" write
    by self write
    by users read
    by anonymous auth
access to *
    by self write
    by users read
    by anonymous auth

database        bdb
suffix          "dc=company,dc=org"
rootdn          "cn=Manager,dc=company,dc=org"
rootpw          {SSHA}dr/1Yu+mRLm6PAHtp+UMqJuJMlMMTFQd
directory       /private/var/db/openldap/openldap-data

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname  eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

ldap.conf

URI ldap://127.0.0.1/
BASE dc=company,dc=org

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never
TLS_REQCERT demand

Log when users try to log in to the SVN server (slapd run with -d 255):

………
56ec1897 do_bind: version=3 dn="cn=John,ou=Members,o=company,dc=company,dc=org" method=128
56ec1897 ==> bdb_bind: dn: cn=John,ou=Members,o=company,dc=company,dc=org
56ec1897 bdb_dn2entry("cn=John,ou=members,o=company,dc=company,dc=org")
56ec1897 => bdb_search
56ec1897 bdb_dn2entry("cn=kerberoskdc,cn=config,dc=company,dc=org")
56ec1897 => bdb_dn2id("cn=config,dc=company,dc=org")
56ec1897 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
56ec1897 => access_allowed: disclose access to "dc=company,dc=org" "entry" requested
56ec1897 => dn: [1] o=company,dc=company,dc=org
56ec1897 => acl_get: [2] attr entry
56ec1897 => acl_mask: access to entry "dc=company,dc=org", attr "entry" requested
56ec1897 => acl_mask: to all values by "cn=kerberoskdc,cn=config,dc=company,dc=org", (=0) 
56ec1897 <= check a_dn_pat: self
56ec1897 <= check a_dn_pat: users
56ec1897 <= acl_mask: [2] applying read(=rscxd) (stop)
56ec1897 <= acl_mask: [2] mask: read(=rscxd)
56ec1897 => slap_access_allowed: disclose access granted by read(=rscxd)
56ec1897 => access_allowed: disclose access granted by read(=rscxd)
56ec1897 send_ldap_result: conn=-1 op=0 p=0
56ec1897 send_ldap_result: err=10 matched="dc=company,dc=org" text=""
56ec1897 Entry *odusers_copy_entry(Operation *): Unable to locate    cn=kerberoskdc,cn=config,dc=company,dc=org (32)
56ec1897 odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=company,dc=org
56ec1897 odusers_krb_auth: could not retrieve krb realm while authing John
56ec1897 send_ldap_result: conn=1000 op=2 p=3
56ec1897 send_ldap_result: err=50 matched="" text=""
56ec1897 send_ldap_response: msgid=3 tag=97 err=50
…….    

Upvotes: 0

Views: 650
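The excerpt above is hard to read at -d 255 because the bind of the SVN user, slapd's internal lookup of the Kerberos KDC entry and the final answer to the client are interleaved. The following script is an added example, not code from the question or the answer: it reads a slapd debug log, pulls out the bind DN and method, the KDC lookup, the odusers overlay messages and the BindResponse result code, and states in one line whether the bind died in the Kerberos path or on the credentials. SAMPLE_LOG is a constructed, trimmed copy of the log quoted above; the result-code names follow RFC 4511.

```python
import re

# Constructed sample: a trimmed copy of the slapd -d 255 excerpt quoted in the question.
SAMPLE_LOG = """\
56ec1897 do_bind: version=3 dn="cn=John,ou=Members,o=company,dc=company,dc=org" method=128
56ec1897 ==> bdb_bind: dn: cn=John,ou=Members,o=company,dc=company,dc=org
56ec1897 bdb_dn2entry("cn=kerberoskdc,cn=config,dc=company,dc=org")
56ec1897 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
56ec1897 send_ldap_result: conn=-1 op=0 p=0
56ec1897 send_ldap_result: err=10 matched="dc=company,dc=org" text=""
56ec1897 Entry *odusers_copy_entry(Operation *): Unable to locate    cn=kerberoskdc,cn=config,dc=company,dc=org (32)
56ec1897 odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=company,dc=org
56ec1897 odusers_krb_auth: could not retrieve krb realm while authing John
56ec1897 send_ldap_result: conn=1000 op=2 p=3
56ec1897 send_ldap_result: err=50 matched="" text=""
56ec1897 send_ldap_response: msgid=3 tag=97 err=50
"""

# LDAP result codes that show up in this kind of excerpt (RFC 4511 names).
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
# slapd reading the KDC entry on behalf of the bind (conn=-1 means an internal operation).
KDC_LOOKUP_RE = re.compile(r'dn2entry\("(cn=kerberoskdc,[^"]*)"\)')
OD_RE = re.compile(r'\b(odusers_\w+): (.*)')
# tag=97 is the BER tag of a BindResponse: this line carries the verdict the SVN client sees.
BIND_RESP_RE = re.compile(r'send_ldap_response: msgid=\d+ tag=97 err=(\d+)')


def triage_bind(log_text):
    """Summarise one bind attempt from slapd debug output into a small report dict."""
    report = {
        "bind_dn": None,
        "bind_method": None,
        "kerberos_lookups": [],   # DNs slapd tried to read to find the Kerberos realm
        "od_messages": [],        # messages from Apple's odusers overlay
        "bind_result": None,
        "bind_result_name": None,
    }
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            report["bind_dn"] = m.group(2)
            # method=128 is LDAP_AUTH_SIMPLE (0x80): a plain password bind, not SASL/GSSAPI
            report["bind_method"] = "simple" if m.group(3) == "128" else "method=" + m.group(3)
            continue
        m = KDC_LOOKUP_RE.search(line)
        if m:
            report["kerberos_lookups"].append(m.group(1))
            continue
        m = OD_RE.search(line)
        if m:
            report["od_messages"].append(m.group(1) + ": " + m.group(2))
            continue
        m = BIND_RESP_RE.search(line)
        if m:
            code = int(m.group(1))
            report["bind_result"] = code
            report["bind_result_name"] = RESULT_CODES.get(code, "unknown")
    return report


def diagnosis(report):
    """One-line verdict: did the bind succeed, fail in the Kerberos path, or fail otherwise?"""
    if report["bind_result"] == 0:
        return "bind succeeded"
    if any(msg.startswith("odusers_krb_auth") for msg in report["od_messages"]):
        return ("bind for %s failed with err=%s (%s) inside the odusers Kerberos path after "
                "looking up %s; a wrong password would have been err=49 (invalidCredentials)"
                % (report["bind_dn"], report["bind_result"], report["bind_result_name"],
                   ", ".join(report["kerberos_lookups"]) or "no KDC entry"))
    return "bind for %s failed with err=%s (%s)" % (
        report["bind_dn"], report["bind_result"], report["bind_result_name"])


if __name__ == "__main__":
    print(diagnosis(triage_bind(SAMPLE_LOG)))
```

Run it against a real capture with `python3 triage.py < slapd.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; the useful signal is the combination of a simple bind, a lookup of cn=kerberoskdc and a final err=50, which is what separates this failure from an ordinary wrong password.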

Answers (1)

letimome

Reputation: 936

I finally solved it!

Apparently, if the LDAP backend is bdb, Kerberos is automatically called (I don't know exactly how/why). However, when I change it to ldif, there aren't any calls to Kerberos, and everything works as expected. The steps I performed are as follows:

  1. Using the Apache Directory Studio LDAP browser, I exported my DIT to an LDIF file.
  2. I stopped slapd and changed the line "database bdb" to "database ldif" (in slapd.conf). I also removed all the files from the db directory, except DATABASE_CONFIG.
  3. I started slapd and, again using Apache Directory Studio, imported the LDIF file created in step 1.
  4. Voilà :-)

Upvotes: 4
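The same three steps as a script, added here as an example and not part of the answer above. It swaps the Apache Directory Studio export and import for the OpenLDAP command-line tools slapcat and slapadd, keeps a backup of slapd.conf and runs slaptest on the rewritten file before any database files are deleted. The paths are assumptions: slapd.conf is assumed to live in /private/etc/openldap next to the schema directory the question includes from, the db directory is the `directory` value from the posted slapd.conf, and the file kept in it is DB_CONFIG, which is the BDB tuning file the answer refers to as DATABASE_CONFIG. The `index` directives and `moduleload back_bdb.la` only apply to the BDB backend, so the script comments them out rather than leaving them for back-ldif. SAMPLE_CONF is a constructed excerpt of the posted slapd.conf used for the dry run.

```python
"""Switch a slapd.conf-based OpenLDAP server from back-bdb to back-ldif (added example)."""
import os
import re
import shutil
import subprocess
import sys

# Assumptions: slapd.conf next to the schema directory the question includes from;
# DB_DIR is the 'directory' value in the posted slapd.conf; EXPORT_LDIF is scratch space.
SLAPD_CONF = "/private/etc/openldap/slapd.conf"
DB_DIR = "/private/var/db/openldap/openldap-data"
EXPORT_LDIF = "/tmp/dit-export.ldif"
KEEP_IN_DB_DIR = {"DB_CONFIG"}  # the BDB tuning file (the answer calls it DATABASE_CONFIG)

# Constructed excerpt of the posted slapd.conf; rootpw is a placeholder, not the real hash.
SAMPLE_CONF = """\
modulepath /usr/libexec/openldap
moduleload back_bdb.la

database bdb
suffix "dc=company,dc=org"
rootdn "cn=Manager,dc=company,dc=org"
rootpw {SSHA}placeholder
directory /private/var/db/openldap/openldap-data

# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
"""

DATABASE_RE = re.compile(r"^([ \t]*database[ \t]+)bdb[ \t]*$", re.MULTILINE)
# Directives that only mean something to back-bdb; back-ldif needs neither of them.
BDB_ONLY_RE = re.compile(r"^([ \t]*(?:index[ \t]|moduleload[ \t]+back_bdb\.la))", re.MULTILINE)


def rewrite_backend(conf_text, new_backend="ldif"):
    """Step 2 of the answer applied to the config text: (new_text, database_lines_changed)."""
    text, changed = DATABASE_RE.subn(r"\g<1>" + new_backend, conf_text)
    text = BDB_ONLY_RE.sub(r"#\1", text)
    return text, changed


def files_to_clear(names, keep=KEEP_IN_DB_DIR):
    """Step 2 of the answer applied to the db directory: everything except the BDB config file."""
    return sorted(n for n in names if n not in keep)


def run(cmd):
    """Run an OpenLDAP tool and stop on the first failure; slapd must be stopped meanwhile."""
    print("+", " ".join(cmd))
    subprocess.run(cmd, check=True)


def migrate(conf_path=SLAPD_CONF, db_dir=DB_DIR, export_ldif=EXPORT_LDIF, apply=False):
    # Step 1: offline export of the DIT (slapcat instead of the GUI export used in the answer).
    if apply:
        run(["slapcat", "-f", conf_path, "-l", export_ldif])
    original = open(conf_path).read() if apply else SAMPLE_CONF
    new_text, changed = rewrite_backend(original)
    if changed == 0:
        sys.exit("no 'database bdb' directive in %s; nothing to do" % conf_path)
    names = os.listdir(db_dir) if os.path.isdir(db_dir) else []
    if not apply:
        print(new_text)
        print("would remove from %s: %s" % (db_dir, files_to_clear(names)))
        return
    # Step 2: back up and rewrite slapd.conf, and let slaptest reject it before data is touched.
    shutil.copy2(conf_path, conf_path + ".bak-bdb")
    with open(conf_path, "w") as fh:
        fh.write(new_text)
    run(["slaptest", "-f", conf_path])
    for name in files_to_clear(names):
        path = os.path.join(db_dir, name)
        if os.path.isdir(path):
            shutil.rmtree(path)
        else:
            os.remove(path)
    # Step 3: load the export into the new backend; start slapd again afterwards.
    run(["slapadd", "-f", conf_path, "-l", export_ldif])


if __name__ == "__main__":
    migrate(apply="--apply" in sys.argv)
```

Without `--apply` the script only prints the rewritten configuration and the files it would delete, so the change can be reviewed first; with `--apply` it must be run as a user that can read the BDB files and write slapd.conf, while slapd is stopped.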
