[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OpenLDAP configuration for ldap-group authentication on Apache2.x
Buchan,
That worked for me. Thanks. I have another question for the mailing list.
Can I place the AuthLDAPURL, AuthzLDAPAuthoritative, AuthLDAPGroupAttributeIsDN and AuthLDAPGroupAttribute outside of <Location> and <Directory> and inside of <VirtualHost> and place just Require and Satisfy within the <Location> and <Directory> tags? I am asking, because all of the <Location> an <Directory> entries are going to be using the same LDAP server and will be accessed through membership in LDAP groups.
> AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?
> (objectclass=posixAccount)"
> Satisfy All
> AuthzLDAPAuthoritative on
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPGroupAttribute memberUid
> Require ldap-group cn=developers,ou=Group,.....
Thank you,
Loren
On Jun 3, 2010, at 02:20 AM, Buchan Milne wrote:
> On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
>> What does Apache2.x use to authenticate a user that belongs to a group? My
>> initial requirement for groupOfUniqueNames was that of
>> http://exist-db.org/ldap-security.html#N10149 , but since I am a
>> contributor to the eXist database project, then I can change the code to
>> meet a common specification. My priority is the get Subversion to get the
>> authenticated user of a group.
>>
>> The following works with SVN to authenticate agains a single user:
>>
>> <Location /svn>
>> DAV svn
>> SVNParentPath /var/local/svn/foo.exist-db.org
>> SVNAutoversioning on
>> SVNListParentPath on
>> AuthBasicProvider ldap
>> AuthUserFile /dev/null
>> AuthType Basic
>> AuthName "Subversion Authentication"
>> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>> AuthLDAPBindPassword "1234"
>> AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org";
>> AuthLDAPCompareDNOnServer off
>> Require ldap-user lcahlander
>> AuthzLDAPAuthoritative on
>> </Location>
>>
>>
>> When I would like for it to be:
>>
>> <Location /svn>
>> DAV svn
>> SVNParentPath /var/local/svn/foo.exist-db.org
>> SVNAutoversioning on
>> SVNListParentPath on
>> AuthBasicProvider ldap
>> AuthUserFile /dev/null
>> AuthType Basic
>> AuthName "Subversion Authentication"
>> # The distinguished name to bind to the directory server
>> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>>
>> # The password for the user above
>> AuthLDAPBindPassword "1234"
>> AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org";
>> AuthLDAPGroupAttribute memberUid
>> AuthLDAPGroupAttributeIsDN off
>> AuthLDAPCompareDNOnServer off
>>
>> AuthzLDAPAuthoritative on
>> AuthBasicAuthoritative on
>> <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE
>> PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> Require ldap-group
>> cn=dba,ou=Groups,dc=exist-db,dc=org Require ldap-group
>> cn=svn-update,ou=Groups,dc=exist-db,dc=org Satisfy any
>> </Limit>
>> <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
>> Require ldap-group
>> cn=svn-readonly,ou=Groups,dc=exist-db,dc=org Satisfy any
>> </Limit>
>> </Location>
>
>
> Something like this should work, I have something like this:
>
> AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?
> (objectclass=posixAccount)"
> Satisfy All
> AuthzLDAPAuthoritative on
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPGroupAttribute memberUid
> Require ldap-group cn=developers,ou=Group,.....
>
> Although the requirement to limiting operations via svn was not that great,
> and I ran out of time to test that, so I haven't got these inside Limit
> statements at present ...
>
> I suggest starting out with a memberUid-based non-Limit config first, and if
> that works, add the Limits parts in.
>
> Regards,
> Buchan