On Tue, Nov 09, 2010 at 08:12:44AM -0500, Patricia A Moss wrote:
> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different
> locations.
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a
> repository.
> I say supposedly because apparently the second part is not working. Right
> now, anyone can access any repository. Can someone lend a hand in figuring
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword xxxxxxxxx
> AuthLDAPURL
> ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?
> (objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service
> Accounts,OU=Users,OU=Production,DC
> =vdc,DC=csc,DC=com"
> AuthLDAPBindPassword xxxxxxxxxxx
> AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?sa
> mAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
>
> Then in each, specific repositorry configuration file, I have the
> following:
> <Location /FDCertifications>
> dav svn
> SVNPath /disk01/home/FDCertifications
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=PRJ
> FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> </Location>
>
> I thought the "Require ldap-group" line locked access down to allow only
> the users in the group access to the repo. That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET
> account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't
> allow any access.
> Have any clues what I am doing wrong? Thanks.
I don't know a lot about apache auth configuration.
But I think you want to configure LDAP auth separately for each repository
location block. Within each block, use an LDAP URL that matches the
specific group which should have access to this repository.
Unfortunately, I cannot provide any example configuration files.
But I've seen a configuration that worked as described above within
a large enterprise just a couple weeks ago. So I know that it should
work, given the right configuration.
Hope this helps, and good luck,
Stefan
Received on 2010-11-09 15:35:23 CET