I did have to do a bit of tinkering to get the LDAP authentication to
work properly. I would appreciate it if you could share what worked
for you, as well. Here's what I came up with that works (aside from
the first commit failing):
<Location /svn>
    DAV svn
    SVNParentPath "//svrintranet01/RDrive/Subversion"
    SVNAutoversioning on
    SVNPathAuthz off
    # For any operations other than these, require an authenticated user.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        SetHandler ldap-status
        Order deny,allow
        Allow from all
        AuthLDAPEnabled on
        AuthLDAPURL ldap://svr-dc1/CN=Users,DC=mycompany,DC=com?sAMAccountName?sub?(Objectclass=user)
        AuthLDAPBindDN "CN=BrowserAccount,OU=Service Accounts,DC=mycompany,DC=com"
        AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXXXXXXX"
        AuthLDAPAuthoritative on
        require valid-user
        AuthType Basic
        AuthName "Subversion Read-only Repository"
    </LimitExcept>
</Location>
Thanks,
Brian
On Wed, 16 Mar 2005 23:33:40 -0500, Dominic Anello <danello@danky.com> wrote:
> On 2005-03-16 12:07:47 -0500, Brian Fohl wrote:
> > Thanks for the advice, Dominic. I am loading mod_authz_svn, but I
> > have "SVNPathAuthz off" in my Location tag, so I don't know if that
> > matters. Here's the error I'm getting in the log:
> >
> > [Wed Mar 16 11:46:47 2005] [warn] [client 10.0.0.144] [972] auth_ldap
> > authenticate: user firstname.lastname authentication failed; URI
> > /svn/repo/!svn/act/5fb8bcac-3621-e84f-910d-ed334639c888 [LDAP:
> > ldap_simple_bind_s() failed][Unavailable]
> ----8<----
>
> Well, the man page for ldap_error has this in it:
> LDAP_UNAVAILABLE The DSA is unavailable.
>
> Not exactly helpful. DSA is directory server agent, which I guess is
> the AD server in this case.
>
> I poked around a little bit and it seems like this error can be related
> to the ldap client being unable to negotiate an authentication protocol
> with the server. Did you compile mod_ldap with SSL enabled? I think I
> read somewhere that by default AD only accepts encrypted requests.
>
> The only other thing I can think of is maybe there is something wrong
> with your AuthLDAP parameters? I can post what worked for me tomorrow
> if you'd like.
>
> Again, don't take any of this as gospel, I just set up my configuration
> using an Apache/AD/LDAP recipe I found online.
>
> --
> I've been told that to get what you want
> You just gotta give what you can.
> But I know for what I want -- it don't come easy as that.
Received on Thu Mar 17 14:52:11 2005
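
Added example, not part of the original thread or of any project's code: a small triage script for the auth_ldap warning quoted above. It separates bind failures where the directory itself refused or could not be reached (the [Unavailable] case) from all other bind failures, so a server or transport problem is not mistaken for a bad password. The DIRECTORY_SIDE set and the second and third sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Shape of the auth_ldap warning quoted in the thread, as one physical log line.
AUTH_LDAP_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"\[(?P<pid>\d+)\] auth_ldap authenticate: user (?P<user>\S+) "
    r"authentication failed; URI (?P<uri>\S+) "
    r"\[LDAP: (?P<call>[^\]]+) failed\]\[(?P<result>[^\]]+)\]$"
)

# Assumption: result strings that point at the directory or the connection
# to it rather than at the user's password. Extend for your LDAP SDK.
DIRECTORY_SIDE = {"unavailable", "can't contact ldap server"}


def parse_line(line):
    """Return the fields of one auth_ldap failure line, or None if no match."""
    m = AUTH_LDAP_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Count failures per (LDAP call, result), split by likely cause."""
    summary = {"directory": Counter(), "other": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        side = "directory" if rec["result"].lower() in DIRECTORY_SIDE else "other"
        summary[side][(rec["call"], rec["result"])] += 1
    return summary


SAMPLE_LOG = [
    # From the thread, rejoined onto one line.
    "[Wed Mar 16 11:46:47 2005] [warn] [client 10.0.0.144] [972] auth_ldap "
    "authenticate: user firstname.lastname authentication failed; URI "
    "/svn/repo/!svn/act/5fb8bcac-3621-e84f-910d-ed334639c888 "
    "[LDAP: ldap_simple_bind_s() failed][Unavailable]",
    # Constructed: a wrong-password failure for comparison.
    "[Wed Mar 16 11:50:02 2005] [warn] [client 10.0.0.145] [972] auth_ldap "
    "authenticate: user other.user authentication failed; URI /svn/repo "
    "[LDAP: ldap_simple_bind_s() failed][Invalid Credentials]",
    # Constructed: an unrelated error-log line the parser should skip.
    "[Wed Mar 16 11:51:00 2005] [notice] Child 972: Starting 250 worker threads.",
]

if __name__ == "__main__":
    for side, value in triage(SAMPLE_LOG).items():
        print(side, dict(value) if isinstance(value, Counter) else value)
```
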