
Re: LDAP

From: Christian Neumair <chris_at_gnome-de.org>
Date: 2006-09-11 23:22:56 CEST

On Monday, 11.09.2006, at 10:31 -0400, Snay, Marc wrote:
> Hi,
>
> I am a new subscriber to the mailing list, so please forgive me if
> this has been solved before…
>
> I am trying to configure my Subversion 1.3 running on Ubuntu 6.06 to
> use LDAP authentication. I have found a couple of sites through
> Google that offer how-to’s on this, but none of them have solved my
> problem yet. I have also run my configuration and resulting error
> message through our ‘LDAP gurus’ and all I get back is ‘sorry, I don’t
> know anything about Subversion’ or ‘sorry, I don’t know anything about
> DAV’.
>
> The error message I get is:
>
> [Mon Aug 21 15:08:41 2006] [warn] [client xxx.xxx.xxx.xxx] [18875]
> auth_ldap authenticate: user xxx authentication failed; URI
> /svn/!svn/act/4630029f-3bd4-b14f-9fe5-4bb880f9ebdf [LDAP:
> ldap_simple_bind_s() failed][Invalid credentials]
>
> Here is a snippet of my apache2 conf file that deals with setting up
> the /Location
>
> <Location /svn>
> DAV svn
> SVNPath /repository
> AuthType Basic
> Options Indexes FollowSymLinks
> AllowOverride None
> order allow,deny
> allow from all
> AuthName "SVN Repository"
> AuthLDAPURL "ldap://servername.company.com:389/"
> AuthLDAPBindDN "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
> AuthLDAPBindPassword "xxxxx"
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require valid-user
> </LimitExcept>
> </Location>
>
> My problem might be specific to my company in the CN and DC names, but
> I’ve run those by multiple people internally and they feel that all of
> that information is correct. Based on the ldap_simple_bind_s() error
> message, I’m not even sure it’s getting to that point before failing.

First of all, maybe you should add a

 Satisfy all

directive to ensure that nobody is granted access by the "access all"
directive without checking for the valid user auth.

Also ensure that the specified bind dn is really valid.
Your error message seems to be quite unambiguous, so the specified DN
does not exist. You may want to replace

  "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"

by

  "cn=authorized_user_name,ou=Users,dc=company_name,dc=com".

I've never checked back whether the "subkeys" are case-sensitive, the
"cn"=>"ou" change is probably the key point.

BTW: Assuming that you use simple auth, you can check the validity of
DNs using a dummy query like

  ldapsearch -x -D \
    "CN=authorized_user_name,CN=Users,DC=company_name,DC=com" -W

If you are in a replicated LDAP environment, a -h argument might also be
required.

Note that I've listed various pitfalls, while I strongly suppose the
"ou" issue is relevant here, but this email might serve as a good
reference for LDAP/SVN/Apache issues for mailing list archives.

-- 
Christian Neumair <chris@gnome-de.org>
Received on Mon Sep 11 23:24:42 2006
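
A small lint for the kind of `<Location>` block discussed in this thread, as an added example that is not part of the original mails or of any project's code. It reads the `AuthLDAPURL` in the layout `ldap://host:port/basedn?attribute?scope?filter` and reports which settings a reviewer would want to look at; the function names and finding ids are hypothetical, and the sample is constructed from the quoted configuration.

```python
import re

# Constructed sample: the <Location> block quoted in the thread, trimmed to
# the access and LDAP directives, with the wrapped AuthLDAPBindDN rejoined.
SAMPLE = """\
<Location /svn>
allow from all
AuthLDAPURL "ldap://servername.company.com:389/"
AuthLDAPBindDN "CN=authorized_user_name,CN=Users,DC=company_name,DC=com"
AuthLDAPBindPassword "xxxxx"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
"""

def parse_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict."""
    m = re.match(r"(ldaps?)://([^/]*)/?(.*)$", url, re.I)
    if not m:
        return None
    base, attr, scope, filt = (m.group(3).split("?") + [""] * 4)[:4]
    # Defaults below are the ones mod_auth_ldap documents for omitted fields.
    return {"scheme": m.group(1).lower(), "host": m.group(2), "base": base,
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": filt or "(objectClass=*)"}

def lint_location(conf):
    """Return {finding_id: detail} for one <Location> block (hypothetical ids)."""
    d, exempt, out = {}, [], {}
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"<LimitExcept\s+([^>]*)>", line, re.I)
        if m:
            exempt = m.group(1).split()      # methods that skip the Require
        elif line and line[0] not in "<#":
            name, _, value = line.partition(" ")
            d[name.lower()] = value.strip().strip('"')
    url = parse_ldap_url(d.get("authldapurl", ""))
    if url and not url["base"]:
        out["empty-base-dn"] = "no search base after host:port/"
    if url and url["scheme"] == "ldap":
        out["plain-ldap"] = "ldap:// scheme (not ldaps://)"
    if "authldapbindpassword" in d:
        out["bind-password-in-conf"] = "restrict read access to this file"
    if exempt:
        out["unauthenticated-methods"] = " ".join(exempt)
    if "satisfy" not in d:
        out["satisfy-not-explicit"] = "no Satisfy directive in the block"
    return out
```

Calling `lint_location(SAMPLE)` returns a dict keyed by finding id; an empty dict means none of these checks fired.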

This is an archived mail posted to the Subversion Users mailing list.
