Re: OpenLDAP configuration for ldap-group authentication on Apache2.x
What does Apache2.x use to authenticate a user that belongs to a group? My initial requirement for groupOfUniqueNames was that of http://exist-db.org/ldap-security.html#N10149 , but since I am a contributor to the eXist database project, I can change the code to meet a common specification. My priority is to get Subversion to get the authenticated user of a group.
The following works with SVN to authenticate against a single user:
<Location /svn>
DAV svn
SVNParentPath /var/local/svn/foo.exist-db.org
SVNAutoversioning on
SVNListParentPath on
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthType Basic
AuthName "Subversion Authentication"
AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
AuthLDAPBindPassword "1234"
AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
AuthLDAPCompareDNOnServer off
Require ldap-user lcahlander
AuthzLDAPAuthoritative on
</Location>
What I would like is for it to be:
<Location /svn>
DAV svn
SVNParentPath /var/local/svn/foo.exist-db.org
SVNAutoversioning on
SVNListParentPath on
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthType Basic
AuthName "Subversion Authentication"
# The distinguished name to bind to the directory server
AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
# The password for the user above
AuthLDAPBindPassword "1234"
AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPCompareDNOnServer off
AuthzLDAPAuthoritative on
AuthBasicAuthoritative on
<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
Satisfy any
</Limit>
<Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
Satisfy any
</Limit>
</Location>
If I can do this with posixGroup only, then I will make the needed change to the eXist database code. What I am trying to do is use the most basic standard LDAP schema to get users and groups.
Thank you,
Loren
On Jun 2, 2010, at 07:32 AM, Buchan Milne wrote:
> On Tuesday, 1 June 2010 17:04:59 Loren Cahlander wrote:
>
>> And need to have groups being both posixGroup and groupOfUniqueNames.
>
>
> I would rather use groupOfNames/member than groupOfUniqueNames/uniqueMember
> ...
>
>> Far below is my configuration. If I try loading a group with the following:
>>> dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
>>> gidNumber: 9999
>>> objectClass: posixGroup
>>> objectClass: groupOfUniqueNames
>>> uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
>>> cn: my-dba
>>
>> I get the following error:
>>> ldap_add: Object class violation (65)
>>> additional info: invalid structural object class chain
>>> (posixGroup/groupOfUniqueNames)
>>
>> Does anyone have a suggestion for how to deal with this error?
>
> Two options:
>
> 1) Switch to rfc2307bis instead of rfc2307 (nis.schema)
>
> This may require a bit of work for your ldap clients.
>
> 2) Add objectclass extensibleObject, and maintain both member and memberUid
> attributes.
>
> Regards,
> Buchan
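As an added illustration (not code from this thread, from mod_authnz_ldap or from OpenLDAP), a small Python model of what the second <Location> block asks Apache to decide: with AuthLDAPGroupAttribute memberUid and AuthLDAPGroupAttributeIsDN off the login name is compared against memberUid, whereas with IsDN on the user's DN is compared against member; it also models the structural-class rule behind the "invalid structural object class chain" error under nis.schema versus rfc2307bis. The directory entries and the per-schema structural-class sets are constructed assumptions for the example.

```python
# Constructed toy directory (not a real LDAP server): DN -> attributes,
# attribute names lower-cased, values as lists.  Assumption for the example.
DIRECTORY = {
    "uid=lcahlander,ou=users,dc=exist-db,dc=org": {
        "objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["lcahlander"]},
    "cn=dba,ou=groups,dc=exist-db,dc=org": {
        "objectclass": ["posixGroup"], "memberuid": ["lcahlander"]},
    "cn=svn-readonly,ou=groups,dc=exist-db,dc=org": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=guest,ou=users,dc=exist-db,dc=org"]},
}

def norm_dn(dn):
    """Minimal DN normalisation: lower-case, drop spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_group(username, user_dn, group_dn, group_attr, attr_is_dn):
    """Emulate one 'Require ldap-group <dn>' under AuthLDAPGroupAttribute /
    AuthLDAPGroupAttributeIsDN.  IsDN off (posixGroup): the login name is
    compared with memberUid.  IsDN on (groupOfNames): the user's DN is
    compared with member.  Mixing the two never matches."""
    group = DIRECTORY.get(norm_dn(group_dn))
    if group is None:
        return False
    values = group.get(group_attr.lower(), [])
    if attr_is_dn:
        return norm_dn(user_dn) in {norm_dn(v) for v in values}
    return username in values

def require_ldap_group(username, user_dn, group_dns, group_attr, attr_is_dn):
    """Several Require lines inside one <Limit> are OR'ed: any match allows."""
    return any(in_group(username, user_dn, g, group_attr, attr_is_dn)
               for g in group_dns)

# Structural classes per schema (assumed sets for the example): nis.schema
# (rfc2307) declares posixGroup STRUCTURAL, so pairing it with the equally
# structural groupOfUniqueNames is the object class violation in the thread;
# rfc2307bis makes posixGroup AUXILIARY (option 1).  extensibleObject is
# AUXILIARY, so posixGroup + extensibleObject is accepted (option 2).
STRUCTURAL = {
    "rfc2307": {"posixgroup", "groupofuniquenames", "groupofnames"},
    "rfc2307bis": {"groupofuniquenames", "groupofnames"},
}

def structural_chain_ok(object_classes, schema):
    """An entry may carry only one structural class (or one inheritance chain)."""
    found = {c.lower() for c in object_classes} & STRUCTURAL[schema]
    return len(found) <= 1
```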