
Re: LDAP, auth file and CN

From: Jeremy Whitlock <jcscoobyrs_at_gmail.com>
Date: Tue, 31 Mar 2009 09:56:15 -0600

> Thanks Jeremy, that's the article I used to set Apache and LDAP up. But it doesn't mention anything about what I want to do now.

Actually, it did. When you're creating an AuthLDAPURL, you tell
Apache which user object attribute to use to find a user to
authenticate. In the article, it uses the following url:

ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)

As documented in the "Search for Users" section of the article, the
"sAMAccountName" is being used, which is the login name. If you
wanted to use the Common Name, you'd do the following:

ldap://your.domain:389/DC=your,DC=domain?CN?sub?(objectClass=*)

If I remember correctly, you said "What I would like is to be able to
use any case for my id (even gTroCcOli) if I want, then the LDAP
module returned only the Common Name (Giulio Troccoli)" and in this
case, I do tell you how to allow Apache to authenticate you based on
your Common Name. So instead of Apache having to do something out of
the ordinary, like allow you to log in with sAMAccountName but give you
or return the Common Name, you can just authenticate with the Common
Name and Apache will pass that to Subversion for authz.

If that is not an option, meaning you do want to login with
sAMAccountName instead of the Common Name, you might be out of luck.
Apache authenticates based on the user object attribute you mentioned
in the AuthLDAPURL. All Apache does is find a user based on the user
object attribute in the AuthLDAPURL and then verifies the credentials.
Nothing is "returned" as you say. But...whatever you use to
authenticate for Apache is what Subversion gets to do its authz.

In the end, are you sure you're not complicating things? I mean, I
can see this being an edge case where a user uses the wrong casing for
their credentials but wouldn't it be much simpler to explain things
when this happens instead of altering the tooling to work around a
potential problem that is user-created? I mean, when I'm told my
username is "jwhitlock", I use "jwhitlock", I don't use "Jwhitlock" or
"jWhitlock" or some other permutation. Is that such a hard thing to
relay?

-- 
Take care,
Jeremy Whitlock
http://www.thoughtspark.org
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1497075
Received on 2009-03-31 18:02:17 CEST
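The two AuthLDAPURL variants the reply describes, placed in a complete httpd location block, as an added example that is not part of the original post or of the Subversion project's documentation. The hostname, base DN, bind account, repository path and authz file path are placeholders; the only part taken from the post is the attribute selection (sAMAccountName versus CN) in the URL.

```apache
# Added example, not from the original post. Placeholder names throughout:
# your.domain, DC=your,DC=domain, the svc-svn bind account, /var/svn/repos
# and /etc/svn/authz are assumptions, not values from the thread.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /svn>
    DAV svn
    SVNParentPath /var/svn/repos

    AuthType Basic
    AuthName "Subversion repositories"
    AuthBasicProvider ldap

    # Active Directory normally refuses anonymous searches, so bind with a
    # low-privilege service account (placeholder credentials).
    AuthLDAPBindDN       "CN=svc-svn,OU=Service Accounts,DC=your,DC=domain"
    AuthLDAPBindPassword "changeme"

    # Variant 1 (from the post): the attribute between the first two '?'
    # is what the typed username is searched against. Here users log in
    # with their login name, e.g. "jwhitlock".
    AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

    # Variant 2 (from the post): search on CN instead, so users log in
    # with their Common Name, e.g. "Jeremy Whitlock". Only one AuthLDAPURL
    # is honoured per location; comment out variant 1 to use this one.
    # AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?CN?sub?(objectClass=*)"

    Require valid-user

    # Whatever string the user typed at the Basic auth prompt (and that
    # the LDAP search matched) is what mod_authz_svn looks up in this file.
    AuthzSVNAccessFile /etc/svn/authz
</Location>
```

The point the reply makes can be checked directly with this configuration: the entries in /etc/svn/authz have to be written for the name users actually type, "jwhitlock" under variant 1 or "Jeremy Whitlock" under variant 2, because Apache hands the authenticated username, not a different attribute fetched from the directory, to mod_authz_svn. Switching the attribute in the URL therefore changes which spelling of a user must appear in the authz file; it does not translate one into the other.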

This is an archived mail posted to the Subversion Users mailing list.
