
Re: OpenLDAP configuration for ldap-group authentication on Apache2.x



Buchan,

That worked for me.  Thanks.  I have another question for the mailing list.

Can I place the AuthLDAPURL, AuthzLDAPAuthoritative, AuthLDAPGroupAttributeIsDN and AuthLDAPGroupAttribute outside of <Location> and <Directory> and inside of <VirtualHost> and place just Require and Satisfy within the <Location> and <Directory> tags?  I am asking, because all of the <Location> and <Directory> entries are going to be using the same LDAP server and will be accessed through membership in LDAP groups.


>      AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
>      Satisfy All
>      AuthzLDAPAuthoritative on
>      AuthLDAPGroupAttributeIsDN off
>      AuthLDAPGroupAttribute memberUid
>      Require ldap-group cn=developers,ou=Group,.....


Thank you,
Loren



On Jun 3, 2010, at 02:20 AM, Buchan Milne wrote:

> On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
>> What does Apache2.x use to authenticate a user that belongs to a group?  My
>> initial requirement for groupOfUniqueNames was that of
>> http://exist-db.org/ldap-security.html#N10149 , but since I am a
>> contributor to the eXist database project, then I can change the code to
>> meet a common specification.  My priority is to get Subversion to get the
>> authenticated user of a group.
>> 
>> The following works with SVN to authenticate against a single user:
>> 
>>        <Location /svn>
>>           DAV svn
>>           SVNParentPath /var/local/svn/foo.exist-db.org
>>           SVNAutoversioning on
>>           SVNListParentPath on
>>           AuthBasicProvider ldap
>>           AuthUserFile /dev/null
>>           AuthType Basic
>>           AuthName "Subversion Authentication"
>>           AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>>           AuthLDAPBindPassword "1234"
>>           AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
>>           AuthLDAPCompareDNOnServer off
>>           Require ldap-user lcahlander
>>           AuthzLDAPAuthoritative on
>>        </Location>
>> 
>> 
>> When I would like for it to be:
>> 
>>        <Location /svn>
>>           DAV svn
>>           SVNParentPath /var/local/svn/foo.exist-db.org
>>           SVNAutoversioning on
>>           SVNListParentPath on
>>           AuthBasicProvider ldap
>>           AuthUserFile /dev/null
>>           AuthType Basic
>>           AuthName "Subversion Authentication"
>>           # The distinguished name to bind to the directory server
>>           AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>> 
>>           # The password for the user above
>>           AuthLDAPBindPassword "1234"
>>           AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
>>           AuthLDAPGroupAttribute memberUid
>>           AuthLDAPGroupAttributeIsDN off
>>           AuthLDAPCompareDNOnServer off
>> 
>>           AuthzLDAPAuthoritative on
>>           AuthBasicAuthoritative on
>>           <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>>              Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
>>              Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
>>              Satisfy any
>>           </Limit>
>>           <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
>>              Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
>>              Satisfy any
>>           </Limit>
>>        </Location>
> 
> 
> Something like this should work, I have something like this:
> 
>      AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
>      Satisfy All
>      AuthzLDAPAuthoritative on
>      AuthLDAPGroupAttributeIsDN off
>      AuthLDAPGroupAttribute memberUid
>      Require ldap-group cn=developers,ou=Group,.....
> 
> Although the requirement to limit operations via svn was not that great, 
> and I ran out of time to test that, so I haven't got these inside Limit 
> statements at present ...
> 
> I suggest starting out with a memberUid-based non-Limit config first, and if 
> that works, add the Limits parts in.
> 
> Regards,
> Buchan
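
The layout Loren asks about, written out as an added example that is not from this thread or from either poster. It uses the Apache 2.2 directive names seen in the configs quoted above; the host name, base DN, group names, mount points and method lists are placeholders I made up.

```apache
# Added example (not from the thread): one LDAP setup shared by several
# locations of a virtual host.  All names below are placeholders.
<VirtualHost *:443>
    ServerName svn.example.org
    # (SSL directives omitted for brevity)

    # AuthLDAP*, AuthType and AuthName are directory-context directives.
    # Written bare inside <VirtualHost> they are rejected at startup
    # ("AuthLDAPURL not allowed here"), so the nearest legal place is a
    # <Location /> block, which every nested section below inherits from.
    <Location />
        AuthType Basic
        AuthName "Subversion Authentication"
        AuthBasicProvider ldap
        # Group lookup by the members' uid values (posixGroup style),
        # as in Buchan's config, rather than by full member DNs.
        AuthLDAPURL "ldaps://ldap.example.org/ou=People,dc=example,dc=org?uid?sub?(objectClass=posixAccount)"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthzLDAPAuthoritative on
        Satisfy All
    </Location>

    <Location /svn>
        DAV svn
        SVNParentPath /var/local/svn
        # Read-only methods: either group may use them
        # (several Require lines in one section are OR'ed in 2.2).
        <Limit GET HEAD OPTIONS PROPFIND REPORT>
            Require ldap-group cn=svn-readonly,ou=Groups,dc=example,dc=org
            Require ldap-group cn=dba,ou=Groups,dc=example,dc=org
        </Limit>
        # Everything else (commits, locks, property changes): writers only
        <LimitExcept GET HEAD OPTIONS PROPFIND REPORT>
            Require ldap-group cn=dba,ou=Groups,dc=example,dc=org
        </LimitExcept>
    </Location>

    <Location /wiki>
        # Same directory server and bind settings, a different group
        Require ldap-group cn=developers,ou=Groups,dc=example,dc=org
    </Location>
</VirtualHost>
```

Two points decide this shape. The AuthLDAP* directives (like AuthType and AuthName) are only valid inside a <Directory>, <Location>, <Files> or .htaccess context, so placed directly inside <VirtualHost> they fail `apachectl configtest` with "not allowed here"; a <Location /> inside the virtual host is the closest legal equivalent. And mod_authnz_ldap has no per-directory merge routine, so a nested section that sets even one of its directives (in 2.2 that includes AuthzLDAPAuthoritative) replaces the inherited set instead of adding to it; keep all of them together in the one <Location /> and put only Require, Satisfy and the Limit sections in the specific locations. Test the result with a request carrying no credentials and with a valid user who is outside the group, both of which must be refused, rather than only with a group member: in 2.2, `Satisfy any` with no Allow/Deny restriction lets every client pass the host check and therefore skips authentication entirely, which is why the example keeps Buchan's `Satisfy All`. For Subversion, checkouts and updates use REPORT, so it belongs in the read-only method list with GET, PROPFIND and OPTIONS (the set the Subversion book recommends); without it read-only members cannot check out. Finally, searching uid and memberUid needs only read access, so the bind DN does not need to be the directory administrator as in the quoted config.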