
RE: Antwort: Subversion 1.5.5 LDAP Authentication

From: <Robin.Gueldenpfennig_at_enercon.de>
Date: Tue, 3 Feb 2009 15:32:22 +0100

Hi Mehrdad,

If you use the SSPI module without any SVNaccessfile, everybody who has a
domain account will have full rights on all repositories. So you need an
access file to regulate the rights.

Using the LDAP directive is a little bit harder to configure. On a Linux
server it could look like this:

<Location /SVN>
    DAV svn
    SVNParentPath "/var/SVN/"
    SVNListParentPath on
    Order allow,deny
    Allow from all

    SSLRequireSSL

    SVNIndexXSLT "/svnindex.xsl"

    # LDAP Authentication & Authorization is final; do not check other databases
    AuthzLDAPAuthoritative on

    # Do basic password authentication in the clear
    AuthType Basic
    AuthBasicAuthoritative off
    AuthBasicProvider ldap

    # The name of the protected area or "realm"
    AuthName "Subversion Repository"

    # The LDAP query URL
    # Format: scheme://host:port/basedn?attribute?scope?filter
    # The URL below will search for all objects recursively below the basedn
    # and validate against the sAMAccountName attribute
    AuthLDAPURL "ldap://ldap.domain.com:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"

    # Active Directory requires an authenticating DN to access records
    # This is the DN used to bind to the directory service
    # This is an Active Directory user account
    AuthLDAPBindDN "cn=SubversionLDAPUser,ou=users,ou=accounts,dc=domain,dc=com"

    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword "PASSWORD"

    # Authorization file which handles access rights
    AuthzSVNAccessFile /etc/Subversion/svnaccessfile.conf

    # Require authentication for this Location
    Require valid-user

</Location>

Kind regards
Robin Güldenpfennig
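
An added example, not part of the original mail and not code from the Subversion or Apache projects: a small audit of `<Location>` blocks for the gap discussed in this thread, where `Require valid-user` authenticates users but no `AuthzSVNAccessFile` limits what they may do. The function names and finding codes are hypothetical, and the sample input is constructed from the LDAP block quoted further down.

```python
import re
import shlex

TLS_MODES = {"SSL", "TLS", "STARTTLS"}
# Constructed input: the thread's LDAP block with the access file commented out.
SAMPLE = """
<Location /svn/>
  DAV svn
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldapserver.orbit.com:3268/DC=orbit,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
  AuthLDAPBindPassword ldapasswd
  # AuthzSVNAccessFile "C:/Apache2.2/conf/svn-authz.conf"
  Require valid-user
</Location>
"""

def parse_locations(text):
    """Map each <Location> path to {lowercased directive: [raw argument string]}."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # httpd comments are whole lines beginning with '#'
        opened = re.match(r"<Location\s+(\S+?)>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            name, _, args = line.partition(" ")
            current.setdefault(name.lower(), []).append(args.strip())
    return blocks

def audit(text):
    """Return {location: [finding codes]} for each block that enables DAV svn."""
    report = {}
    for path, d in parse_locations(text).items():
        if "svn" not in map(str.lower, d.get("dav", [])):
            continue
        found = []
        if "authzsvnaccessfile" not in d:  # valid-user alone only authenticates
            found.append("no-access-file")
        if "basic" in map(str.lower, d.get("authtype", [])) and "sslrequiressl" not in d:
            found.append("basic-without-sslrequiressl")  # heuristic, block-local
        for url, *mode in map(shlex.split, d.get("authldapurl", [])):
            if url.lower().startswith("ldap://") and not {m.upper() for m in mode} & TLS_MODES:
                found.append("ldap-cleartext")  # bind and user passwords unencrypted
        report[path] = found
    return report
```

The `basic-without-sslrequiressl` finding only looks inside the block, so a location that sits in an SSL-only virtual host will still be flagged and needs a manual check.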

                                                                       
From: "Mehrdad Sadri" <Mehrdad.Sadri_at_mscsoftware.com>
To: <Robin.Gueldenpfennig_at_enercon.de>
Cc: <users_at_subversion.tigris.org>
Date: 29.01.2009 20:53
Subject: RE: Antwort: Subversion 1.5.5 LDAP Authentication

Hi Robin,

This method is using SSPI, and I set it up the way you asked me to. I put
in all the directives in the httpd.conf and I am able to log in and see the
repositories in svn. However, I am not sure if it is doing any authentication
at all. I commented out the line
" # AuthzSVNAccessFile "C:/Apache2.2/conf/svn-authz.conf"" and I am still
able to log in. For that matter I think anyone can log in. Seems like there
is no authorization required even though I have " Require valid-user"?

Secondly, I am not so much interested in getting the SSPI method to work. I
am interested in getting the following method to work with SSL; see below.

<Location /svn/>
  DAV svn
  SVNListParentPath on
  SVNParentPath D:/svnrepos/
  AuthName "Subversion Repository"
  AuthBasicProvider ldap
  AuthType Basic
  AuthzLDAPAuthoritative off
  AuthLDAPURL "ldap://ldapserver.orbit.com:3268/DC=orbit,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=Users,dc=orbit,dc=com"
        AuthLDAPBindPassword ldapasswd

        require valid-user

</Location>

Also, in the attached files you sent me you have a method described, but
in your email you have another.
Which is a preferred method? Which method works?
I have searched all over the documentation for Apache, and am still not able to
get the LDAP to work properly.

Any help would be greatly appreciated.

Thanks in advance!

Mehrdad Sadri
MSC.Software Corp.
M:(949)306-7575
W:(714)445-3136

>-----Original Message-----
>From: Robin.Gueldenpfennig_at_enercon.de [mailto:Robin.Gueldenpfennig_at_enercon.de]
>Sent: Tuesday, January 27, 2009 11:51 PM
>To: Mehrdad Sadri
>Cc: users_at_subversion.tigris.org
>Subject: Antwort: Subversion 1.5.5 LDAP Authentication
>
>
>Hi!
>
>Please exclude httpd-ssl.conf and put this into your httpd.conf:
>
>Listen 443
>
><Location /SVN_ROOT>
> DAV svn
> SVNParentPath D:\svnrepos\
> SVNListParentPath on
>
> SSLRequireSSL
>
> AuthName "Subversion Repositories"
>
>##Authentication via ENERCON Windows Domain
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain orbit
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth off
> SSPIOfferBasic On
>
>##Authorization file which handles access rights
>##In this file you can insert the Windows Domain user names and their rights for the repositories
> AuthzSVNAccessFile conf/svnaccessfile.conf
>
>
> Require valid-user
></Location>
>
>
>
>##SSL Authentication module
><IfModule ssl_module>
> SSLMutex default
> SSLRandomSeed startup builtin
> SSLSessionCache none
>
>##The following creates an SSL server which speaks only the SSLv3 protocol and its ciphers
> SSLProtocol -all +SSLv3
> SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+LOW:+EXP
></IfModule>
>
>CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>CustomLog logs/svn_logfile.log "%t %u %U %{SVN-ACTION}e" env=SVN-ACTION
>
><VirtualHost *:443>
> SSLEngine On
> SSLCertificateFile conf/ssl/sslcert.crt
> SSLCertificateKeyFile conf/ssl/sslkey.key
></VirtualHost>
>
>If this works you can modify it for matching your needs...
>
>Kind regards
>Robin Güldenpfennig
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Robin Güldenpfennig
>Service IT / SCADA Department
>
>ENERCON Service Center
>Dornumer Straße 20
>26607 Aurich / Germany
>
>mailto:Robin.Gueldenpfennig_at_enercon.de
>http://www.enercon.de
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>This e-mail message together with its attachments, if any, is confidential and
>may contain information subject to legal privilege (e.g.
>attorney-client-privilege). If you are not the intended recipient or have
>received this e-mail in error, please inform us immediately and delete this
>message. Any unauthorised copying of this message (and attachments) or
>unauthorised distribution of the information contained herein is prohibited.
>
>
>
>From: Mehrdad Sadri <mehrdad.sadri_at_mscsoftware.com>
>To: users_at_subversion.tigris.org
>Date: 27.01.2009 22:50
>Subject: Subversion 1.5.5 LDAP Authentication
>
>I have installed Subversion 1.5.5 and Apache 2.2.11 with OpenSSL. I am able to
>log in and access Subversion repositories fine.
>However, I would like to change my authentication method now and use our Windows
>2003 AD (LDAP) for authentication.
>I have spent several days and googled it, but am still not able to get it to work.
>I have tried it with SSL and without, but no luck.
>
>Attached is my httpd.conf and httpd-ssl.conf.
>
>I would appreciate any help.
>
>Regards!
>
>************
>Mehrdad Sadri , Process Consulting -Support, Tel: (714)445-3136, Fax:
>(714)784-4420, Mobile: (949)306-7575
>MSC Software Corporation , 2 MacArthur Place, Santa Ana, CA 92707
>************
> (See attached file: httpd.conf)(See attached file: httpd-ssl.conf)

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1096959

Received on 2009-02-03 15:33:20 CET

This is an archived mail posted to the Subversion Users mailing list.