RE: Antwort: Subversion 1.5.5 LDAP Authentication

From: Bolstridge, Andrew <andy.bolstridge_at_intergraph.com>
Date: Fri, 30 Jan 2009 08:56:54 -0000

Are you sure that
AuthzLDAPAuthoritative off
is correct - this means that a failure in LDAP authentication will still try alternative login mechanisms, and its possible you're being authenticated against them instead.

AuthLDAPBindDN "CN=Users,dc=orbit,dc=com"
And is this correct? You need a CN to bind to, but "Users" doesn't sound right.

Lastly, I authenticate against the standard ldap port in my search url, not the global catalog. You might want to change the port number.

Andy

-----Original Message-----
From: Mehrdad Sadri [mailto:mehrdad.sadri_at_mscsoftware.com]
Sent: Thursday, January 29, 2009 7:53 PM
To: Robin.Gueldenpfennig_at_enercon.de
Cc: users_at_subversion.tigris.org
Subject: RE: Antwort: Subversion 1.5.5 LDAP Authentication

Hi Robin,

This method is using SSPI, and I set it up the way you asked me to. I put in all the directives in the httpd.conf and I am able to log-in and see the repositories in svn. However, I am not sure if is doing any authentication at all. I commented out the line " # AuthzSVNAccessFile "C:/Apache2.2/conf/svn-authz.conf"" and I am still AVABLE to login. For that matter I think anyone can login. Seems like there is no authorization required even though I have " Require valid-user"?????

Secondly, I am not so much interested in getting the SSPI method to work. I am interested in getting The following method to work with SSL; see below.

<Location /svn/>
  DAV svn
  SVNListParentPath on
  SVNParentPath D:/svnrepos/
  AuthName "Subversion Repository"
  AuthBasicProvider ldap
  AuthType Basic
  AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldapserver.orbit.com:3268/DC=orbit,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=Users,dc=orbit,dc=com"
        AuthLDAPBindPassword ldapasswd

        require valid-user

</Location>

Also, in the attached files you send me you have method described and but in your email you have another.
Which is a preferred method? Which method works?
I have searched all over the documentation for Apache, still not able to get the LDAP work properly.

Any help would be greatly appreciated.

Thanks in advance!

Mehrdad Sadri
MSC.Software Corp.
M:(949)306-7575
W:(714)445-3136

>-----Original Message-----
>From: Robin.Gueldenpfennig_at_enercon.de
>[mailto:Robin.Gueldenpfennig_at_enercon.de]
>Sent: Tuesday, January 27, 2009 11:51 PM
>To: Mehrdad Sadri
>Cc: users_at_subversion.tigris.org
>Subject: Antwort: Subversion 1.5.5 LDAP Authentication
>
>
>Hi!
>
>Please exclude httpd-ssl.conf and put this into your httpd.conf:
>
>Listen 443
>
><Location /SVN_ROOT>
> DAV svn
> SVNParentPath D:\svnrepos\
> SVNListParentPath on
>
> SSLRequireSSL
>
> AuthName "Subversion Repositories"
>
>##Authentication via ENERCON Windows Domain
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain orbit
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth off
> SSPIOfferBasic On
>
>##Authorization file which handles access rights
> AuthzSVNAccessFile conf/svnaccessfile.conf ## in this file you can
>insert the Windows Domain user names and their rights for the
>repositories
>
>
> Require valid-user
></Location>
>
>
>
>##SSL Authentication module
><IfModule ssl_module>
> SSLMutex default
> SSLRandomSeed startup builtin
> SSLSessionCache none
>
>##The following creates an SSL server which speaks only the SSLv3
>protocol and its ciphers
> SSLProtocol -all +SSLv3
> SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+LOW:+EXP </IfModule>
>
>CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\"
>%b"
>CustomLog logs/svn_logfile.log "%t %u %U %{SVN-ACTION}e" env=SVN-ACTION
>
><VirtualHost *:443>
> SSLEngine On
> SSLCertificateFile conf/ssl/sslcert.crt
> SSLCertificateKeyFile conf/ssl/sslkey.key </VirtualHost>
>
>If this works you can modify it for matching your needs...
>
>Mit freundlichen Grüßen
>Robin Güldenpfennig
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Robin Güldenpfennig
>Service IT / SCADA Department
>
>ENERCON Service Center
>Dornumer Straße 20
>26607 Aurich / Germany
>
>mailto:Robin.Gueldenpfennig_at_enercon.de
>http://www.enercon.de
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Diese E-Mail und mögliche Anhänge enthalten vertrauliche Informationen,
>die rechtlich besonders geschützt sein können. Wenn Sie nicht der
>beabsichtigte Empfänger bzw. Adressat dieser E-mail sind und diese
>E-Mail etwa aufgrund eines technischen Fehlers oder eines Versehens
>erhalten haben, informieren Sie uns bitte sofort und löschen Sie
>anschließend die E-Mail. Das unbefugte Kopieren dieser E-Mail, etwaiger
>Anhänge sowie die unbefugte Weitergabe der enthaltenen Informationen an Dritte ist nicht gestattet.
>
>This e-mail message together with its attachments, if any, is
>confidential and may contain information subject to legal privilege (e.g.
>attorney-client-privilege). If you are not the intended recipient or
>have received this e-mail in error, please inform us immediately and
>delete this message. Any unauthorised copying of this message (and
>attachments) or unauthorised distribution of the information contained herein is prohibited.
>
>
>
> Mehrdad Sadri
> <mehrdad.sadri_at_ms
> csoftware.com> An
> users_at_subversion.tigris.org
> 27.01.2009 22:50 Kopie
>
> Thema
> Subversion 1.5.5 LDAP
> Authentication
>
>
>
>
>
>
>
>
>
>
>I have Installed Subversion 1.5.5 and Apache 2.2.11 with OpenSSL. I am
>able to login and access Subversion repositories fine.
>However, I like to change my authentication method now and used our
>Windows
>2003 AD (LDAP) for authentication.
>I have spend several days and googled it, but still not able to get it to work.
>I have tried it with SSL and without, but no luck.
>
>Attached is my httpd.conf and httpd-ssl.conf.
>
>I would appreciate any help.
>
>Regards!
>
>***********************************************************************
>********
>************
>Mehrdad Sadri , Process Consulting -Support, Tel: (714)445-3136, Fax:
>(714)784-4420, Mobile: (949)306-7575
>MSC Software Corporation , 2 MacArthur Place, Santa Ana, CA 92707
>***********************************************************************
>********
>************
> (See attached file: httpd.conf)(See attached file: httpd-ssl.conf)

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1069978

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1073218

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-01-30 15:35:15 CET

This message: [ Message body ]
Next message: Johan Vogelzang: "Can we load a svn 1.5.0 dump into a 1.4.6 svn repository?"
Previous message: B. Boom: "SASL Problem: Could not obtain the list of SASL mechanisms"
In reply to: Mehrdad Sadri: "RE: Antwort: Subversion 1.5.5 LDAP Authentication"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]