[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: "require group" & LDAP Authentication

From: <hkatz_at_iscs-i.com>
Date: 2005-07-13 17:30:18 CEST

Quoting Adam <techy4hire@yahoo.com>:

> Here is my setup (which works):

Adam,

Thanks for the config. I had figured out that I had been foiled by quoting
the spec after the require group and been overridden by specifying the
mod_authz_svn access file as well.

Henry
>
> # We will use OpenLDAP Authentication
> AuthName "T3 Subversion Repositories"
> AuthType Basic
> AuthLDAPAuthoritative on
> AuthLDAPEnabled on
> AuthLDAPGroupAttributeIsDN on
> AuthLDAPGroupAttribute memberUid
> AuthLDAPUrl
> ldap://localhost:389/ou=users,o=COMPANY?uid
>
> # Only system administrators need access here.
> Require group cn=system-admins, ou=groups, o=COMPANY
>
> To give you an idea of what my LDAP directory looks
> like (very simple), here is a group entry:
>
> #################################################################
> # Create the system-admins objectClass: posixGroup
> #################################################################
> dn: cn=system-admins,ou=groups,o=COMPANY
> objectClass: posixGroup
> objectClass: top
> cn: system-admins
> gidNumber: 300
> description: This group will have privs to access
> system config repos.
> memberUid: uid=FIRST.LAST,ou=users,o=COMPANY
>
>
>
> --- hkatz@iscs-i.com wrote:
>
>> Hello,
>> Has anyone successfully gotten the require group
>> directive to work against
>> an LDAP URL using the config file setup under
>> apache2? Something like this:
>>
>> AuthLDAPUrl
>>
> "ldap://mx.foo.com:1389/dc=foo,dc=com?uid?sub?(objectCla
>> ss=*)"
>> AuthLDAPGroupAttributeIsDN On
>> AuthLDAPGroupAttribute member
>> AuthLDAPGroupAttribute uniquemember
>> #Require valid-user
>> Require group "cn=foo Portal
>> AD,ou=Groups,ou=Pr,dc=foo,dc=com"
>>
>> When I try to connect it allows anyone access even
>> those not in the group.
>>
>> Strace on the pid suggests that no group info is
>> sent upon apache2 startup
>> or upon the http request. Any successes out there?
>>
>> Thanks,
>> Henry
>>
>>
>>
> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> users-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail:
>> users-help@subversion.tigris.org
>>
>>
>
>
> ===== START SIGNATURE =====
> Kites rise highest against the wind -- not with it.
> -- Winston Churchill
>
> It is better to be hated for what you are than loved for what you are not.
> - Andre Gide
>
> If you always do what you've always done you'll always be where
> you've always been.
> -- Bill Purvis;
> http://www.cascadehills.com/events/sermons.asp
>
> Blog: http://blogs.whyaskwhy.org/deoren/
> ===== END SIGNATURE =====
>
>
>
> ____________________________________________________
> Sell on Yahoo! Auctions – no fees. Bid on great items.
> http://auctions.yahoo.com/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 13 17:32:22 2005

This is an archived mail posted to the Subversion Users mailing list.