
Re: locking down access to a repository

From: Patricia A Moss <pmoss4_at_csc.com>
Date: Tue, 9 Nov 2010 15:19:56 -0500

I was trying to go back and answer your very first response and then go
from there. My first reply didn't post to you. I didn't want to skip any
steps.

I don't think that your response had levity, but more so rudeness and
sarcasm.

I simply wanted to make sure that you saw my first response and that it
answered those first questions. THEN I would have moved on to the next set
of questions.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru <opensrcguru_at_gmail.com>
To: Patricia A Moss/USA/CSC_at_CSC
Cc: users_at_subversion.apache.org
Date: 11/09/2010 03:03 PM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss <pmoss4_at_csc.com> wrote:
>
> I've tried twice to reply to your first response. I am not sure why it
> is not posting.
> I am going to try again.
>
> >First. LDAP (authentication) is only 1/2 of the big picture. You will
> >still need to configure authorization on the repos themselves.
> I have done this already. I have a separate configuration file for each
> repository. That looks like this:
> <Location /RepositoryName>
> dav svn
> SVNPath /disk01/home/RepositoryName
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> </Location>
>
> I have defined the LDAP Aliases in the very first repository
> configuration file; as such:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword xxxxxxxxx
> AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> AuthLDAPBindPassword xxxxxxxxxxx
> AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
>
> >Second, it's hard to help troubleshoot when you don't provide useful
> >information or a direct question. Was there something you needed help
> >with? I didn't see any questions other than "Can someone lend a hand in
> >figuring out what I have done wrong, or need to do?"
>
> I think that I have 2 separate issues:
> 1. I need to lock down access so that only the users in the associated
> AD group have access to the repository.
> 2. I need to be able to allow just my user account access to the
> repositories, without having to be added to all of the AD groups.
>
> Right now:
> All valid users can access all repositories, whether they are a member
> of the Active Directory group or not.
> When I remove the "Require valid-user" line then no one, including the
> members of the Active Directory group, can access the repository.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
> From: opensrcguru <opensrcguru_at_gmail.com>
> To: users_at_subversion.apache.org
> Date: 11/09/2010 02:12 PM
> Subject: Re: locking down access to a repository
> ________________________________
>
>
> On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss <pmoss4_at_csc.com> wrote:
>
> I appreciate all of the help that I am receiving. I have still not been
> successful in resolving this.
>
> I removed the line:
> Require valid-user
>
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in
> the google hits. Yet I am still not successful in accessing the
> repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory
> because I am really confused as to how to proceed.
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: kmradke_at_rockwellcollins.com
> To: Patricia A Moss/USA/CSC_at_CSC
> Cc: users_at_subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
>
> ________________________________
>
>
> Patricia A Moss <pmoss4_at_csc.com> wrote on 11/09/2010 09:41:42 AM:
>
> > From: Patricia A Moss <pmoss4_at_csc.com>
> > To: kmradke_at_rockwellcollins.com
> > Cc: users_at_subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> >
> > >I don't think you want the "Require valid-user" line, since by
> > >default it uses ANY of the Require lines as matches. (And in your
> > >case valid-user matches all users so it doesn't care you are also
> > >specifying a group and a user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove
> the objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>
> AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
> AuthLDAPGroupAttribute member
> Require ldap-group ...
>
> It has been quite a while since I used ldap groups instead of authz
> files...
>
> This first google hit has some examples:
>
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
>
> As does this one:
>
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
>
> Kevin R.
>
>
> Although this is probably better suited for the apache/mod_ldap list,
> I'll attempt to help.
>
> do your domain controllers support unencrypted binds (very dangerous)?
> can you supply any apache/AD debug logs?
> can you supply versions of apache/mod_ldap?
> can you describe anything that is known to be working?
>
>
> ...this should be pretty straightforward to troubleshoot if you give us
> some useful information to work with.
>
> I speak without a full understanding of the list's user base, but I bet
> none of them can or ever will be able to read the minds of the end user
> with a problem (let alone know how their systems are configured). If there
> is such a wonderful beasty, I'd be mighty interested in meeting them.
>
>
>
> /OSG
>

I figured it out. You can't (or refuse) to read. Quit your job and
apply at wal-mart as a greeter.

If by some stroke of faith you decide or learn to read, visit the
following URLs and read the documentation. The developers spend
countless hours writing that stuff to help users understand how to use
the applications they create.

http://httpd.apache.org/docs/trunk/mod/mod_ldap.html
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
http://svnbook.red-bean.com/nightly/en/svn-book.html

Pardon my levity, but I've twice asked for simple pieces of
information to aid in the troubleshooting process and you've refused
to help.

/OSG
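The two outcomes reported in the thread (every authenticated user gets in while `Require valid-user` is present, nobody gets in once it is removed) follow from httpd 2.2 treating multiple `Require` lines as alternatives. This added example is not part of the thread: it places the posted block next to a corrected one. Hostnames, the bind account and the password are placeholders, and the point that the group lookup needs an AuthLDAPURL in the Location itself is an assumption, marked as such in the comments.

```apache
# Added example, not from the thread. httpd 2.2 semantics: with the default
# "Satisfy Any", a request is allowed as soon as ANY Require line matches.
# Hostnames, DNs, bind account and password below are placeholders.

# --- As posted: every authenticated user is admitted -------------------------
# "Require valid-user" is satisfied by anyone who authenticates, so the
# ldap-group and ldap-user lines never get to deny access.
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthName "CSC Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    Require valid-user
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>

# --- Corrected: members of the AD group, plus one named account --------------
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthName "CSC Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET

    # Assumption: the ldap-group / ldap-user checks use the LDAP settings of
    # this context, not those inside an <AuthnProviderAlias>, so the directory
    # that holds the group must be configured here as well. Port 3268 is the
    # AD global catalog; 3269 or ldaps:// keeps the bind and user passwords
    # off the wire in clear text (placeholder host and DN).
    AuthLDAPURL "ldap://dc.example.com:3268/DC=fcg,DC=com?sAMAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "CN=svnuser,OU=Service Accounts,DC=fcg,DC=com"
    AuthLDAPBindPassword "REPLACE-ME"
    # AD groups list members as full DNs in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Let mod_authnz_ldap give the final answer rather than falling through.
    AuthzLDAPAuthoritative on
    # No "Require valid-user": group membership OR the named account is required.
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>
```

On httpd 2.4 the same intent is written as a `<RequireAny>` block containing the two `Require` lines, and `AuthzLDAPAuthoritative` no longer exists there.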
Received on 2010-11-09 21:20:42 CET

This is an archived mail posted to the Subversion Users mailing list.
