[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion using apache and ldap

From: Kyle George <kgeorge_at_tcpsoft.com>
Date: 2007-05-10 22:48:41 CEST

On Thu, 10 May 2007, Brent Kiley wrote:

> Thanks for the response. This may sound like a stupid question, how does it
> know where to obtain the password from? Is it possible that this is my
> problem? I want it authenticated based on uid so I think my query string is
> alright.

The LDAP bind parameters are only necessary if you're authenticating
against a directory server (like MS Active Directory) that doesn't allow
anonymous queries. I'm not sure if this is your problem, but it might be.
It depends on how your LDAP server is configured. Where the BindDN and
BindPassword comes from is you. You should create/use a service user
(i.e., not a person) account with very very limited permissions for this
if necessary.

To see if what the user typed into the browser for their username and
password is correct, mod_authnz_ldap first searches (search phase) for an
entry matching the supplied username in the directory. If BindDN and
BindPassword are given, it uses these to log into the directory for this
phase. If not, then an anonymous search is tried. If an entry is found,
it then tries to "bind" (bind phase) using the DN of the entry found
during the search phase and the supplied password. If this succeeds, then
the user has been authenticated. [1]

There is still the authorization phase though, which is where your problem
could be. Check all your logs again (auth_log, error_log, access_log,
etc.).

Also, take all the Limit and other directives out of there and come up
with the most simple test case you can think of, which probably means
getting this working first with some textfiles and a temporary directory
instead of subversion. Also ldapsearch from the command line will help.

[1] http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#operation

-- 
Kyle George
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu May 10 22:49:01 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.