Migration from LDAP to LDAPS results in 500 Internal Server Error

    Hi,

    We were using LDAP authentication so far for our on-prem svn server. Now we are supposed to migrate from LDAP to LDAPS authentication. Upon making the appropriate changes in subversion.conf file, any write operation is resulting in 500 Internal Server Error.

    Below is our subversion.conf file configuration, the only diff between the working and the current configuration is highlighted in Bold & Italics.

    # Load Apache LDAP modules
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

    # Load Subversion Apache Modules
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    # Work around authz and SVNListParentPath issue
    RedirectMatch ^(/repos)$ $1/

    SVNAllowBulkUpdates Prefer

    # Enable Subversion logging
    ErrorLog /var/log/svn_errorfile.log
    CustomLog /var/log/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

    LDAPVerifyServerCert off
    LDAPTrustedGlobalCert CERT_BASE64 /opt/ssl/cert.pem


    <IfModule dav_svn_module>
    SVNInMemoryCacheSize 32768
    SVNCacheFullTexts on
    SVNCacheTextDeltas on
    SVNCacheRevProps on
    </IfModule>


    <Location /svnroot>
    # Enable Subversion
    DAV svn

    # Directory containing all repository for this path
    SVNParentPath /usr/local/svnroot

    # List repositories collection
    SVNListParentPath On

    # Set authorization (permissions) file
    #AuthzSVNAccessFile /etc/httpd/conf/dav_svn.authz

    # Repository Display Name
    SVNReposName "Software Repository"

    # Do basic password authentication in the clear
    AuthType Basic

    # The name of the protected area or "realm"
    AuthName "SCM SVN Server"

    # Make LDAP the authentication mechanism
    AuthBasicProvider file ldap

    AuthUserFile /etc/httpd/passwd/passwords

    AuthzLDAPAuthoritative off

    # Active Directory requires an authenticating DN to access records
    AuthLDAPBindDN "domain\username"
    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword password

    # The LDAP query URL
    #AuthLDAPURL "ldap://domain.com:389/DC=domain,DC=com?sAMAccountName?sub?(objectClass=* )"
    AuthLDAPURL "ldaps://domain.com:636/DC=domain,DC=com?sAMAccountName?sub?(objectClass=* )"

    # Require a valid user
    <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
    </LimitExcept>

    # Authorization file
    AuthzSVNAccessFile /usr/local/svnroot/repos.acl
    </Location>

    No error was seen in error_log or access_log files.
    error_log content:
    [Sun Sep 06 09:20:46 2020] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
    [Sun Sep 06 09:20:46 2020] [notice] mod_python: using mutex_directory /tmp
    [Sun Sep 06 09:20:47 2020] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_auth_pgsql/2.0.3 PHP/5.3.3 mod_python/3.3.1 Python/2.6.6 mod_ssl/2.2.15 OpenSSL/1.0.0-fips SVN/1.8.10 mod_wsgi/3.2 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations

    Any suggestions for fixing the issue are highly appreciated.

  • #2
    SVN is of version 1.8 and running on RHEL6.4 64 bit architecture.



    • #3
      Just FWIW, that's a truly ancient OS. I assume you're paying for extended support? Otherwise you're unlikely to get as much benefit from changing to HTTPS as you'd like since the OpenSSL, etc. will need patching.

      Also, since you're using "AuthzSVNAccessFile", I would strongly suggest that you remove the "<LimitExcept>" and "</LimitExcept>" and always "Require valid-user".

      Also, I can't tell from above: is this PRE_FORK or WORKER ? You're best off with PRE_FORK when dealing with Subversion due to memory management issues in-process in Apache. That said, the "SVNInMemoryCacheSize 32768" is scary since that number is in MB and that would mean 32GB for each forked Apache server (so I hope it's worker...).



      • #4
        Hi DougR,

        Thanks for your response. Yes, I agree RHEL6.4 is an ancient OS. After removing the "<LimitExcept>" and "</LimitExcept>" and always "Require valid-user" the commit is happening. However, the LDAP/LDAPS authentication is bypassed.


        I've configured Apache Subversion 1.11, HTTPD 2.4.6 on an RHEL7.8 OS and I still get the same 500 internal error using the same above config settings. Any other possibilities to overcome this issue? Our main agenda is to authenticate using LDAPS, and we use Active Directory.



        • #5
          Let me double-check, you did this:

          AuthBasicProvider file ldap
          AuthUserFile /etc/httpd/passwd/passwords
          AuthzLDAPAuthoritative off
          AuthLDAPBindDN "domain\username"
          AuthLDAPBindPassword password
          AuthLDAPURL "ldaps://domain.com:636/DC=domain,DC=com?sAMAccountName?sub?(objectClass=* )"
          Require valid-user
          AuthzSVNAccessFile /usr/local/svnroot/repos.acl
          AuthzForceUsernameCase Lower

          I added that last line since you're using AD. That "Require valid-user" is essential.

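For reference, here is the /svnroot block with DougR's two changes applied, plus server certificate verification, which the original config switched off with "LDAPVerifyServerCert off" and so gained no transport protection from moving to LDAPS. This is an added example, not the poster's or DougR's configuration; the bind DN, password, ACL path and CA bundle path are placeholders.

```apache
# Added example (not the original poster's or DougR's config).
# Global server section: check the AD server's certificate against the CA that
# issued it. LDAPTrustedGlobalCert takes a CA_* type for a trust anchor; the
# CERT_* types are for client certificates, so "CERT_BASE64 /opt/ssl/cert.pem"
# in the original was not a trust anchor even if verification had been on.
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /opt/ssl/ad-ca-chain.pem   # placeholder path

<Location /svnroot>
    DAV svn
    SVNParentPath /usr/local/svnroot
    SVNListParentPath On
    SVNReposName "Software Repository"

    AuthType Basic
    AuthName "SCM SVN Server"
    # Only the LDAP provider; the local passwords file from the original
    # thread is dropped here since the goal is LDAPS-backed authentication.
    AuthBasicProvider ldap

    # Service account used to search AD (placeholder DN and password).
    # On httpd 2.4.5 or later the password can be supplied by a program
    # instead of being stored in clear text: AuthLDAPBindPassword exec:/path
    AuthLDAPBindDN "CN=svn-bind,OU=Service Accounts,DC=domain,DC=com"
    AuthLDAPBindPassword "placeholder-password"
    AuthLDAPURL "ldaps://domain.com:636/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"

    # Every method, reads included, must authenticate. The original wrapped
    # this in <LimitExcept GET PROPFIND OPTIONS REPORT>, which let read
    # requests through without credentials, so access for those methods
    # depended entirely on the rules in the ACL file.
    Require valid-user

    # Path-based authorization. AD usernames are case-insensitive, so
    # normalize them before matching entries in the ACL file.
    AuthzSVNAccessFile /usr/local/svnroot/repos.acl
    AuthzForceUsernameCase Lower
</Location>
```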


          • #6
            Hi DougR,

            Thanks for the update, after adding "Require valid-user" LDAPS authentication is working fine. I tested all the scenarios about the authentication process and was successful in all the cases. Thanks & appreciate your help.



            • #7
              Glad that's working now! Cheers!
