Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
762 views
in Technique[技术] by (71.8m points)

svn - Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication

I am attempting to setup Apache httpd with LDAP access for Subversion, and need a bit of help:

What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.

The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)

CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com

and the members of the group are in this record like this:

member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM

If you look up my record in LDAP, you'll see:

memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub

What I'd like to do is to login as dweintraub (which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany domain.

I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.

Which reminds me, can anyone recommend a good Apache book?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

Here is the minimum needed for AD ldap authentication and authorization:

<Location /path/to/repo/>
    AuthType basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    Require ldap-group DN of group allowed access to repo
</Location>

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...