Hi Mehrdad,
If you use the SSPI module without any SVNaccessfile everybody who has a
domain account will have full rights on all repositories. So you need an
accessfile to regulate the rights.
Using the LDAP directive is a little bit harder to configure. On a Linux
server it could look like this:
<Location /SVN>
DAV svn
SVNParentPath "/var/SVN/"
SVNListParentPath on
Order allow,deny
Allow from all
SSLRequireSSL
SVNIndexXSLT "/svnindex.xsl"
# LDAP Authentication & Authorization is final; do not check other databases
AuthzLDAPAuthoritative on
# Do basic password authentication in the clear
AuthType Basic
AuthBasicAuthoritative off
AuthBasicProvider ldap
# The name of the protected area or "realm"
AuthName "Subversion Repository"
# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# The URL below will search for all objects recursively below the basedn
# and validate against the sAMAccountName attribute
AuthLDAPURL "ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account
AuthLDAPBindDN "cn=SubversionLDAPUser,ou=users,ou=accounts,dc=domain,dc=com"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword "PASSWORD"
# Authorization file which handles access rights
AuthzSVNAccessFile /etc/Subversion/svnaccessfile.conf
# Require authentication for this Location
Require valid-user
</Location>
Kind regards
Robin Güldenpfennig
From: "Mehrdad Sadri" <Mehrdad.Sadri_at_mscsoftware.com>
Date: 29.01.2009 20:53
To: <Robin.Gueldenpfennig_at_enercon.de>
Cc: <users_at_subversion.tigris.org>
Subject: RE: Antwort: Subversion 1.5.5 LDAP Authentication
Hi Robin,
This method is using SSPI, and I set it up the way you asked me to. I put
in all the directives in the httpd.conf and I am able to log in and see the
repositories in svn. However, I am not sure if it is doing any authentication
at all. I commented out the line
"# AuthzSVNAccessFile "C:/Apache2.2/conf/svn-authz.conf"" and I am still
able to log in. For that matter I think anyone can log in. It seems like there
is no authorization required even though I have "Require valid-user"?
Secondly, I am not so much interested in getting the SSPI method to work. I
am interested in getting the following method to work with SSL; see below.
<Location /svn/>
DAV svn
SVNListParentPath on
SVNParentPath D:/svnrepos/
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldapserver.orbit.com:3268/DC=orbit,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=Users,dc=orbit,dc=com"
AuthLDAPBindPassword ldapasswd
require valid-user
</Location>
Also, in the attached files you sent me you have one method described, but
in your email you have another.
Which is the preferred method? Which method works?
I have searched all over the documentation for Apache, and I am still not able to
get LDAP to work properly.
Any help would be greatly appreciated.
Thanks in advance!
Mehrdad Sadri
MSC.Software Corp.
M:(949)306-7575
W:(714)445-3136
>-----Original Message-----
>From: Robin.Gueldenpfennig_at_enercon.de [mailto:Robin.Gueldenpfennig_at_enercon.de]
>Sent: Tuesday, January 27, 2009 11:51 PM
>To: Mehrdad Sadri
>Cc: users_at_subversion.tigris.org
>Subject: Antwort: Subversion 1.5.5 LDAP Authentication
>
>
>Hi!
>
>Please exclude httpd-ssl.conf and put this into your httpd.conf:
>
>Listen 443
>
><Location /SVN_ROOT>
> DAV svn
> SVNParentPath D:\svnrepos\
> SVNListParentPath on
>
> SSLRequireSSL
>
> AuthName "Subversion Repositories"
>
>##Authentication via ENERCON Windows Domain
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain orbit
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth off
> SSPIOfferBasic On
>
>##Authorization file which handles access rights; in this file you can insert the
>##Windows Domain user names and their rights for the repositories
> AuthzSVNAccessFile conf/svnaccessfile.conf
>
>
> Require valid-user
></Location>
>
>
>
>##SSL Authentication module
><IfModule ssl_module>
> SSLMutex default
> SSLRandomSeed startup builtin
> SSLSessionCache none
>
>##The following creates an SSL server which speaks only the SSLv3 protocol and
>##its ciphers
> SSLProtocol -all +SSLv3
> SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+LOW:+EXP
></IfModule>
>
>CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>CustomLog logs/svn_logfile.log "%t %u %U %{SVN-ACTION}e" env=SVN-ACTION
>
><VirtualHost *:443>
> SSLEngine On
> SSLCertificateFile conf/ssl/sslcert.crt
> SSLCertificateKeyFile conf/ssl/sslkey.key
></VirtualHost>
>
>If this works you can modify it for matching your needs...
>
>Kind regards
>Robin Güldenpfennig
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Robin Güldenpfennig
>Service IT / SCADA Department
>
>ENERCON Service Center
>Dornumer Straße 20
>26607 Aurich / Germany
>
>mailto:Robin.Gueldenpfennig_at_enercon.de
>http://www.enercon.de
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>From: Mehrdad Sadri <mehrdad.sadri_at_mscsoftware.com>
>Date: 27.01.2009 22:50
>To: users_at_subversion.tigris.org
>Subject: Subversion 1.5.5 LDAP Authentication
>
>I have installed Subversion 1.5.5 and Apache 2.2.11 with OpenSSL. I am able to
>log in and access Subversion repositories fine.
>However, I would like to change my authentication method now and use our Windows
>2003 AD (LDAP) for authentication.
>I have spent several days and googled it, but I am still not able to get it to work.
>I have tried it with SSL and without, but no luck.
>
>Attached is my httpd.conf and httpd-ssl.conf.
>
>I would appreciate any help.
>
>Regards!
>
>Mehrdad Sadri, Process Consulting - Support, Tel: (714)445-3136, Fax: (714)784-4420, Mobile: (949)306-7575
>MSC Software Corporation, 2 MacArthur Place, Santa Ana, CA 92707
> (See attached file: httpd.conf)(See attached file: httpd-ssl.conf)
(See attached file: httpd.conf)(See attached file: httpd-ssl.conf)
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1096959
Received on 2009-02-03 15:33:20 CET
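
A small checker for the gap this thread turns on: "Require valid-user" only authenticates, so without AuthzSVNAccessFile every account that can log in reaches every repository. This is an added example, not code from either poster; the audit function and its finding names are made up here, and the two sample blocks are re-typed from the thread. It only looks at directives inside each <Location> block, so SSL enforced at the VirtualHost level or a server-wide LDAP TLS setting is not seen.

```python
import re

# Mehrdad's LDAP block from the thread, re-typed here as sample input.
MEHRDAD = '''
<Location /svn/>
  DAV svn
  SVNParentPath D:/svnrepos/
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldapserver.orbit.com:3268/DC=orbit,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
  require valid-user
</Location>
'''

# Robin's Linux block, reduced to the directives the checks look at.
ROBIN = '''
<Location /SVN>
  DAV svn
  SVNParentPath "/var/SVN/"
  SSLRequireSSL
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthzSVNAccessFile /etc/Subversion/svnaccessfile.conf
  Require valid-user
</Location>
'''

def audit(conf):
    """Return {location: [finding codes]} for every <Location> block in conf."""
    report = {}
    for path, body in re.findall(r'<Location\s+([^>]+)>(.*?)</Location>', conf, re.S | re.I):
        d = {}  # directive name (lower-cased) -> argument string
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#'):
                name, *rest = line.split(None, 1)
                d[name.lower()] = rest[0].strip() if rest else ''
        found = []
        if 'dav' in d and 'require' in d and 'authzsvnaccessfile' not in d:
            found.append('NO_AUTHZ_FILE')      # any authenticated account gets every repository
        if d.get('authtype', '').lower() == 'basic' and 'sslrequiressl' not in d:
            found.append('BASIC_WITHOUT_SSL')  # password crosses the wire base64-encoded only
        url = d.get('authldapurl', '').lower()
        if url.strip('"').startswith('ldap://') and not url.endswith(('tls', 'ssl')):
            found.append('LDAP_CLEARTEXT')     # heuristic: bind to the directory is not encrypted
        report[path.strip()] = found
    return report
```
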