How would I Add Two "AD" Groups in 1 LDAP Server - authentication

I have installed and configured Subversion on Linux 7, and on the front end I am using TortoiseSVN. At the server level, I want to integrate my Subversion with AD.
I have two repositories inside /u01/ciroot/subversion, DEV_REPO and PROD_REPO.
Also in AD I have two groups; one is OBIEE_DEV and the other is OBIEE_PROD. Now I want members of group OBIEE_DEV to access the repository DEV_REPO, and members of group OBIEE_PROD to access the repositories DEV_REPO and PROD_REPO (both). So in my AD, under group OBIEE_DEV, I have both user1 and user2, but in the AD group OBIEE_PROD I only have user2.
These things are set up properly. But how should I declare this in the /etc/httpd/conf.d/subversion.conf file? Below is my subversion.conf file, where right now only one group entry is mentioned, OBIEE_DEV; I want to add an entry for group OBIEE_PROD here too. Please guide me on how to achieve this.
<pre>
<location /svn>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_DEV,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=macgroup,DC=local"
AuthLDAPBindPassword password_of_ldap_server
Require valid-user
</location>
</pre>

First, read the box titled "Do You Really Need Path-Based Access Control?" here: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
But if you still decide you want to do this, that link should help you set it up. Basically, create two location entries, one for each repository, and point each at the AD group that grants that permission.
If you want people in the OBIEE_PROD group to have access to the DEV_REPO too, then just add the OBIEE_PROD group to your OBIEE_DEV group in AD.
This is an example, but I can't guarantee this will work exactly as-is:
<location /svn/DEV_REPO>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_DEV,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=macgroup,DC=local"
AuthLDAPBindPassword password_of_ldap_server
Require valid-user
</location>
<location /svn/PROD_REPO>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_PROD,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=macgroup,DC=local"
AuthLDAPBindPassword password_of_ldap_server
Require valid-user
</location>

Related

Integrate apache subversion with the active directory in windows server

Initially I installed Apache HTTP Server 2.4 on Windows Server 2012 R2, then installed Apache Subversion 1.8.7 and copied the module files (.so files) from Subversion to the Apache server. I created a repository. I set up the "AuthUserFile" and "AuthzSVNAccessFile" and put the following in httpd.conf:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I used the TortoiseSVN client to connect to the repository, which I connected to successfully; I created files and committed them without problems.
Later I wanted to set up authentication with Active Directory, so I added the following to the httpd.conf file:
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when I try to restart the Apache server it shows "The Requested operation has failed". I have checked the log files but there is nothing there.
It seems you are trying to search the whole AD catalog, as you do not specify any OU. This is not supported by Windows AD. However, the whole catalog is available by using port 3268.
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) don't have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
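As an added example (not from either thread above), here is how the two configurations combine into one Apache 2.4 layout that checks the group DN with Require ldap-group, as the second answer recommends, instead of a memberOf= filter in AuthLDAPURL, and that also resolves nested AD groups, which a memberOf= filter cannot because memberOf lists direct memberships only. Host name, service account DN and group DNs are taken from the first question; /usr/local/sbin/svn-ldap-bind-pw is a hypothetical helper program.

```apache
# Added example, not from either thread: shared LDAP settings live in the parent
# <Location>, and only the Require differs per repository. Host, service account and
# group DNs are the first question's; /usr/local/sbin/svn-ldap-bind-pw is hypothetical.
<Location /svn>
    DAV svn
    SVNParentPath /u01/ciroot/subversion
    SVNListParentPath Off

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # Port 3268 is the Global Catalog, which the second answer recommends when the
    # search base is the domain root rather than a specific OU. The URL filter only
    # selects user objects; group membership is decided by the Require lines below.
    AuthLDAPURL "ldap://ldap.server.com:3268/DC=macgroup,DC=local?sAMAccountName?sub?(objectClass=user)" STARTTLS
    AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=macgroup,DC=local"
    # Apache 2.4.5+: read the bind password from a program's stdout instead of
    # storing it in plain text in the configuration file.
    AuthLDAPBindPassword "exec:/usr/local/sbin/svn-ldap-bind-pw"

    # AD group objects list member DNs in 'member'; nested groups are objectClass
    # 'group' (not groupOfNames), so tell the module how to walk them.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPSubGroupClass group
    AuthLDAPSubGroupAttribute member
    AuthLDAPMaxSubGroupDepth 2

    # Applies to /svn itself; each repository section below replaces this Require.
    Require valid-user
</Location>

# Direct or nested members of OBIEE_DEV. Nesting OBIEE_PROD inside OBIEE_DEV in AD,
# as the first answer suggests, gives PROD members access here via the sub-group walk.
<Location /svn/DEV_REPO>
    Require ldap-group CN=OBIEE_DEV,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=macgroup,DC=local
</Location>

<Location /svn/PROD_REPO>
    Require ldap-group CN=OBIEE_PROD,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=macgroup,DC=local
</Location>
```

Because the group is given as a DN that the module compares against the group's member attribute, an OU DN (as in the second question's require ldap-group line) can never match, which is the failure that answer describes.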

Apache URL variable for SVN and LDAP

This is more of a question related to how Apache handles variables and the SetEnvIf directive. I have a Subversion server located at http://test.net/svn with the following configuration for SVN:
<Location /svn>
DAV svn
SVNParentPath /path/to/repo/base
AuthzSVNAccessFile /path/to/access
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://172.20.20.20:389/dc=test,dc=net?uid" NONE
AuthLDAPBindDN "cn=svn,ou=system,dc=test,dc=net"
AuthLDAPBindPassword secret
Require valid-user
</Location>
Inside "/path/to/repo/base", I have around 80 repositories, each accessed by http://test.net/svn/repo-name. This one Apache configuration handles authentication for all of the repositories using the "/path/to/access" file.
In the future, I'll do authorization using LDAP groups. However, I don't want to create separate Apache configurations for each repository. Basically, I would like to set a variable for the repository name using the Request URI. For example, I access http://test.net/svn/repo-name/path/to/file.txt and Apache knows that "repo-name" is the variable.
Something like this (syntax is not correct, just pseudo-code):
SetEnvIf Request_URI "http://test.net/svn/$1/.*" repo-name=$1
...
...
Require ldap-group cn=$repo-name,ou=system,dc=test,dc=net

How to disable anonymous checkout with apache svn server

I built an SVN server with Apache. It works fine.
I don't want anonymous users to be able to check out, so I set up httpd like this:
<location /svn>
DAV svn
SVNListParentPath Off
SVNParentPath C:/SVN/
Satisfy All
AuthType Basic
AuthName "Subversion Dir"
AuthUserFile "C:\Program Files (x86)\Subversion\svn-auth-conf.txt"
AuthzSVNAccessFile "C:\Program Files (x86)\Subversion\svn-acl-conf.txt"
Require valid-user
</location>
but I can still check out from the command line like
svn co http://repos test
without any username and password
What can I do to solve this issue?
You may have stored credentials for this URL
Remove Satisfy - read "Blanket access control" in SVN Book with sample
AuthName ...
AuthType ...
AuthUserFile ...
Require valid-user

Give Access to folder(s) with LDAP authentification to certain OUs with Apache?

I want to make a web directory protected by htaccess so that LDAP users in certain OUs can access it.
I've googled all day and I couldn't make it happen. I'm using Apache 2.2 on Ubuntu Server 10.04 LTS. Here is my htaccess:
AuthType Basic
AuthName "LOGIN"
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://SERVER_IP/ou=users,dc=domain,dc=TLD,dc=ccTLD?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=user,dc=domain,dc=TLD,dc=ccTLD"
AuthLDAPBindPassword passwd
#I've tried all of below:
#Require valid-user # This works just fine. But i don't want everyone can login.
#Require ldap-group ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD # Tried this one and failed.
Require ldap-filter (ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD) # tried this one and also failed.
Thank you very much.
I found the problem. You shouldn't use brackets around the ldap-filter attribute.
This:
Require ldap-filter (ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD)
Should be like this:
Require ldap-filter ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD

How to dynamically set group access in apache2 configuration

I have an apache configuration containing the following directives. It is for a trac environment with multiple projects, each containing a different set of users that are allowed access.
I want to use a wildcard to allow only a defined group access to this environment; how can this be done? Currently my config allows all users:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require valid-user
</LocationMatch>
But I would like it to read something like:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require Group [^/]
</LocationMatch>
Is this possible?
With Trac, I find it much easier to allow access to everybody in the Apache config and then use Trac's account manager plugin (http://trac-hacks.org/wiki/AccountManagerPlugin) to control access to each project's Trac instance. Revoke all permissions from the 'anonymous' user, and users from group2 won't be able to do anything with group1's Trac instance except see an error page and be prompted to login.
What I would do is the following...
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
AuthGroupFile /home/auth/private.access.groups
Require Group group1 group2
</LocationMatch>
Where the group file /home/auth/private.access.groups is just a simple text (ascii) file, for example it could look like this:
group1: john barry
group2: frank jeremy
I'm not sure if regular expressions are possible in the Require Group directive (I doubt they are); I always name particular groups listed in the group authentication file.