
Re: Subversion using apache and ldap

From: Brent Kiley <bkiley_at_gmail.com>
Date: 2007-05-10 22:50:57 CEST

Hi Kyle,

I got it to work, although what finally worked does not make sense to me.
I simply set LDAPAuthoritative to no and it works without any problems.

Thanks for the help.


On 5/10/07, Kyle George <kgeorge@tcpsoft.com> wrote:
> On Thu, 10 May 2007, Brent Kiley wrote:
> > Thanks for the response. This may sound like a stupid question, how does it
> > know where to obtain the password from? Is it possible that this is my
> > problem? I want it authenticated based on uid so I think my query string is
> > alright.
> The LDAP bind parameters are only necessary if you're authenticating
> against a directory server (like MS Active Directory) that doesn't allow
> anonymous queries. I'm not sure if this is your problem, but it might be.
> It depends on how your LDAP server is configured. Where the BindDN and
> BindPassword come from is you. You should create/use a service user
> (i.e., not a person) account with very very limited permissions for this
> if necessary.
> To see if what the user typed into the browser for their username and
> password is correct, mod_authnz_ldap first searches (search phase) for an
> entry matching the supplied username in the directory. If BindDN and
> BindPassword are given, it uses these to log into the directory for this
> phase. If not, then an anonymous search is tried. If an entry is found,
> it then tries to "bind" (bind phase) using the DN of the entry found
> during the search phase and the supplied password. If this succeeds, then
> the user has been authenticated. [1]
> There is still the authorization phase though, which is where your problem
> could be. Check all your logs again (auth_log, error_log, access_log,
> etc.).
> Also, take all the Limit and other directives out of there and come up
> with the most simple test case you can think of, which probably means
> getting this working first with some textfiles and a temporary directory
> instead of subversion. Also ldapsearch from the command line will help.
> [1] http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#operation
> --
> Kyle George
Received on Thu May 10 22:51:18 2007
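
Added example, not part of the original thread: a minimal test case of the kind suggested above (a temporary directory instead of Subversion), annotated with the search, bind and authorization phases. It assumes Apache 2.2, the version of the linked documentation, where the authoritative switch is spelled `AuthzLDAPAuthoritative`; the host name, DNs, password and paths are constructed placeholders.

```apache
# Constructed test configuration for Apache 2.2; all names below are placeholders.
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule authz_user_module   modules/mod_authz_user.so

# Server level: log each phase to error_log while testing, then lower it again.
LogLevel debug

Alias /ldaptest /tmp/ldaptest
<Directory /tmp/ldaptest>
    Order allow,deny
    Allow from all

    AuthType Basic
    AuthName "LDAP test"
    AuthBasicProvider ldap

    # Search phase: base DN ? attribute matched against the typed username
    # ? scope ? filter. Prefer ldaps:// outside a lab, because the user's
    # password is sent to the directory during the bind phase.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=*)"

    # Only needed when the directory refuses anonymous searches.
    # Use a service account that can read the search base and nothing else,
    # and keep this file readable only by root: the password is stored in clear.
    AuthLDAPBindDN "cn=svc-apache,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # Bind phase: no directive. The module re-binds as the DN found by the
    # search, using the password the user typed.

    # Authorization phase: "valid-user" is evaluated by mod_authz_user, so
    # mod_authnz_ldap must be allowed to pass the decision on. With the
    # default "on", use an LDAP requirement instead (Require ldap-user or
    # Require ldap-group).
    AuthzLDAPAuthoritative off
    Require valid-user
</Directory>
```

With the authoritative setting off, any other authorization module loaded for this location also gets a say, so keep the set of `Require` lines and loaded authz modules as small as the test case allows.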

This is an archived mail posted to the Subversion Users mailing list.
