Re: OpenLDAP configuration for ldap-group authentication on Apache2.x
On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
> What does Apache2.x use to authenticate a user that belongs to a group? My
> initial requirement for groupOfUniqueNames was that of
> http://exist-db.org/ldap-security.html#N10149 , but since I am a
> contributor to the eXist database project, then I can change the code to
> meet a common specification. My priority is to get Subversion to get the
> authenticated user of a group.
>
> The following works with SVN to authenticate against a single user:
>
> <Location /svn>
> DAV svn
> SVNParentPath /var/local/svn/foo.exist-db.org
> SVNAutoversioning on
> SVNListParentPath on
> AuthBasicProvider ldap
> AuthUserFile /dev/null
> AuthType Basic
> AuthName "Subversion Authentication"
> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
> AuthLDAPBindPassword "1234"
> AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
> AuthLDAPCompareDNOnServer off
> Require ldap-user lcahlander
> AuthzLDAPAuthoritative on
> </Location>
>
>
> When I would like for it to be:
>
> <Location /svn>
> DAV svn
> SVNParentPath /var/local/svn/foo.exist-db.org
> SVNAutoversioning on
> SVNListParentPath on
> AuthBasicProvider ldap
> AuthUserFile /dev/null
> AuthType Basic
> AuthName "Subversion Authentication"
> # The distinguished name to bind to the directory server
> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>
> # The password for the user above
> AuthLDAPBindPassword "1234"
> AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPCompareDNOnServer off
>
> AuthzLDAPAuthoritative on
> AuthBasicAuthoritative on
> <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
> Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
> Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
> Satisfy any
> </Limit>
> <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
> Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
> Satisfy any
> </Limit>
> </Location>
Something like this should work; I have something like this:
AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
Satisfy All
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
Require ldap-group cn=developers,ou=Group,.....
Although the requirement to limit operations via svn was not that great,
and I ran out of time to test that, so I haven't got these inside Limit
statements at present ...
I suggest starting out with a memberUid-based non-Limit config first, and if
that works, add the Limits parts in.
Regards,
Buchan
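
The memberUid-based configuration Buchan recommends, written out in full as an added example for readers of this thread (it is neither Loren's nor Buchan's config). It assumes Apache 2.2 with mod_authnz_ldap and mod_dav_svn, posixGroup entries under ou=Groups whose memberUid values are bare uids, and the example.org DNs, hostname, repository path and bind account shown, all of which are placeholders. It also splits read and write access with a complementary Limit/LimitExcept pair rather than two Limit blocks, so that no HTTP method is left outside every Require.

```apache
# Added example, not the original poster's configuration. All DNs, the
# hostname, the bind account and the repository path are placeholders.
<Location /svn>
    DAV svn
    SVNParentPath /var/local/svn/repos
    SVNListParentPath on

    AuthType Basic
    AuthName "Subversion Authentication"
    AuthBasicProvider ldap
    AuthBasicAuthoritative on

    # Bind with a dedicated read-only service account rather than the
    # directory admin, and use ldaps:// so neither this password nor the
    # users' Basic-auth credentials are relayed to the directory in clear.
    AuthLDAPBindDN "cn=apache-svn,ou=Services,dc=example,dc=org"
    AuthLDAPBindPassword "placeholder-change-me"

    # Users are looked up by uid; the filter keeps the search to POSIX accounts.
    AuthLDAPURL "ldaps://ldap.example.org/ou=Users,dc=example,dc=org?uid?sub?(objectClass=posixAccount)"

    # posixGroup stores bare uids in memberUid, so the value is compared against
    # the uid attribute from the URL above, not against the user's DN.
    # For groupOfUniqueNames you would instead use:
    #   AuthLDAPGroupAttribute uniqueMember
    #   AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthzLDAPAuthoritative on

    # Write methods: in Apache 2.2 several Require lines in one block are ORed,
    # so either group is enough. Methods not covered by any Require are not
    # protected at all, which is why LimitExcept is used here instead of a
    # second Limit list that might miss a method.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group cn=dba,ou=Groups,dc=example,dc=org
        Require ldap-group cn=svn-update,ou=Groups,dc=example,dc=org
    </LimitExcept>

    # Read-only methods (REPORT is needed for svn checkout/update): any of the
    # three groups may use them.
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group cn=dba,ou=Groups,dc=example,dc=org
        Require ldap-group cn=svn-update,ou=Groups,dc=example,dc=org
        Require ldap-group cn=svn-readonly,ou=Groups,dc=example,dc=org
    </Limit>
</Location>
```

Before enabling the Limit blocks, check that the group lookup itself works by binding as the service account and searching ou=Groups for `(&(objectClass=posixGroup)(memberUid=<uid>))`; if that returns the expected cn values, `Require ldap-group` with `AuthLDAPGroupAttributeIsDN off` will match the same way. On Apache 2.4 the `Satisfy` and `AuthzLDAPAuthoritative` directives are gone and the alternatives are expressed with `<RequireAny>` instead of repeated Require lines.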