
Re: OpenLDAP configuration for ldap-group authentication on Apache2.x



On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
> What does Apache2.x use to authenticate a user that belongs to a group?  My
>  initial requirement for groupOfUniqueNames was that of
>  http://exist-db.org/ldap-security.html#N10149 , but since I am a
>  contributor to the eXist database project, then I can change the code to
>  meet a common specification.  My priority is the get Subversion to get the
>  authenticated user of a group.
> 
> The following works with SVN to authenticate against a single user:
> 
>         <Location /svn>
>            DAV svn
>            SVNParentPath /var/local/svn/foo.exist-db.org
>            SVNAutoversioning on
>            SVNListParentPath on
>            AuthBasicProvider ldap
>            AuthUserFile /dev/null
>            AuthType Basic
>            AuthName "Subversion Authentication"
>            AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>            AuthLDAPBindPassword "1234"
>            AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
>            AuthLDAPCompareDNOnServer off
>            Require ldap-user lcahlander
>            AuthzLDAPAuthoritative on
>         </Location>
> 
> 
> When I would like for it to be:
> 
>         <Location /svn>
>            DAV svn
>            SVNParentPath /var/local/svn/foo.exist-db.org
>            SVNAutoversioning on
>            SVNListParentPath on
>            AuthBasicProvider ldap
>            AuthUserFile /dev/null
>            AuthType Basic
>            AuthName "Subversion Authentication"
>            # The distinguished name to bind to the directory server
>            AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
> 
>            # The password for the user above
>            AuthLDAPBindPassword "1234"
>            AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
>            AuthLDAPGroupAttribute memberUid
>            AuthLDAPGroupAttributeIsDN off
>            AuthLDAPCompareDNOnServer off
> 
>            AuthzLDAPAuthoritative on
>            AuthBasicAuthoritative on
>            <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>               Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
>               Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
>               Satisfy any
>            </Limit>
>            <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
>               Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
>               Satisfy any
>            </Limit>
>         </Location>


Something like this should work, I have something like this:

      AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
      Satisfy All
      AuthzLDAPAuthoritative on
      AuthLDAPGroupAttributeIsDN off
      AuthLDAPGroupAttribute memberUid
      Require ldap-group cn=developers,ou=Group,.....

Although the requirement for limiting operations via svn was not that great, 
and I ran out of time to test that, so I haven't got these inside Limit 
statements at present ...

I suggest starting out with a memberUid-based non-Limit config first, and if 
that works, add the Limits parts in.

Regards,
Buchan
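The point both messages turn on is how mod_authnz_ldap decides group membership: with AuthLDAPGroupAttributeIsDN off it compares the login name against the values of AuthLDAPGroupAttribute (memberUid for posixGroup), and with it on it compares the user's DN (found through the AuthLDAPUrl search) against DN-valued members such as uniqueMember. The model below is an added example written for this page, not Apache's code and not from either poster; the directory entries are constructed, the function names are made up, and the DN comparison is a plain case-insensitive string match, which is the simplification Apache makes when AuthLDAPCompareDNOnServer is off. It also shows why a mismatched pair (memberUid with IsDN on, or uniqueMember with IsDN off) denies everyone rather than opening access.

```python
"""Model of 'Require ldap-group' evaluation in Apache's mod_authnz_ldap.

Added example (not Apache code). DIRECTORY is a constructed stand-in for
the LDAP server; names like find_user_dn/in_group are hypothetical.
"""
from dataclasses import dataclass

# Constructed directory: DN -> attribute name -> list of values.
DIRECTORY = {
    "uid=lcahlander,ou=Users,dc=exist-db,dc=org": {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["lcahlander"],
    },
    "uid=alice,ou=Users,dc=exist-db,dc=org": {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["alice"],
    },
    # posixGroup: members are login names, so AuthLDAPGroupAttributeIsDN off
    "cn=dba,ou=Groups,dc=exist-db,dc=org": {
        "objectClass": ["posixGroup"],
        "memberUid": ["lcahlander"],
    },
    "cn=svn-readonly,ou=Groups,dc=exist-db,dc=org": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "lcahlander"],
    },
    # groupOfUniqueNames: members are DNs, so AuthLDAPGroupAttributeIsDN on
    "cn=eXistDBAs,ou=Groups,dc=exist-db,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=lcahlander,ou=Users,dc=exist-db,dc=org"],
    },
}


@dataclass
class LdapGroupConfig:
    group_attribute: str         # AuthLDAPGroupAttribute
    group_attribute_is_dn: bool  # AuthLDAPGroupAttributeIsDN


def find_user_dn(username, base="ou=Users,dc=exist-db,dc=org", attr="uid"):
    """Mirror the AuthLDAPUrl search ".../ou=Users,...?uid?sub?(objectclass=posixAccount)":
    return the DN of the entry under `base` whose `attr` equals the login name."""
    for dn, attrs in DIRECTORY.items():
        if (dn.lower().endswith(base.lower())
                and username in attrs.get(attr, [])
                and "posixAccount" in attrs.get("objectClass", [])):
            return dn
    return None


def in_group(username, group_dn, cfg):
    """One 'Require ldap-group <group_dn>' check for an already authenticated user."""
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False                       # unknown group never grants access
    members = group.get(cfg.group_attribute, [])
    if cfg.group_attribute_is_dn:
        # Compare the user's DN with DN-valued members (string match, as with
        # AuthLDAPCompareDNOnServer off).
        user_dn = find_user_dn(username)
        return user_dn is not None and any(
            m.lower() == user_dn.lower() for m in members)
    # Compare the bare login name with name-valued members (memberUid).
    return username in members


def require_ldap_group(username, required_groups, cfg):
    """Several 'Require ldap-group' lines in one section are OR'd by Apache:
    membership in any listed group is enough."""
    return any(in_group(username, g, cfg) for g in required_groups)


if __name__ == "__main__":
    posix = LdapGroupConfig("memberUid", False)
    groups = ["cn=dba,ou=Groups,dc=exist-db,dc=org",
              "cn=svn-update,ou=Groups,dc=exist-db,dc=org"]
    for user in ("lcahlander", "alice"):
        print(user, "->", require_ldap_group(user, groups, posix))
```

Running the block prints `lcahlander -> True` (matched through cn=dba; the missing cn=svn-update group is simply skipped) and `alice -> False`. Switching the same memberUid group to `LdapGroupConfig("memberUid", True)` makes every lookup fail, because the DN never equals a bare uid, which is the symptom to look for when a group-based Require denies a user who is visibly in the group.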