I'm unable to get SVN properly configured with Apache 2.2.6 (from the
binary distribution) to connect to an ApacheDS 1.0.2 server via LDAP.
However, I'm fairly confident I've got the settings in my httpd.conf
file correct. Here is the entry with the necessary directives (Note that
the authentication was working fine with file-based authentication
before I replaced it with the LDAP authentication config directives):
<Location /repos>
DAV svn
SVNPath C:/svn-win32-1.4.5/repository
AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repository"
AuthLDAPURL
"ldap://127.0.0.1/ou=users,ou=system?uid?one?(objectClass=*)"
Require valid-user
</Location>
And this is what it is producing in the log file with Apache set to
DEBUG level logging. Everything looks OK up until the last two lines.
Also note that my AuthLDAPURL is parsed correclty:
[Tue Nov 20 17:29:46 2007] [notice] Parent: Received restart signal --
Restarting the server.
[Tue Nov 20 17:29:46 2007] [debug] util_ldap.c(1701): LDAP: SSL trusted
mode - NONE
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(876): [4716]
auth_ldap url parse:
`ldap://127.0.0.1/ou=users,ou=system?uid?one?(objectClass=*)'
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(885): [4716]
auth_ldap url parse: Host: 127.0.0.1
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(887): [4716]
auth_ldap url parse: Port: 389
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(889): [4716]
auth_ldap url parse: DN: ou=users,ou=system
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(891): [4716]
auth_ldap url parse: attrib: uid
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(893): [4716]
auth_ldap url parse: scope: onelevel
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(898): [4716]
auth_ldap url parse: filter: (objectClass=*)
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(978): LDAP:
auth_ldap not using SSL connections
[Tue Nov 20 17:29:46 2007] [info] APR LDAP: Built with Microsoft
Corporation. LDAP SDK
[Tue Nov 20 17:29:46 2007] [info] LDAP: SSL support unavailable: LDAP:
CA certificates cannot be set using this method, as they are stored in
the registry instead.
[Tue Nov 20 17:29:46 2007] [notice] Apache/2.2.6 (Win32) SVN/1.4.5 DAV/2
configured -- resuming normal operations
[Tue Nov 20 17:29:46 2007] [notice] Server built: Sep 5 2007 08:58:56
[Tue Nov 20 17:29:46 2007] [notice] Parent: Created child process 4672
[Tue Nov 20 17:29:46 2007] [debug] mpm_winnt.c(487): Parent: Sent the
scoreboard to the child
[Tue Nov 20 17:29:46 2007] [debug] util_ldap.c(1701): LDAP: SSL trusted
mode - NONE
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(876): [4672]
auth_ldap url parse:
`ldap://127.0.0.1/ou=users,ou=system?uid?one?(objectClass=*)'
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(885): [4672]
auth_ldap url parse: Host: 127.0.0.1
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(887): [4672]
auth_ldap url parse: Port: 389
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(889): [4672]
auth_ldap url parse: DN: ou=users,ou=system
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(891): [4672]
auth_ldap url parse: attrib: uid
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(893): [4672]
auth_ldap url parse: scope: onelevel
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(898): [4672]
auth_ldap url parse: filter: (objectClass=*)
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(978): LDAP:
auth_ldap not using SSL connections
[Tue Nov 20 17:29:46 2007] [debug] util_ldap.c(1701): LDAP: SSL trusted
mode - NONE
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(876): [4672]
auth_ldap url parse:
`ldap://127.0.0.1/ou=users,ou=system?uid?one?(objectClass=*)'
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(885): [4672]
auth_ldap url parse: Host: 127.0.0.1
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(887): [4672]
auth_ldap url parse: Port: 389
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(889): [4672]
auth_ldap url parse: DN: ou=users,ou=system
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(891): [4672]
auth_ldap url parse: attrib: uid
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(893): [4672]
auth_ldap url parse: scope: onelevel
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(898): [4672]
auth_ldap url parse: filter: (objectClass=*)
[Tue Nov 20 17:29:46 2007] [debug] mod_authnz_ldap.c(978): LDAP:
auth_ldap not using SSL connections
[Tue Nov 20 17:29:46 2007] [info] APR LDAP: Built with Microsoft
Corporation. LDAP SDK
[Tue Nov 20 17:29:46 2007] [info] LDAP: SSL support unavailable: LDAP:
CA certificates cannot be set using this method, as they are stored in
the registry instead.
[Tue Nov 20 17:29:46 2007] [notice] Child 4672: Child process is running
[Tue Nov 20 17:29:46 2007] [info] Parent: Duplicating socket 196 and
sending it to child process 4672
[Tue Nov 20 17:29:46 2007] [debug] mpm_winnt.c(408): Child 4672:
Retrieved our scoreboard from the parent.
[Tue Nov 20 17:29:46 2007] [debug] mpm_winnt.c(605): Parent: Sent 1
listeners to child 4672
[Tue Nov 20 17:29:46 2007] [debug] mpm_winnt.c(564): Child 4672:
retrieved 1 listeners from parent
[Tue Nov 20 17:29:46 2007] [info] Child 5080: Accept thread exiting.
[Tue Nov 20 17:29:47 2007] [notice] Child 5080: Released the start mutex
[Tue Nov 20 17:29:47 2007] [info] Child 5080: 250 threads blocked on the
completion port
[Tue Nov 20 17:29:47 2007] [notice] Child 4672: Acquired the start
mutex.
[Tue Nov 20 17:29:47 2007] [notice] Child 4672: Starting 250 worker
threads.
[Tue Nov 20 17:29:47 2007] [notice] Child 4672: Starting thread to
listen on port 80.
[Tue Nov 20 17:29:48 2007] [notice] Child 5080: Waiting for 250 worker
threads to exit.
[Tue Nov 20 17:29:48 2007] [notice] Child 5080: All worker threads have
exited.
[Tue Nov 20 17:29:48 2007] [notice] Child 5080: Child process is exiting
[Tue Nov 20 17:30:34 2007] [debug] mod_authnz_ldap.c(376): [client
127.0.0.1] [4672] auth_ldap authenticate: using URL
ldap://127.0.0.1/ou=users,ou=system?uid?one?(objectClass=*)
[Tue Nov 20 17:30:34 2007] [warn] [client 127.0.0.1] [4672] auth_ldap
authenticate: user test authentication failed; URI /repos
[ldap_search_ext_s() for user failed][Unavailable]
Also, I've checked that my URL is good. If a break it down into it's
component parts I can enter it into my LDAP browser and it executes
fine. I can do this over an anonymous connections just like Apache would
be using with this configuration.
I've played with many variations of this configuration, including trying
to connect to a different Apache DS server on a different machine and
port, trying to connect with a specific DN using the AuthLDAPBindDN and
AuthLDAPBindPassword directives, trying by explicitely including the
port, excluding the optional filters in the URL, etc., but all to no
avail. The one thing I did where I got it to behave slightly differently
was upon connecting to a different type of directory server. Since
ApacheDS isn't officially supported I thought it might be the issue, and
thus tested connecting to an OpenLDAP implementation by updating the
directive:
AuthLDAPURL
ldap://ldap.openldap.org/ou=People,dc=OpenLDAP,dc=org?uid?sub?(objectCla
ss=*)
Which resulting in the following in the Apache debug log:
[Tue Nov 20 14:45:26 2007] [debug] mod_authnz_ldap.c(376): [client
127.0.0.1] [5080] auth_ldap authenticate: using URL
ldap://ldap.openldap.org/ou=People,dc=OpenLDAP,dc=org?uid?sub?(objectCla
ss=*)
[Tue Nov 20 14:45:26 2007] [warn] [client 127.0.0.1] [5080] auth_ldap
authenticate: user hyc authentication failed; URI /repos
[ldap_search_ext_s() for user failed][Protocol Error]
The only difference here is the error reason is identified as "Protocol
Error", rather than "Unavailable".
I've thoroughly scoured the internet, mailing lists for both SVN and
Apache, the CollabNet SVN blog entry
http://blogs.open.collab.net/svn/2007/03/subversion_ldap.html, etc. The
closest thing I could find to a related issue was this:
http://issues.apache.org/bugzilla/show_bug.cgi?id=43577
However, if this were the problem I would have expected it to be
resolved by connecting to OpenLDAP or by setting the directive
LDAPTrustedMode NONE
, neither of which resolved the issue.
If anyone has any ideas or tips about how to resolve this, please let me
know. Thanks
Ryan C
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message.
Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. [v.E.1]
Received on Wed Nov 21 03:10:11 2007