SVN LDAP Authentication

• #16
Since your repository folder is "/var/www/svn/test" then:

<Location /svn> (NOTE: Not "/test")
SVNParentPath /var/www/svn (NOTE: No "/test")

When you go to access the repository via a URL (either browser or svn client):

http://hostName:port/svn/test (NOTE: here is where you put the "/test", preceded by the Location ("/svn")).

• #17
Alright so I made the following changes:

<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath On
AuthType Basic
AuthName "MyTest Repository"
AuthzSVNAccessFile /var/www/svn_access/acl
AuthBasicProvider ldap
AuthLDAPURL "ldap://192.168.1.1:3289/DC=mydomain,DC=local?uid?"
Require valid-user
</Location>

Here is the error_log output:

[Thu Nov 02 15:43:20.945672 2017] [authz_svn:debug] [pid 5338] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.2.1:60980] Path to authz file is /var/www/svn_access/acl
[Thu Nov 02 15:43:20.948214 2017] [authz_svn:info] [pid 5338] [client 192.168.2.1:60980] Access granted: - GET test:/
[Thu Nov 02 15:43:20.948231 2017] [authz_core:debug] [pid 5338] mod_authz_core.c(809): [client 192.168.2.1:60980] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Nov 02 15:43:20.948235 2017] [authz_core:debug] [pid 5338] mod_authz_core.c(809): [client 192.168.2.1:60980] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Nov 02 15:43:21.825615 2017] [proxy:debug] [pid 5352] proxy_util.c(1843): AH00925: initializing worker proxy:reverse shared
[Thu Nov 02 15:43:21.825649 2017] [proxy:debug] [pid 5352] proxy_util.c(1885): AH00927: initializing worker proxy:reverse local
[Thu Nov 02 15:43:21.825677 2017] [proxy:debug] [pid 5352] proxy_util.c(1936): AH00931: initialized single connection worker in child 5352 for (*)

[Thu Nov 02 15:43:27.539959 2017] [authz_core:debug] [pid 5339] mod_authz_core.c(809): [client 192.168.2.1:60983] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Nov 02 15:43:27.539998 2017] [authz_core:debug] [pid 5339] mod_authz_core.c(809): [client 192.168.2.1:60983] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Nov 02 15:43:27.540040 2017] [authnz_ldap:debug] [pid 5339] mod_authnz_ldap.c(501): [client 192.168.2.1:60983] AH01691: auth_ldap authenticate: using URL ldap://192.168.1.1:3289/DC=mydomain,DC=local?uid?
[Thu Nov 02 15:43:27.540342 2017] [ldap:debug] [pid 5339] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Thu Nov 02 15:43:27.542103 2017] [authnz_ldap:info] [pid 5339] [client 192.168.2.1:60983] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /svn/test/ [ldap_search_ext_s() for user failed][Operations error]

• #18
My apologies: I misspoke before.

If your LDAP authority requires a login to search, and given that last line in the log it looks like it, please add back in the AuthLDAPBindDN and AuthLDAPBindPassword directives. However, you should use credentials meant specifically for browsing (read-only) the LDAP authority.

The rest of your config looks good.

• #19
Here's the new error_log:

[Thu Nov 02 19:14:42.839644 2017] [authnz_ldap:info] [pid 14966] [client 192.168.2.1:62671] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /svn/test/ [User not found][No such object]
[Thu Nov 02 19:14:42.839661 2017] [auth_basic:error] [pid 14966] [client 192.168.2.1:62671] AH01618: user testuser not found: /svn/test/

I've added:

AuthLDAPBindDN "testuser@mydomain.local"
AuthLDAPBindPassword "password"

Why does it seem like it's trying to AuthZ from the /svn/test/ directory?

• #20
What URL are you using?

• #21
192.168.10.1/svn/test/

It takes me to the login page but doesn't let me in.

• #22
The browser should pop up a window asking for username and password. Is that happening?

• #23
Also, try adding "sub" to the end of the AuthLDAPURL like this:

AuthLDAPURL "ldap://192.168.1.1:3289/DC=mydomain,DC=local?uid?sub"

• #24
Yeah, I do get the window to pop up asking for my username and password.

I also just tried adding "sub" to the end of the AuthLDAPURL, with and without a question mark.

Still getting this error message in the logs:

[Thu Nov 02 20:54:11.140025 2017] [authnz_ldap:info] [pid 20509] [client 192.168.2.1:63571] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /svn/test/ [User not found][No such object]
[Thu Nov 02 20:54:11.140038 2017] [auth_basic:error] [pid 20509] [client 192.168.2.1:63571] AH01618: user testuser not found: /svn/test/
[Thu Nov 02 20:54:29.224567 2017] [authz_core:debug] [pid 20510] mod_authz_core.c(809): [client 192.168.2.1:63592] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Nov 02 20:54:29.224601 2017] [authz_core:debug] [pid 20510] mod_authz_core.c(809): [client 192.168.2.1:63592] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Nov 02 20:54:29.224639 2017] [authnz_ldap:debug] [pid 20510] mod_authnz_ldap.c(501): [client 192.168.2.1:63592] AH01691: auth_ldap authenticate: using URL ldap://192.168.1.1:389/DC=mydomain,DC=local?uid?sub?
[Thu Nov 02 20:54:29.224847 2017] [ldap:debug] [pid 20510] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Thu Nov 02 20:54:29.619225 2017] [authnz_ldap:info] [pid 20510] [client 192.168.2.1:63592] AH01695: auth_ldap authenticate: user testuser authentication failed; URI /svn/test/ [User not found][No such object]
[Thu Nov 02 20:54:29.619241 2017] [auth_basic:error] [pid 20510] [client 192.168.2.1:63592] AH01618: user testuser not found: /svn/test/

• #25
Those errors are due to not being able to find those account "uid"s in the LDAP LDIF tree. That would mean that your AD, for some reason, does not like either of those.
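
The "[User not found]" diagnosis above, as an added example that is not part of the original thread and not Apache's code: a Python model of how mod_authnz_ldap turns an AuthLDAPURL plus the submitted username into an LDAP search, run against a constructed in-memory entry shaped like an Active Directory user (it carries sAMAccountName and userPrincipalName; AD does not populate uid by default). With `?uid?` the search matches nothing, which is exactly the log line in the thread; with `?sAMAccountName?` the same entry is found. The URL defaults follow the AuthLDAPURL manual (attribute uid, scope sub, filter `(objectClass=*)`, combined as `(&(filter)(attribute=user))`), and the username is escaped per RFC 4515 before it is placed in the filter, as the module also does. The sample entry, the toy filter evaluator and all helper names are assumptions for illustration only.

```python
"""Model of how mod_authnz_ldap builds its user search from AuthLDAPURL.
Added example for this thread; toy in-memory directory, not a real LDAP
client and not Apache's code."""
import re
from urllib.parse import urlsplit, unquote


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter.  Leaving this
    out when you build filters yourself is an LDAP filter-injection bug."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def unescape_filter_value(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_auth_ldap_url(url):
    """ldap[s]://host:port/basedn?attribute?scope?filter, with the defaults
    the AuthLDAPURL manual gives: attribute uid, scope sub, filter
    (objectClass=*).  A missing port means 389 (636 for ldaps)."""
    u = urlsplit(url)
    parts = (u.query.split('?') if u.query else []) + ['', '', '']
    attribute, scope, flt = parts[:3]
    return {
        'host': u.hostname,
        'port': u.port or (636 if u.scheme == 'ldaps' else 389),
        'base_dn': unquote(u.path.lstrip('/')),
        'attribute': attribute or 'uid',
        'scope': scope if scope in ('one', 'sub') else 'sub',
        'filter': flt or '(objectClass=*)',
    }


def build_search_filter(cfg, username):
    """(&(<url filter>)(<attribute>=<escaped username>)), e.g.
    (&(objectclass=person)(uid=username)) in the manual's example."""
    return '(&%s(%s=%s))' % (cfg['filter'], cfg['attribute'],
                             escape_filter_value(username))


def _split_top_level(s):
    """'(a=1)(b=2)' -> ['(a=1)', '(b=2)']"""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def matches(entry, flt):
    """Tiny filter evaluator: &, |, !, attr=value and attr=*.  Attribute
    names and values compare case-insensitively, as AD does for these."""
    body = flt[1:-1]
    if body and body[0] in '&|!':
        results = [matches(entry, sub) for sub in _split_top_level(body[1:])]
        return {'&': all, '|': any, '!': lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition('=')
    have = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(have) if value == '*' else unescape_filter_value(value).lower() in have


def search(directory, cfg, username):
    """DNs under the base DN that the module's search would return."""
    flt = build_search_filter(cfg, username)
    base = cfg['base_dn'].lower()
    return [e['dn'] for e in directory
            if e['dn'].lower().endswith(base) and matches(e, flt)]


def entry(dn, **attrs):
    e = {k.lower(): list(v) for k, v in attrs.items()}
    e['dn'] = dn
    return e


# Constructed sample data: one AD-style user object.  It has sAMAccountName
# and userPrincipalName but no uid, which AD does not populate by default.
DIRECTORY = [
    entry('CN=Test User,CN=Users,DC=mydomain,DC=local',
          objectClass=['top', 'person', 'user'],
          sAMAccountName=['testuser'],
          userPrincipalName=['testuser@mydomain.local']),
]


if __name__ == '__main__':
    for url in ('ldap://192.168.1.1:389/DC=mydomain,DC=local?uid?sub',
                'ldap://192.168.1.1:389/DC=mydomain,DC=local?sAMAccountName?sub'):
        cfg = parse_auth_ldap_url(url)
        found = search(DIRECTORY, cfg, 'testuser')
        print(build_search_filter(cfg, 'testuser'), '->', found or 'User not found')
```

Running it prints the two generated filters, the first with an empty result and the second with the entry's DN. The same machinery shows why escaping matters: a username of `*` becomes `\2a` in the filter and matches nothing, whereas an unescaped `*` would match every entry under the base DN.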


• #26
I ended up having the incorrect AuthLDAPURL, and I also required sAMAccountName as opposed to the uid.

Question about using SVNParentPath.

Would it be possible to have a message when I'm accessing the repo?
Example:

<Location /svn>

SVNParentPath /var/www/svn

I have a repo within /var/www/svn called Test2.

Would there be a way to have an AuthName when I access Test2?

Thanks for your help DougR!! Really appreciate it!!
Last edited by cortezj; 11-07-2017, 04:30 PM.

• #27
Now that you're using SVNParentPath the AuthZ file needs a bit of changing to be able to specify different accounts. There's a bit of "path arithmetic" that needs to be taken care of. Since you have "<Location /svn>" and are using SVNParentPath, then the URL will end in "/svn/<repoName>" (e.g. "/svn/Test2"). To determine what you need in the header of the sections in your AuthZ file then you subtract the "Location" from the URL ending. In this case "/svn/Test2" - "/svn" = "Test2". That means your AuthZ file headers will take the form of:

[Test2:/path]

and

[test:/path]

Any rules where the header has no repository name on the left will be used for ALL REPOS, so be careful about those.

As for a "message", where would you expect to see that message? What would you expect it to say? Guess I'm not following.
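
The path arithmetic and the two header forms in the post above, as an added example that is not from the original thread and not Subversion's own code: a Python evaluator that strips the Location prefix from a request path to get the repository name and the in-repository path, then consults a constructed authz file. Section lookup follows what the post describes for SVNParentPath setups: walking from the requested path up to the root, a `[repo:/path]` section is tried before a bare `[/path]` section at each level, and the first section containing a rule that applies to the user decides, so a bare section really does apply to every repository. Combining several applying rules inside one section is modelled as it worked on 1.9-era servers (a permission is granted if any applying rule grants it); Subversion 1.10 changed the precedence between user, group and `*` rules, so check the release notes for the version you run. The sample authz text, user names and helper names are assumptions for illustration; nested groups and the `~` negation syntax are not modelled.

```python
"""Added example, not Subversion's code: SVNParentPath path arithmetic plus
a minimal evaluator for an authz file with [repo:/path] and bare [/path]
sections (1.9-era rule combination, see lead-in)."""
import configparser
from urllib.parse import unquote

# Constructed sample authz file.  The bare [/] section is the kind of rule
# the post warns about: it applies to EVERY repository under SVNParentPath,
# here granting read to everyone (anonymous included) wherever no
# repository-specific section decides first.
AUTHZ = """
[groups]
devs = alice, bob

[/]
* = r

[Test2:/]
@devs = rw

[Test2:/tags]
@devs = r
carol = rw

[/tags]
* =

[test:/]
* =
bob = rw
"""


def split_request(location, request_path):
    """'/svn' + '/svn/Test2/trunk/a.c' -> ('Test2', '/trunk/a.c'); the
    Location itself (the SVNListParentPath listing) -> (None, '/')."""
    prefix = '/' + location.strip('/') if location.strip('/') else ''
    path = unquote(request_path)
    if path != prefix and not path.startswith(prefix + '/'):
        raise ValueError('%r is not under Location %r' % (request_path, location))
    rest = path[len(prefix):].strip('/')
    if not rest:
        return None, '/'
    repo, _, inner = rest.partition('/')
    return repo, '/' + inner


def load_authz(text):
    cp = configparser.ConfigParser(delimiters=('=',), comment_prefixes=('#',),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # user, group and path names are case-sensitive
    cp.read_string(text)
    return cp


def _members(group, groups):
    """Members of a [groups] entry (nested @group references not modelled)."""
    return set(groups.get(group, '').replace(',', ' ').split())


def _applies(principal, user, groups):
    """Does a rule's left-hand side cover USER (None means anonymous)?"""
    if principal == '*':
        return True
    if principal == '$authenticated':
        return user is not None
    if principal.startswith('@'):
        return user is not None and user in _members(principal[1:], groups)
    return principal == user


def _section_decides(cp, section, user, groups, perm):
    """True/False when some rule in SECTION applies to USER, else None."""
    if not cp.has_section(section):
        return None
    applied = granted = False
    for principal, perms in cp.items(section):
        if _applies(principal, user, groups):
            applied = True
            granted = granted or perm in perms
    return granted if applied else None


def check_access(cp, repo, path, user, perm):
    """Is PERM ('r' or 'w') on PATH of REPO granted to USER?  Walks from PATH
    up to '/', trying [repo:path] before [path] at every level."""
    groups = dict(cp.items('groups')) if cp.has_section('groups') else {}
    p = path.rstrip('/') or '/'
    while True:
        for section in ([repo + ':' + p] if repo else []) + [p]:
            decision = _section_decides(cp, section, user, groups, perm)
            if decision is not None:
                return decision
        if p == '/':
            return False  # no applicable rule anywhere: deny
        p = p.rsplit('/', 1)[0] or '/'


if __name__ == '__main__':
    cp = load_authz(AUTHZ)
    repo, path = split_request('/svn', '/svn/Test2/tags/1.0')
    print(repo, path, check_access(cp, repo, path, 'alice', 'w'))
```

Two results worth noticing when you run it: an anonymous read of `Test2:/` is granted because nothing in `[Test2:/]` applies to an anonymous user and the bare `[/]` then takes over, while an authenticated read of `test:/trunk` is denied because `[test:/]` has an applying `* =` rule and is consulted before `[/]`. That is the "used for ALL REPOS" warning in concrete form.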


• #28
Sorry I must not be asking it correctly.

Prior to using SVNParentPath we were just using SVNPath, for which we were required to edit the subversion config file and add a new <Location /newrepo> every time we wanted to create a new repository.

Within each of these we had an AuthName indicating you are accessing this particular repo.

Now my question is, when using SVNParentPath is there a way to say "you are accessing Repo1"?

Also on another note: not sure if I should start a new thread or not, different topic.
Is there a way to sync a production SVN server (Windows) to this new one that I've created?

Or am I going to have to tell everyone to stop making changes and then I do the cutover?
There must be an easier way to do this.

Last edited by cortezj; 11-08-2017, 04:32 PM.

• #29
The Apache "AuthName" directive, according to its manual (https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html) is defined as: "This directive sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send." Most people set it to something like "Subversion Repos".

In general, since your users will need to type the repository name in order to get to the repository using the SVNParentPath they'll know what it is. No more need to describe the repository hidden in the "SVNPath" directive.

If you enable browsing of the ParentPath by configuring "SVNListParentPath on" then they'll be able to browse to the "Location" (e.g. "/svn") and see the repositories to which they have access (since 1.7 this list is pruned based on an account's AuthZ to the repository root directory).

Per your last question, given you're migrating from Windows to Linux you will need to "svnadmin dump" and "svnadmin load". This is a good thing since it will enable you to make full use of the new 1.9 enhanced repository features. But you are going to need to have a flag day to do this. For a deeper discussion please create a new topic.

• #30
Ahhh understood, makes more sense now.

Really appreciate the help DougR!! I'd buy you a coffee if you're around my area lol

I'll start a new thread for that discussion.

Cheers!