Re: Subversion using apache and ldap

On Thu, 10 May 2007, Brent Kiley wrote:

> Thanks for the response. This may sound like a stupid question, how does it
> know where to obtain the password from? Is it possible that this is my
> problem? I want it authenticated based on uid so I think my query string is
> alright.

The LDAP bind parameters are only necessary if you're authenticating
against a directory server (like MS Active Directory) that doesn't allow
anonymous queries. I'm not sure if this is your problem, but it might be.
It depends on how your LDAP server is configured. Where the BindDN and
BindPassword comes from is you. You should create/use a service user
(i.e., not a person) account with very very limited permissions for this
if necessary.

To see if what the user typed into the browser for their username and
password is correct, mod_authnz_ldap first searches (search phase) for an
entry matching the supplied username in the directory. If BindDN and
BindPassword are given, it uses these to log into the directory for this
phase. If not, then an anonymous search is tried. If an entry is found,
it then tries to "bind" (bind phase) using the DN of the entry found
during the search phase and the supplied password. If this succeeds, then
the user has been authenticated. [1]

There is still the authorization phase though, which is where your problem
could be. Check all your logs again (auth_log, error_log, access_log,
etc.).

Also, take all the Limit and other directives out of there and come up
with the most simple test case you can think of, which probably means
getting this working first with some textfiles and a temporary directory
instead of subversion. Also ldapsearch from the command line will help.

[1] http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#operation

-- 
Kyle George
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org