
Re: locking down access to a repository

From: opensrcguru <opensrcguru_at_gmail.com>
Date: Tue, 9 Nov 2010 14:03:32 -0600

On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss <pmoss4_at_csc.com> wrote:
>
> I've tried twice to reply to your first response.  I am not sure why it is not posting.
> I am going to try again.
>
> >First. LDAP (authentication) is only 1/2 of the big picture. You will
> >still need to configure authorization on the repos themselves.
> I have done this already.  I have a separate configuration file for each repository.  That looks like this:
> <Location /RepositoryName>
> dav svn
> SVNPath /disk01/home/RepositoryName
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> </Location>
>
> I have defined the LDAP Aliases in the very first repository configuration file; as such:
> <AuthnProviderAlias ldap ldap-FCGNET>
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword xxxxxxxxx
>         AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxxxxxxxxxx
>         AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
>
> >Second, it's hard to help troubleshoot when you don't provide useful
> >information or a direct question. Was there something you needed help
> >with? I didn't see any questions other than "Can someone lend a hand in
> >figuring out what I have done wrong, or need to do?"
>
> I think that I have 2 separate issues:
> 1. I need to lock down access so that only the users in the associated AD group have access to the repository.
> 2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.
>
> Right now, all valid users can access all repositories, whether they are members of the Active Directory group or not.
> When I remove the "Require valid-user" line then no one, including the members of the Active Directory group, can access the repository.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
> From: opensrcguru <opensrcguru_at_gmail.com>
> To: users_at_subversion.apache.org
> Date: 11/09/2010 02:12 PM
> Subject: Re: locking down access to a repository
> ________________________________
>
>
> On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss <pmoss4_at_csc.com> wrote:
>
> I appreciate all of the help that I am receiving. I have still not been successful in resolving this.
>
> I removed the line:
> Require valid-user
>
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: kmradke_at_rockwellcollins.com
> To: Patricia A Moss/USA/CSC_at_CSC
> Cc: users_at_subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
>
> ________________________________
>
>
> Patricia A Moss <pmoss4_at_csc.com> wrote on 11/09/2010 09:41:42 AM:
>
> > From: Patricia A Moss <pmoss4_at_csc.com>
> > To: kmradke_at_rockwellcollins.com
> > Cc: users_at_subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> >
> > >I don't think you want the "Require valid-user" line, since by
> > >default it uses ANY of the Require lines as matches.  (And in your
> > >case valid-user matches all users so it doesn't care you are also
> > >specifying a group and a user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove the
> objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>
>  AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
>  AuthLDAPGroupAttribute member
>  Require ldap-group ...
>
> It has been quite a while since I used ldap groups instead of authz files...
>
> This first google hit has some examples:
>
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
>
> As does this one:
>
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
>
> Kevin R.
>
>
> Although this is probably better suited for the apache/mod_ldap list, I'll attempt to help.
>
> Do your domain controllers support unencrypted binds (very dangerous)?
> Can you supply any apache/AD debug logs?
> Can you supply versions of apache/mod_ldap?
> Can you describe anything that is known to be working?
>
>
> ...this should be pretty straightforward to troubleshoot if you give us some useful information to work with.
>
> I speak without a full understanding of the list's user base, but I bet none of them can or ever will be able to read the minds of the end user with a problem (let alone know how their systems are configured). If there is such a wonderful beasty, I'd be mighty interested in meeting them.
>
>
>
> /OSG
>

I figured it out. You can't (or refuse to) read. Quit your job and
apply at Wal-Mart as a greeter.

If by some stroke of faith you decide or learn to read, visit the
following URLs and read the documentation. The developers spend
countless hours writing that stuff to help users understand how to use
the applications they create.

http://httpd.apache.org/docs/trunk/mod/mod_ldap.html
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
http://svnbook.red-bean.com/nightly/en/svn-book.html

Pardon my levity, but I've twice asked for simple pieces of
information to aid in the troubleshooting process and you've refused
to help.

/OSG
Received on 2010-11-09 21:05:07 CET
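The point Kevin raises in the quoted thread, that under Apache 2.2 every `Require` line in a `<Location>` is a separate, sufficient condition, so `Require valid-user` silently opens the repository to everyone who can authenticate, is shown below as the weak block next to a restricted one. This is an added example, not configuration from the thread; the repository path, domain, group DN and user name are placeholders, and the `ldap-FCGNET` provider alias is assumed to be defined elsewhere as in Patricia's message.

```apache
# Added example (Apache 2.2 mod_authnz_ldap). Placeholders: RepositoryName,
# example.com, CN=SvnTeam, pmoss. Provider alias ldap-FCGNET defined elsewhere.

# --- Weak form: three independent Require lines, any one of which grants ---
# "Require valid-user" matches every user who authenticated against LDAP,
# so the group and user lines below never restrict anything. This is the
# "all valid users can access all repositories" symptom.
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=SvnTeam,OU=Groups,DC=example,DC=com
    Require ldap-user pmoss
</Location>

# --- Restricted form: drop valid-user; keep only the AD group OR the admin ---
# AD stores group membership as full member DNs in the "member" attribute,
# so tell mod_authnz_ldap to compare DNs against that attribute. Keeping
# LDAP authorization authoritative makes a failed group check a final deny
# instead of falling through to other authz modules.
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET
    AuthName "CSC Subversion Repository"
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=SvnTeam,OU=Groups,DC=example,DC=com
    Require ldap-user pmoss
</Location>

# On Apache 2.4 the OR is written explicitly and AuthzLDAPAuthoritative
# no longer exists; the equivalent authorization block is:
#
#   <RequireAny>
#       Require ldap-group CN=SvnTeam,OU=Groups,DC=example,DC=com
#       Require ldap-user pmoss
#   </RequireAny>
```

After changing the block, test with one account inside the group, one outside it, and the named admin account, and confirm in the Apache error log (LogLevel debug) that the outside account is rejected at the group check rather than at the bind.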

This is an archived mail posted to the Subversion Users mailing list.
