SVN LDAP Authentication

  • SVN LDAP Authentication

    Hi there,

    New to this, and I am currently migrating my SVN from Windows (1.6.6) to CentOS 7 (1.9.7).

    Below is my current Subversion configuration on my CentOS 7 VM:
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    <Location "/svn/test">
    DAV svn
    SVNPath /var/www/svn/test

    AuthType Basic
    AuthName "Subversion repo"

    #AuthUserFile "/etc/httpd/conf.d/svn_auth"
    Require valid-user
    #AuthGroupFile "/etc/httpd/conf.d/svn_acl"

    AuthBasicProvider ldap
    AuthLDAPURL "ldap://192.168.1.1:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectCla ss=*)"
    AuthLDAPBindDN "testuser@mydomain.local"
    AuthLDAPBindPassword "password"
    </Location>
    --------------------------------------------------------------------------------------------------------------------------------------------------------------


    My question is, I am able to log in to my repo using an account, but I notice that AuthUserFile and AuthGroupFile are commented out.
    Where is it getting the allowed users from if these two fields are not present?

    Also
    - /etc/httpd/conf.d/svn_acl
    - /etc/httpd/conf.d/svn_auth

    have been removed from this location. I was reading that the default location for Apache authentication is /var/www, but there are no files in there that would grant it access to the repo.

    Any comments/suggestions are greatly appreciated.

    Thanks.


    Last edited by cortezj; 10-26-2017, 05:27 PM.

  • #2
    The only "AuthZ" that's being done is "Require valid-user". Yes, it seems like AuthN - and it is - but once past that, without a properly configured AuthZ, all rights are granted.

    In terms of Apache configuration, you should be specifying the "AuthzSVNAccessFile" directive in addition, something like:

    AuthzSVNAccessFile /opt/repo/ApacheAuthZ.conf



    • #3
      Thanks for the quick reply DougR, really appreciate it.

      When you refer to "AuthZ", do you mean Authorization?
      And "AuthN" is referring to Authentication?

      And do the extensions also have to be specified, such as the ".conf" at the end, in CentOS?
      And is a "service httpd restart" required every time I make a change in subversion.conf?


      So I've added

      AuthUserFile /var/www/access/auth
      AuthzSVNAccessFile /var/www/access/acl

      And still no luck... I've added my LDAP user to the ACL file and am still not able to access the repo.
      Last edited by cortezj; 10-26-2017, 06:37 PM.



      • #4
        As you guessed:

        AuthN = AutheNtication
        AuthZ = AuthoriZation

        Files in Linux are just files: unless you've got a GUI tool, you need to specify the full name of the file - and that includes any "suffix" that it might have. In general suffixes are conventional - NOT required.

        Here's what's in my Apache config file for Subversion:

        <Location /svn>
        DAV svn
        SVNParentPath /opt/repo
        SVNListParentPath On
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "SVN Repo"
        AuthLDAPURL "ldap://192.168.56.222/ou=people,dc=ds,dc=example,dc=com?uid"
        Require valid-user
        AuthzSVNAccessFile /opt/repo/ApacheAuthZ.conf
        </Location>

        Since I'm using LDAP for AuthN there's no need for an AuthUserFile. In point of fact, AuthUserFile is another way to enable AuthN independent of LDAP. If you're going to use both then you need to say:

        AuthBasicProvider ldap file

        But if you're using LDAP then why? Also the format of the AuthUserFile is such that passwords to all accounts are trivially available to anyone with access to the file. So definitely not recommended unless you harden your server.

        As for AuthGroupFile - not unless you're using AuthUserFile.

        In general, the AuthZ file required for "AuthzSVNAccessFile" requires a very specific format to work. What does yours look like?



        • #5
          From my understanding, I require LDAP to AuthN the users in my AuthZ file, correct?

          In my AuthZ file I have a much larger version of this config:

          [groups]

          read = read-only
          allowed = testuser


          #
          # Access to the test repository
          #
          [test:/]
          @architecture = rw
          * = r


          Also, how does SVN AuthN to the LDAP server without:
          AuthLDAPBindDN
          AuthLDAPBindPassword



          • #6
            The Account Names used in the AuthZ file must match the LDAP Account Names exactly. I assume you meant to say "@allowed = rw" (not @architecture). FWIW, the "test" part of "[test:/]" must match everything after the "/svn". So if you've got repositories below directories then those directories need to be there too.

            The AuthLDAPBindDN and AuthLDAPBindPassword are not used for AuthN (where the Account's own credentials - account name and password are used in the bind). The AuthLDAPBindDN and AuthLDAPBindPassword are used when other LDAP operations are needed - for example for configurations using LDAP groups.



            • #7
              Yes, correct, not @architecture, lol.

              Also when you said:

              "the "test" part of "[test:/]" must match everything after the "/svn""

              And in my Subversion config I have:

              <Location "/svn/test">

              So it would be correct for me to have [test:/] then, correct?

              And I have the same configuration as the one you posted above, and it's still not working.
              Maybe my OU is incorrect?

              Because now without

              AuthLDAPURL "ldap://192.168.1.1:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
              AuthLDAPBindDN "test@mydomain.local"
              AuthLDAPBindPassword "password"

              none of the LDAP users can log in.



              • #8
                You'll note that my config has specified "SVNParentPath /path/to/directory/inwhich/repo/resides" (so, in my case the parent directory is "/opt/repo" and my "test" repo is "/opt/repo/test"). By using SVNParentPath I can add new repositories without having to edit the Apache config file - I just have to update the AuthZ file.

                By specifying "SVNPath" you don't get that nicety. And your AuthZ file should NOT have the "test:" portion - just the [/] (assuming no sub-repository path access rules). And you'll have to have a different <Location> block for each repository you want to add. PITA, IMO.

                As for the AuthLDAPURL, that's always fun to work out. For my slapd-based LDAP I don't need either of the Bind rules. What you see above is EXACTLY what I have on one of my test VMs and it works just fine.

                Which error are you getting when trying to checkout the repo? Is it AuthN or AuthZ? Read the message carefully.

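                The AuthLDAPURL that is "always fun to work out" has a fixed shape, ldap://host:port/base-dn?attribute?scope?filter, where the last three parts are optional and mod_authnz_ldap fills in uid, sub and (objectClass=*) when they are missing. The script below is an added example written for this thread, not code from the thread or from Apache: it splits a URL into those parts, applies the module's documented defaults and reports anything that would stop the search from ever matching a user (an unsupported scope, an empty base DN, whitespace inside the filter, a filter without parentheses). The class and function names are my own; the URLs in the test are the ones quoted in this thread.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str   # attribute the typed user name is compared with (uid, sAMAccountName, ...)
    scope: str       # "one" or "sub"; mod_authnz_ldap does not support "base"
    filter: str      # extra filter ANDed with the attribute match
    issues: list = field(default_factory=list)


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an AuthLDAPURL (RFC 2255 form: ldap://host:port/basedn?attribute?scope?filter)
    into the parts mod_authnz_ldap uses, apply the module's defaults and collect problems."""
    url = url.strip().strip('"')          # the value is usually quoted in httpd.conf
    parts = urlsplit(url)
    issues = []

    if parts.scheme not in ("ldap", "ldaps"):
        issues.append(f"scheme {parts.scheme!r} is not ldap or ldaps")
    host = parts.hostname or ""
    if not host:
        issues.append("no host in URL")
    # 389/636 are the plain/TLS LDAP defaults; 3268/3269 are the Active Directory
    # Global Catalog ports, which is why AD configs often show 3268
    port = parts.port if parts.port is not None else (636 if parts.scheme == "ldaps" else 389)

    base_dn = unquote(parts.path.lstrip("/"))
    if not base_dn:
        issues.append("empty base DN: the search would start at the directory root")

    # attribute?scope?filter, each optional; pad so missing parts get the defaults
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attribute = fields[0] or "uid"
    scope = fields[1] or "sub"
    filt = fields[2] or "(objectClass=*)"

    if scope not in ("one", "sub"):
        issues.append(f"scope {scope!r} is not supported (use one or sub)")
    if any(ch.isspace() for ch in filt):
        issues.append("whitespace inside the search filter (line wrap or typo?)")
    if not (filt.startswith("(") and filt.endswith(")")):
        issues.append("filter must be wrapped in parentheses")

    return LdapUrl(parts.scheme, host, port, base_dn, attribute, scope, filt, issues)


if __name__ == "__main__":
    for u in ('"ldap://192.168.1.1:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectCla ss=*)"',
              "ldap://192.168.56.222/ou=people,dc=ds,dc=example,dc=com?uid",
              'ldap://192.168.1.1:3289/DC=mydomain,DC=local?uid?'):
        print(parse_auth_ldap_url(u))
```

                Running it on the two Active Directory URLs from this thread shows at a glance that they search different ports and different attributes (sAMAccountName versus the default uid), which is the first thing to compare when one of them authenticates and the other does not.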


                • #9
                  Correct me if I am wrong, but the log files are stored in /var/log/httpd, correct?
                  There are 2 access logs, named:
                  access_log
                  access_log-20171030

                  Within the access_log file I get this:
                  [IP ADDRESS] - "TestUser" [31/Oct/2017:11:47:10 -0400] "GET /svn/test/ HTTP/1.1" 200 316 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
                  [IP ADDRESS] - "TestUser" [31/Oct/2017:11:50:36 -0400] "GET /svn/test/ HTTP/1.1" 500 527 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

                  Within the error_log file I also get this message:
                  [auth_basic:error] [pid 5455] [client 192.168.1.1:63252] AH01618: user TestUser not found: /svn/test/
                  [auth_basic:error] [pid 4547] [client 192.168.1.1:63252] AH01617: user TestUser: authentication failure for "/svn/test/": Password Mismatch


                  The weird thing is, when I have this enabled within the config file it authenticates through LDAP but just doesn't take the ACL for some reason.

                  AuthBasicProvider ldap
                  AuthLDAPURL "ldap://192.168.1.1:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectCla ss=*)"
                  AuthLDAPBindDN "testuser@mydomain.local"
                  AuthLDAPBindPassword "password"
                  Require ldap-attribute objectClass=user


                  With this configuration I am able to log in with a specific user, but unable to log in with a user that hasn't had access to an SVN repo before (which I obviously added to the ACL file).

                  What am I missing for it to take the users authorized within the AuthzSVNAccessFile?
                  Last edited by cortezj; 10-31-2017, 05:35 PM.



                  • #10
                    0. Yes, in most Apache setups the logs are in the /var/log/httpd directory.
                    1. Don't use either AuthLDAPBindDN or AuthLDAPBindPassword - Apache isn't searching LDAP, it's only using LDAP for AuthN and that doesn't use either of these.
                    2. Don't use "Require ldap-attribute objectClass=user" (automation accounts will be banned)
                    3. I assume that the "(objectCla ss=*)" is a typo (it should not have a space in it).
                    4. The date-stamped access_log-20171030 is a historical/rotated file. The active ones are just "*_log".
                    5. The error_log entry shows a mixed case name (TestUser). Given that you're running Windows you may find that it's normal to just type mixed case and have it work. Apache and SVN are from the Linux world and, while they enable Windows use, they do not support a "case insensitive" - at least for AuthZ. To get around this you need to force the account name to lowercase by using the "AuthzForceUsernameCase Lower" directive.
                    6. Given that in step 5 we have lowercased the account names before doing the AuthZ step, then all accounts in the AuthzSVNAccessFile must be lowercase.

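                    To make the AuthzSVNAccessFile mechanics concrete (group expansion, "[repo:/path]" versus "[/path]" sections, the most specific path winning, and the exact-case name matching that item 5 above is about), here is an added Python model of that evaluation, written for this thread and not taken from Subversion's code. It follows the rule precedence Subversion documents for 1.10 and later (explicit user, then group, then "*") and takes the union of rights when several groups match; versions before 1.10 resolve conflicts within one section differently, so check a real file with `svnauthz accessof` rather than with this script. The authz text is a constructed variant of the file posted in #5, the force_lowercase flag stands in for what AuthzForceUsernameCase Lower does before the AuthZ step, and every function name is my own.

```python
import configparser

# Constructed authz file, modelled on the one posted in #5 with the group rules
# corrected and a more specific sub-path added to show inheritance.
AUTHZ_TEXT = """\
[groups]
allowed = testuser
readers = read-only, @allowed

# Global default: nothing is visible unless a repository section grants it
[/]
* =

[test:/]
@allowed = rw
* = r

[test:/private]
* =
@readers = r
"""


def load_authz(text):
    """Parse authz text into (groups, rules).

    groups: {group: [member, ...]}                 a member may be '@othergroup'
    rules:  {(repo_or_None, path): {subject: perms}} perms is '', 'r' or 'rw'
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, allow_no_value=True)
    cp.optionxform = str                      # keep case: authz names are case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        if section == "groups":
            for name, members in cp.items(section):
                groups[name] = [m.strip() for m in (members or "").split(",") if m.strip()]
        elif section == "aliases":
            continue                          # alias support left out of this model
        else:
            # "[repo:/path]" applies to one repository, "[/path]" to all of them
            repo, sep, path = section.partition(":")
            if not sep:
                repo, path = None, section
            path = "/" + path.strip("/")
            rules[(repo, path)] = {subj: (perm or "") for subj, perm in cp.items(section)}
    return groups, rules


def expand_group(name, groups, _seen=None):
    """Set of user names in a group, following nested @group members (cycle-safe)."""
    _seen = _seen if _seen is not None else set()
    members = set()
    if name in _seen:
        return members
    _seen.add(name)
    for m in groups.get(name, []):
        if m.startswith("@"):
            members |= expand_group(m[1:], groups, _seen)
        else:
            members.add(m)
    return members


def _resolve(section, user, groups):
    """Apply one section's rules to a user; None means the section is silent about them."""
    if user in section:                       # explicit user rule has the highest priority
        return section[user]
    group_perms = [perm for subj, perm in section.items()
                   if subj.startswith("@") and user in expand_group(subj[1:], groups)]
    if group_perms:                           # several groups: union of rights (simplification)
        return "".join(c for c in "rw" if any(c in p for p in group_perms))
    if "*" in section:                        # '*' matches everyone, including anonymous
        return section["*"]
    return None


def access(authz, repo, path, user, force_lowercase=False):
    """Rights ('', 'r' or 'rw') of user on repo:path; the most specific path decides."""
    groups, rules = authz
    if force_lowercase:                       # AuthzForceUsernameCase Lower, modelled
        user = user.lower()
    segs = [s for s in path.split("/") if s]
    for depth in range(len(segs), -1, -1):    # walk from the full path up to '/'
        p = "/" + "/".join(segs[:depth])
        for key in ((repo, p), (None, p)):    # repository section beats global at the same path
            if key in rules:
                perms = _resolve(rules[key], user, groups)
                if perms is not None:
                    return perms
    return ""                                 # no rule matched anywhere: no access


if __name__ == "__main__":
    authz = load_authz(AUTHZ_TEXT)
    for repo, path, user, lower in [("test", "/trunk", "testuser", False),
                                    ("test", "/trunk", "TestUser", False),
                                    ("test", "/trunk", "TestUser", True),
                                    ("test", "/private/x", "stranger", False)]:
        print(f"{repo}:{path} {user} lower={lower} -> {access(authz, repo, path, user, lower)!r}")
```

                    The run shows the two failure modes discussed in this thread side by side: "TestUser" only gets the "*" rights because the group membership is for "testuser", and the same name lowercased gets "rw"; and a rule on "/private" overrides the repository root rule even for a user who has "rw" there. With SVNPath instead of SVNParentPath the same file would use "[/]" rather than "[test:/]", as pointed out in #8.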


                    • #11
                      Hmm... Okay, I re-configured it to this:


                      LoadModule ldap_module modules/mod_ldap.so
                      LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
                      LoadModule dav_svn_module modules/mod_dav_svn.so
                      LoadModule authz_svn_module modules/mod_authz_svn.so


                      <Location /svn/test>
                      DAV svn
                      SVNParentPath /var/www/svn/test
                      SVNListParentPath On
                      AuthType Basic
                      AuthName "MyTest Repository"
                      AuthUserFile /var/www/svn_access/auth
                      AuthzSVNAccessFile /var/www/svn_access/acl
                      AuthBasicProvider ldap
                      AuthLDAPURL "ldap://192.168.1.1:3289/DC=mydomain,DC=local?uid?"
                      Require valid-user
                      </Location>

                      Still no luck. When I try to log in I get an Internal Server Error.
                      The user I am trying to authenticate with has the identical name to the one in the acl file.



                      • #12
                        What entries did you see in the "error_log" and "access_log" files?

                        Note: The "SVNParentPath" value should be the directory/folder ABOVE your repository. If your repository is located at "/var/www/svn/test" then it should look like:

                            SVNParentPath /var/www/svn

                        Note: You should not be using an "AuthUserFile" since you're using LDAP via "AuthBasicProvider ldap".



                        • #13
                          access_log
                          192.168.2.1 - user [01/Nov/2017:15:20:53 -0400] "GET /test/ HTTP/1.1" 500 527 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

                          error_log
                          [Wed Nov 01 14:58:41.349491 2017] [mpm_prefork:notice] [pid 6468] AH00170: caught SIGWINCH, shutting down gracefully
                          [Wed Nov 01 14:58:42.407233 2017] [suexec:notice] [pid 6594] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
                          [Wed Nov 01 14:58:42.428805 2017] [so:warn] [pid 6594] AH01574: module ldap_module is already loaded, skipping
                          [Wed Nov 01 14:58:42.428823 2017] [so:warn] [pid 6594] AH01574: module authnz_ldap_module is already loaded, skipping
                          [Wed Nov 01 14:58:42.435423 2017] [auth_digest:notice] [pid 6594] AH01757: generating secret for digest authentication ...
                          [Wed Nov 01 14:58:42.435987 2017] [lbmethod_heartbeat:notice] [pid 6594] AH02282: No slotmem from mod_heartmonitor
                          [Wed Nov 01 14:58:42.439374 2017] [mpm_prefork:notice] [pid 6594] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips SVN/1.9.7 configured -- resuming normal operations
                          [Wed Nov 01 14:58:42.439397 2017] [core:notice] [pid 6594] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

                          subversion.conf

                          <Location /test>
                          DAV svn
                          SVNParentPath /var/www/svn/test
                          SVNListParentPath On
                          AuthType Basic
                          AuthName "Test Repository"
                          AuthSVNAccessFile /var/www/svn_access/acl
                          AuthBasicProvider ldap
                          AuthLDAPURL "ldap://192.168.1.1:3289/DC=mydomain,DC=local?uid?"
                          Require valid-user
                          </Location>

                          When I try to log in to the repo via web browser I am prompted to put in my username and password, and instantly get redirected to:

                          Internal Server Error

                          The server encountered an internal error or misconfiguration and was unable to complete your request.

                          Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

                          More information about this error may be available in the server error log.



                          • #14
                            For what it's worth, the 500 (Internal server error) is simply a "big question mark". Sadly, it is intentionally not helping you - in case you were attacking.

                            What is the path to your repository?



                            • #15
                              My repo path where the db, hook folder etc are stored is:
                              /var/www/svn/test

                              Yeah, I figured that was a generic error. I turned log debug on and it was saying the URI for LDAP authentication "server not found" or something like that.

                              I'll paste the exact error when I get a chance.
