
Apache2 LDAP authorization against eDirectory

Hi,

I'm having trouble configuring Apache2 (for Subversion) to authorize against eDirectory. This is part of my Apache configuration:

AuthType Basic
AuthzLDAPAuthoritative On
AuthBasicProvider ldap
AuthLDAPURL "ldaps://LDAPServer/o=SomeOU?cn?sub"
# require valid user
# Require valid-user
# require group membership
AuthLDAPGroupAttribute member
Require ldap-group cn=Subversion,o=SomeOU
Satisfy All

If I uncomment the line "Require valid-user", any valid eDirectory user can access Subversion through Apache2. I want to restrict access to members of the "Subversion" group. For some reason this does not work. Here's the log from Apache:

[Fri Aug 24 12:02:15 2012] [info] Initial (No.1) HTTPS request received for child 0 (server svn.xy.com:443)
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(373): [client 195.29.181.132] [1253] auth_ldap authenticate: using URL ldaps://LDAPServer/o=SomeOU?cn?sub
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(454): [client 195.29.181.132] [1253] auth_ldap authenticate: accepting bruno
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(691): [client 195.29.181.132] [1253] auth_ldap authorise: require group: testing for group membership in "cn=Subversion,o=SomeOU"
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(697): [client 195.29.181.132] [1253] auth_ldap authorise: require group: testing for member: cn=bruno,o=SomeOU (cn=Subversion,o=SomeOU)
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(713): [client 195.29.181.132] [1253] auth_ldap authorise: require group "cn=Subversion,o=SomeOU": authorisation failed [Comparison false (adding to cache)][Compare False]
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(826): [client 195.29.181.132] [1253] auth_ldap authorise: authorisation denied

The authentication phase goes well, but testing for group membership fails (I double-checked - user bruno is a member of the Subversion group). Can anyone give me a clue? I've run out of ideas (tried everything I could think of).

Thanks in advance,
Bruno
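
Added example, not part of the original post: a Python script that reads the mod_authnz_ldap debug lines quoted above and reconstructs the exact LDAP compare Apache issued (attribute, asserted value, group entry), so that assertion can be checked against the group object in eDirectory. The function, regex and field names are assumptions made for this example; the log lines are the ones from the post.

```python
import re
from collections import defaultdict

# Debug lines copied from the post above.
SAMPLE_LOG = """\
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(454): [client 195.29.181.132] [1253] auth_ldap authenticate: accepting bruno
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(691): [client 195.29.181.132] [1253] auth_ldap authorise: require group: testing for group membership in "cn=Subversion,o=SomeOU"
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(697): [client 195.29.181.132] [1253] auth_ldap authorise: require group: testing for member: cn=bruno,o=SomeOU (cn=Subversion,o=SomeOU)
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(713): [client 195.29.181.132] [1253] auth_ldap authorise: require group "cn=Subversion,o=SomeOU": authorisation failed [Comparison false (adding to cache)][Compare False]
[Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(826): [client 195.29.181.132] [1253] auth_ldap authorise: authorisation denied
"""

# Fields common to every auth_ldap debug message in the excerpt.
PREFIX = re.compile(r"\[client (?P<client>[^\]]+)\] \[(?P<tag>\d+)\] "
                    r"auth_ldap (?:authenticate|authorise): (?P<msg>.*)")
ACCEPT = re.compile(r"accepting (?P<user>\S+)")
# Message shape: "testing for <attribute>: <asserted value> (<group entry>)"
TEST = re.compile(r"require group: testing for (?P<attr>[^:]+): "
                  r"(?P<value>.+) \((?P<group>.+)\)$")
FAILED = re.compile(r'require group "[^"]+": authorisation failed '
                    r"\[(?P<reason>[^\]]+)\]")


def failed_group_compares(log_text):
    """Return one record per failed group check, with the compare that was sent."""
    state = defaultdict(dict)  # keyed by (client, bracketed tag) to keep requests apart
    failures = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        key, msg = (m["client"], m["tag"]), m["msg"]
        if (a := ACCEPT.match(msg)):
            state[key] = {"user": a["user"]}  # login name that passed authentication
        elif (t := TEST.match(msg)):
            state[key].update(attr=t["attr"], value=t["value"], group=t["group"])
        elif (f := FAILED.match(msg)):
            failures.append({**state[key], "reason": f["reason"]})
    return failures


if __name__ == "__main__":
    for record in failed_group_compares(SAMPLE_LOG):
        print(record)
```

The record shows Apache asserting `member = cn=bruno,o=SomeOU` on the entry `cn=Subversion,o=SomeOU`; comparing that value character for character with what the group object actually stores is the next thing to check.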
