
Re: OpenLDAP configuration for ldap-group authentication on Apache2.x



What does Apache2.x use to authenticate a user that belongs to a group?  My initial requirement for groupOfUniqueNames was that of http://exist-db.org/ldap-security.html#N10149 , but since I am a contributor to the eXist database project, I can change the code to meet a common specification.  My priority is to get Subversion to get the authenticated user of a group.

The following works with SVN to authenticate against a single user:

        <Location /svn>
           DAV svn
           SVNParentPath /var/local/svn/foo.exist-db.org
           SVNAutoversioning on
           SVNListParentPath on
           AuthBasicProvider ldap
           AuthUserFile /dev/null
           AuthType Basic
           AuthName "Subversion Authentication"
           AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
           AuthLDAPBindPassword "1234"
           AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
           AuthLDAPCompareDNOnServer off
           Require ldap-user lcahlander
           AuthzLDAPAuthoritative on
        </Location>


What I would like for it to be:

        <Location /svn>
           DAV svn
           SVNParentPath /var/local/svn/foo.exist-db.org
           SVNAutoversioning on
           SVNListParentPath on
           AuthBasicProvider ldap
           AuthUserFile /dev/null
           AuthType Basic
           AuthName "Subversion Authentication"
           # The distinguished name to bind to the directory server
           AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"

           # The password for the user above
           AuthLDAPBindPassword "1234"
           AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
           # posixGroup lists members as uid values in memberUid, not as DNs,
           # so compare the authenticated username rather than the user's DN
           AuthLDAPGroupAttribute memberUid
           AuthLDAPGroupAttributeIsDN off
           AuthLDAPCompareDNOnServer off

           AuthzLDAPAuthoritative on
           AuthBasicAuthoritative on 
           <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
              Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
              Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
              Satisfy any
           </Limit>
           <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
              Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
              Satisfy any
           </Limit>
        </Location>

If I can do this with posixGroup only, then I will make the needed change to the eXist database code.  What I am trying to do is use the most basic standard LDAP schema to get users and groups.

Thank you,

Loren

On Jun 2, 2010, at 07:32 AM, Buchan Milne wrote:

> On Tuesday, 1 June 2010 17:04:59 Loren Cahlander wrote:
> 
>> And need to have groups being both posixGroup and groupOfUniqueNames.
> 
> 
> I would rather use groupOfNames/member than groupOfUniqueNames/uniqueMember 
> ...
> 
>> Far below is my configuration.  If I try loading a group with the following:
>>> dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
>>> gidNumber: 9999
>>> objectClass: posixGroup
>>> objectClass: groupOfUniqueNames
>>> uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
>>> cn: my-dba
>> 
>> I get the following error:
>>> ldap_add: Object class violation (65)
>>> 	additional info: invalid structural object class chain
>>> (posixGroup/groupOfUniqueNames)
>> 
>> Does anyone have a suggestion for how to deal with this error?
> 
> Two options:
> 
> 1) Switch to rfc2307bis instead of rfc2307 (nis.schema)
> 
> This may require a bit of work for your ldap clients.
> 
> 2) Add objectclass extensibleObject, and maintain both member and memberUid 
> attributes.
> 
> Regards,
> Buchan