
Re: locking down access to a repository

From: opensrcguru <opensrcguru_at_gmail.com>
Date: Tue, 9 Nov 2010 13:12:15 -0600

On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss <pmoss4_at_csc.com> wrote:

>
> I appreciate all of the help that I am receiving. I have still not been
> successful in resolving this.
>
> I removed the line:
> Require valid-user
>
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in
> the google hits. Yet I am still not successful in accessing the repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because
> I am really confused as to how to proceed.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
> From: kmradke_at_rockwellcollins.com
> To: Patricia A Moss/USA/CSC_at_CSC
> Cc: users_at_subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
> ------------------------------
>
>
>
> Patricia A Moss <pmoss4_at_csc.com> wrote on 11/09/2010 09:41:42 AM:
>
> > From: Patricia A Moss <pmoss4_at_csc.com>
> > To: kmradke_at_rockwellcollins.com
> > Cc: users_at_subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> >
> > >I don't think you want the "Require valid-user" line, since by default it uses
> > >ANY of the Require lines as matches. (And in your case valid-user matches all
> > >users so it doesn't care you are also specifying a group and a user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove the
> objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>
> AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
> AuthLDAPGroupAttribute member
> Require ldap-group ...
>
> It has been quite awhile since I used ldap groups instead of authz files...
>
> This first google hit has some examples:
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
>
> As does this one:
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
>
> Kevin R.
>
>
Although this is probably better suited for the apache/mod_ldap list, I'll
attempt to help.

Do your domain controllers support unencrypted binds (very dangerous)?
Can you supply any apache/AD debug logs?
Can you supply versions of apache/mod_ldap?
Can you describe anything that is known to be working?

...this should be pretty straightforward to troubleshoot if you give us
some useful information to work with.

I speak without a full understanding of the list's user base, but I bet none
of them can or ever will be able to read the minds of the end user with a
problem (let alone know how their systems are configured). If there is such
a wonderful beasty, I'd be mighty interested in meeting them.

/OSG
Received on 2010-11-09 20:12:53 CET
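
The "Require valid-user" behaviour Kevin describes and the unencrypted-bind concern raised above, side by side as an added example that is not part of the original thread or anyone's actual configuration. It assumes Apache 2.2 with mod_ldap, mod_authnz_ldap and mod_dav_svn loaded; every path, DN, group name and password below is a constructed placeholder.

```apache
# --- Before: the group restriction has no effect -------------------------
<Location /svn/before>
    DAV svn
    SVNPath /srv/svn/repo
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    # ldap:// sends the bind password and every user's password in clear text
    AuthLDAPURL "ldap://ad.example.com/dc=example,dc=com?sAMAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "CN=svn-bind,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    Require ldap-group CN=svn-users,OU=Groups,DC=example,DC=com
    # Multiple Require lines are alternatives: one match is enough.
    # valid-user matches anyone who authenticates, so the group line
    # above is never the deciding rule.
    Require valid-user
</Location>

# --- After: only members of the group get in, over TLS --------------------
<Location /svn/after>
    DAV svn
    SVNPath /srv/svn/repo
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    # The base DN is where the *user* search starts, so it must contain the
    # user accounts (not only the OU that holds the group objects).
    AuthLDAPURL "ldaps://ad.example.com/dc=example,dc=com?sAMAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "CN=svn-bind,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    # AD groups list members as full DNs in the "member" attribute
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # The group is given as its full DN; no "Require valid-user" here
    Require ldap-group CN=svn-users,OU=Groups,DC=example,DC=com
</Location>
```

If the second block denies everyone, setting `LogLevel debug` at server or virtual-host level makes mod_authnz_ldap log the user search and the group comparison it attempts, which is the kind of log output requested above.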

This is an archived mail posted to the Subversion Users mailing list.
