
Re: Apache httpd 2.4 + Subversion 1.9.5 + LDAP combination does not work on CentOS 7.x

From: Stefan Sperling <stsp_at_elego.de>
Date: Tue, 18 Jul 2017 12:43:09 +0200

On Tue, Jul 18, 2017 at 12:33:32PM +0200, Branko Čibej wrote:
> On 18.07.2017 10:20, Ravi Roy wrote:
> >
> >
> > On Mon, Jul 17, 2017 at 8:03 PM, Ravi Roy <ravi.aroy_at_gmail.com> wrote:
> >
> >
> > You should remove these lines:
> >
> > Satisfy any
> > Order allow,deny
> > Allow from all
> > AuthUserFile /dev/null
> >
> >
> > then add
> >
> > Satisfy all
> >
> >
> > I also suggest you add the HEAD method to the LimitExcept
> > directive.
> >
> >
> >
> > As this does not work and is bypassing AuthzSVNAccessFile and gives repo
> > access to all valid users which exist in the LDAP directory. Does
> > somebody know why it is causing this? Thanks
> > Ravi.
>
>
> I have a practically identical configuration (with slightly more complex
> access rules) and it does work for me. I suggest you turn on verbose
> logging in httpd and check the logs to see what's happening.
>
> My config looks like this:

I suspect the use of mod_auth_compat is Roy's problem here.
His config is using a 2.2-style authorization config.

Not upgrading authorization configs to the new 2.4 syntax
can cause surprises.
Read the fine manual at http://httpd.apache.org/docs/2.4/upgrading.html
and live happily ever after :)

>
> RedirectMatch permanent ^(/repos)$ $1/
> <Location /repos/>
>     AuthType basic
>     AuthName "Subversion"
>     AuthBasicProvider ldap
>
>     AuthLDAPUrl "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
>     AuthLDAPGroupAttribute memberUid
>     AuthLDAPGroupAttributeIsDN off
>     AuthLDAPBindDN cn=admin,dc=example,dc=com
>     AuthLDAPBindPassword "example.com"
>
>     <RequireAll>
>         Require valid-user
>         <Limit HEAD GET OPTIONS PROPFIND REPORT>
>             <RequireAny>
>                 # Read access
>                 Require ldap-group cn=dev,ou=group,dc=example,dc=com
>                 Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
>             </RequireAny>
>         </Limit>
>         <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
>             <RequireAny>
>                 # Write access
>                 Require ldap-group cn=dev,ou=group,dc=example,dc=com
>             </RequireAny>
>         </LimitExcept>
>     </RequireAll>
>
>     DAV svn
>     SVNParentPath /srv/repos
>     SVNListParentPath on
>     SVNPathAuthz short_circuit
>     AuthzSVNAccessFile file:///srv/repos/admin/access.conf
> </Location>
>
>
>
> -- Brane
Received on 2017-07-18 12:43:22 CEST
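
Added example (not part of the original mail, and not anyone's real configuration): a small Python check for the situation described above, flagging `<Location>`/`<Directory>` blocks that still use the 2.2-style `Order`, `Allow`, `Deny` or `Satisfy` directives (handled by mod_access_compat in httpd 2.4), alone or mixed with 2.4-style `Require`. The `audit` function, its status labels and the sample config are assumptions constructed for illustration.

```python
import re

# 2.2-style directives (mod_access_compat in 2.4) vs 2.4-style ones (mod_authz_core).
LEGACY = {"order", "allow", "deny", "satisfy"}
MODERN = {"require", "requireall", "requireany", "requirenone"}
# Containers that scope access control; one finding is reported per container.
SCOPES = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}

def audit(conf_text):
    """Return (scope, legacy_line_numbers, modern_line_numbers, status) per container."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = re.match(r"</(\w+)\s*>", line)
        if closing:
            if closing.group(1).lower() in SCOPES and stack:
                scope, legacy, modern = stack.pop()
                status = ("mixed" if legacy and modern else
                          "legacy-2.2" if legacy else "2.4" if modern else "none")
                findings.append((scope, legacy, modern, status))
            continue
        opening = re.match(r"<(\w+)\s*([^>]*)>", line)
        name = (opening.group(1) if opening else line.split()[0]).lower()
        if opening and name in SCOPES:
            stack.append((f"{opening.group(1)} {opening.group(2).strip()}", [], []))
        elif stack and name in LEGACY:
            stack[-1][1].append(lineno)
        elif stack and name in MODERN:
            stack[-1][2].append(lineno)
    return findings

# Constructed sample: block 1 mixes the 2.2-style lines quoted in the thread with Require.
SAMPLE = """\
<Location /svn>
    Satisfy any
    Order allow,deny
    Allow from all
    Require valid-user
</Location>
<Location /repos/>
    <RequireAll>
        Require valid-user
    </RequireAll>
</Location>
"""
if __name__ == "__main__":
    for scope, legacy, modern, status in audit(SAMPLE):
        print(f"{status:10} <{scope}> 2.2-style lines={legacy} 2.4-style lines={modern}")
```

Any block reported as `mixed` or `legacy-2.2` is a candidate for rewriting in the 2.4 `Require` syntax per the upgrading guide linked above.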

This is an archived mail posted to the Subversion Users mailing list.