[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Re: ldap authentication in subversion

From: Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be>
Date: Fri, 24 Apr 2009 17:26:27 +0200

Well, since you specified the AuthLDAPURL as "ldap://sppufls01.exfo.com:389/...", your Apache (or more specifically the mod_authnz_ldap module) will have to make connections to this url. This means that, yes, your LDAP server must be accessible from the Apache (SVN) server through port 389.

To troubleshoot this, try executing a "telnet sppufls01.exfo.com 389" on the command line of your Apache (SVN) server. If the connection is refused, you know you've got a network problem to solve first (either make the LDAP server listen on that port, or check any firewalls that are in between the svn server and the LDAP server).


Van: Irfan Sayed [mailto:irfu.sayed_at_gmail.com]
Verzonden: vrijdag 24 april 2009 17:17
Aan: Johan Corveleyn; webpost_at_tigris.org; users_at_subversion.tigris.org
Onderwerp: Re: Re: ldap authentication in subversion

Hi All,
Thanks for helping me.
Here is the update

first of all i dont have any directory as /usr/local/apache2. everything is present in /etc/httpd

after doing some search for any latest patches for apache , yum utility installed apr-util-ldap module.

after installation when i tried again to see whether it is working or not then it throws me an error like "internal server error"

now in the error log i am getting some error like "unable to connect LDAP server"

is it neccessary that port 389 should be opened ??

I have attached error log . please have a look
please please advice

On Fri, Apr 24, 2009 at 6:38 PM, Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be<mailto:johan.corveleyn_at_uz.kuleuven.ac.be>> wrote:
We had exactly the same problem (on Solaris 10 though): segfaults from the child processes of apache when it tries to authenticate via LDAP.

The reason was that we had our Apache installed in a different location than the standard one (which is /usr/local/apache2). Could that be the case with your installation? Where does your Apache reside?

After some truss'ing we found that it failed when trying to access /usr/local/apache2/lib/apr-util-1/apr_ldap.so, which obviously didn't exist in our case. So, although the Solaris package we used to install Apache supported specifying a custom installation directory, the installation was not exactly correct (some paths were hardcoded/compiled/linked/... to be in /usr/local/apache2).

As a workaround we made a symlink from /usr/local/apache2/lib/apr-util-1 to <location of apach2 lib>/apr-util-1. That solved the problem.


-----Oorspronkelijk bericht-----
Van: Carlos Beppler [mailto:beppler_at_gmail.com<mailto:beppler_at_gmail.com>]
Verzonden: vrijdag 24 april 2009 14:55
Aan: Irfan Sayed
CC: webpost_at_tigris.org<mailto:webpost_at_tigris.org>; users_at_subversion.tigris.org<mailto:users_at_subversion.tigris.org>
Onderwerp: Re: Re: ldap authentication in subversion

It appears that your LDAP module is causing segmentation faults on the
child process.

I do not have experience with Fedora (we use Debian here).

You are loading the mod_authnz_ldap. Are you loading the mod_ldap too?
Look for this entries on your configuration files.

LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so

LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

[Fri Apr 24 11:00:12 2009] [debug] mod_authnz_ldap.c(377): [client] [12733] auth_ldap authenticate: using URL
[Fri Apr 24 11:00:13 2009] [notice] child pid 12733 exit signal
Segmentation fault (11)

On Fri, Apr 24, 2009 at 09:41, Irfan Sayed <irfu.sayed_at_gmail.com<mailto:irfu.sayed_at_gmail.com>> wrote:
> Hi,
> Apache is running on Fedora 10 (Linux).
> I have attached error.log for your reference.
> Please please advice/help
> Regards
> Irf
> On 4/24/09, Carlos Alberto Costa Beppler <beppler_at_gmail.com<mailto:beppler_at_gmail.com>> wrote:
>> If you are using Windows 2000 or later the port 389 is probably already
>> open.
>> Is this apache on Windows or Linux? Can you send the contents of the
>> error log file from Apache?
>> On Fri, Apr 24, 2009 at 09:10, Irfan Sayed <irfu.sayed_at_gmail.com<mailto:irfu.sayed_at_gmail.com>> wrote:
>>> Sorry.
>>> Here is the updated one.
>>> <Location "/svn">
>>> DAV svn
>>> SVNParentPath /usr/local/svn
>>> SVNListParentPath On
>>> SVNAutoversioning On
>>> AuthBasicProvider ldap
>>> AuthType Basic
>>> AuthzLDAPAuthoritative off
>>> AuthName "My "
>>> "ldap://sppufls01.exfo.com:389/DC=exfo.com?sAMAccountName?sub?(objectClass=*)<http://sppufls01.exfo.com:389/DC=exfo.com?sAMAccountName?sub?%28objectClass=*%29>"
>>> AuthLDAPBindDN "CN=irfsay1,CN=Users,DC=exfo.com<http://exfo.com>"
>>> AuthLDAPBindPassword jaba_1234
>>> AuthzSVNAccessFile /etc/subversion/acl
>>> # require ldap-group CN=irfsay1,CN=Users,DC=exfo.com<http://exfo.com>
>>> require valid-user
>>> </Location>
>>> Still it is not working. i think the problem is that 389 port might
>>> not be opened on the windows domain controller. Is it neccessary that
>>> it should be opened??
>>> Please advice
>>> Regards
>>> Irf
>>> On 4/24/09, webpost_at_tigris.org<mailto:webpost_at_tigris.org> <webpost_at_tigris.org<mailto:webpost_at_tigris.org>> wrote:
>>>> Apparently from what you write here, you have two AuthLDAPBindDN
>>>> directives
>>>> in your httpd.conf.
>>>> ------------------------------------------------------
>>>> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1890469
>>>> To unsubscribe from this discussion, e-mail:
>>>> [users-unsubscribe_at_subversion.tigris.org<mailto:users-unsubscribe_at_subversion.tigris.org>].
>>> ------------------------------------------------------
>>> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1891212
>>> To unsubscribe from this discussion, e-mail:
>>> [users-unsubscribe_at_subversion.tigris.org<mailto:users-unsubscribe_at_subversion.tigris.org>].


To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org<mailto:users-unsubscribe_at_subversion.tigris.org>].


To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-04-24 17:28:01 CEST

This is an archived mail posted to the Subversion Users mailing list.