Reputation: 117
I am working on setting up an Apache SVN system that will use our company's Active Directory to control access to the repositories. Note that I am not an IT guy, nor do I play one on TV.
IT gave me a read-only account so I can query the server. That seems to be working fine and I can query on the command line with ldapsearch as well as with Apache Directory Studio.
In our active directory, we have our users under something like OU=Users,OU=DIVISION,DC=INTRANET,DC=CORP with the username contained in the sAMAccountName attribute (for example - srogers). We then have a set of groups under OU=Groups,OU=DIVISION,DC=INTRANET,DC=CORP, and each group has a number of member attributes with the distinguished name.
Group - CN=SoftwareEngineering,OU=Groups,OU=DIVISION,DC=INTRANET,DC=CORP
member: CN=SteveRogers,OU=Users,OU=DIVISION,DC=INTRANET,DC=CORP
I am trying to get Apache SVN to authorize to the SoftwareEngineering group, but I cannot make it work. Here is my configuration file.
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath On
# Use LDAP auth against an active directory
AuthName "Enter your username and password"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=readonlyuser,OU=Services,OU=DIVISION,DC=INTRANET,DC=CORP"
AuthLDAPBindPassword <password>
AuthLDAPGroupAttributeIsDN on
# ----------------- Authorizes any user
# AuthLDAPURL "ldap://divdc.intranet.corp:389/OU=DIVISION,DC=INTRANET,DC=CORP?sAMAccountName?sub?(ObjectClass=*)"
# Require valid-user
AuthLDAPURL "ldap://divdc.intranet.corp:389/OU=DIVISION,DC=INTRANET,DC=CORP?sAMAccountName"
Require ldap-group CN=SoftwareEngineering,OU=Groups,OU=DIVISION,DC=INTRANET,DC=CORP
</Location>
I try to simulate this with LDAP search and if I cut and paste the URL from the conf file, I get this...
# ldapsearch -x -D cn=readonlyuser,dc=INTRANET,dc=CORP -W -H ldap://divdc.intranet.corp:389/OU=DIVISION,DC=INTRANET,DC=CORP?sAMAccountName
Could not parse LDAP URI(s)=ldap://dlsdc1.spa-elec.corp:389/OU=DLS,DC=SPA-ELEC,DC=CORP?sAMAccountName (3)
I also tried with sAMAccountName=srogers and without the sAMAccountName part at all, with the same result.
Any ideas on what the magical incantation is to make this work? I've been all over and can't seem to get the Require ldap-group working.
OS = Ubuntu 16.04
Apache = 2.4.18
Upvotes: 1
Views: 3619
Reputation: 117
Require ldap-group does not work with Subversion. Lazy Badger's link has details.
I fixed my installation by deleting the Require ldap-group, uncommenting the Require valid-user line, and fixing the AuthLDAPURL to add the appropriate LDAP filter.
The configuration now looks like this.
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath On
# Use LDAP auth against an active directory
AuthName "Enter your username and password"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=readonlyuser,OU=Services,OU=DIVISION,DC=INTRANET,DC=CORP"
AuthLDAPBindPassword <password>
AuthLDAPGroupAttributeIsDN on
AuthLDAPURL "ldap://divdc.intranet.corp:389/OU=DIVISION,DC=INTRANET,DC=CORP?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=SoftwareEngineering,OU=Groups,OU=DIVISION,DC=INTRANET,DC=CORP))"
Require valid-user
</Location>
Users in the filter group can connect, and users that are not in the filter group are denied.
I will ask how to give someone read-only permission through LDAP in another question.
Upvotes: 2
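The ldapsearch error in the question comes from passing the whole AuthLDAPURL to -H, which only accepts scheme://host:port; the base DN, attribute, scope and filter are separate arguments. The helper below is an added example (not from the post or from mod_authnz_ldap) that splits an AuthLDAPURL the way mod_authnz_ldap documents it (ldap://host:port/basedn?attribute?scope?filter, defaults uid/sub/(objectClass=*)) and prints the equivalent ldapsearch command, ANDing the filter with attribute=username as the module does, so the memberOf filter can be checked against AD before it goes into the <Location> block. The function name is my own.

```shell
#!/bin/sh
# Added example: convert an Apache AuthLDAPURL into the ldapsearch command
# that mod_authnz_ldap's user lookup corresponds to.
# Usage: authldapurl_to_ldapsearch URL BIND_DN USERNAME
# Assumes the URL form documented for mod_authnz_ldap:
#   ldap://host:port/basedn?attribute?scope?filter
authldapurl_to_ldapsearch() {
    url=$1; bind_dn=$2; user=$3
    scheme=${url%%://*}             # ldap or ldaps
    rest=${url#*://}                # host:port/basedn?attribute?scope?filter
    host=${rest%%/*}                # host:port is all ldapsearch -H accepts
    case $rest in
        */*) path=${rest#*/} ;;     # basedn?attribute?scope?filter
        *)   path= ;;               # no base DN given
    esac

    # Split the path on '?' into positional parameters. Globbing is disabled
    # because filters contain '*' and '(' that the shell would try to expand.
    old_ifs=$IFS; IFS='?'; set -f; set -- $path; set +f; IFS=$old_ifs
    default_filter='(objectClass=*)'
    base=$1; attr=${2:-uid}; scope=${3:-sub}; filter=${4:-$default_filter}

    # mod_authnz_ldap searches for (&(filter)(attribute=username)); an account
    # outside the memberOf group returns no entry, so Require valid-user
    # denies it even though the bind credentials are correct.
    search="(&${filter}(${attr}=${user}))"

    printf "ldapsearch -x -H %s://%s -D '%s' -W -b '%s' -s %s '%s' dn\n" \
        "$scheme" "$host" "$bind_dn" "$base" "$scope" "$search"
}

# Stand-alone demo using the DNs from the post (-W prompts for the password).
authldapurl_to_ldapsearch \
  'ldap://divdc.intranet.corp:389/OU=DIVISION,DC=INTRANET,DC=CORP?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=SoftwareEngineering,OU=Groups,OU=DIVISION,DC=INTRANET,DC=CORP))' \
  'CN=readonlyuser,OU=Services,OU=DIVISION,DC=INTRANET,DC=CORP' srogers
```

Run the printed command once with a user inside the group and once with a user outside it: the first should return the user's dn, the second nothing, which is exactly the behaviour Require valid-user then enforces.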