Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
Related
I have installed and configured a subversion in Linux7 and from the front end I am using svn tortoise. From server lever, I want to integrate my subversion with AD.
I have two repositories inside /u01/ciroot/subversion, like DEV_REPO and PROD_REPO.
Also in AD I have two groups; one is OBIEE_DEV and another is OBIEE_PROD. Now I want members of group OBIEE_DEV to access the repository DEV_REPO and members of group OBIEE_PROD
to access the repository DEV_REPO and PROD_REPO (both). So in my AD, under group OBIEE_DEV, I have user1 and user2 both there, but in the AD group OBIEE_PROD I only have user2.
These things are placed properly. But in /etc/httpd/conf.d/subversion.conf file how should I declare this? Below is my subversion.conf file where right now only one group entry is mentioned which is OBIEE_DEV, i want to add entry for group OBIEE_PROD too here. Please guide me how to achieve this.
<pre>
<location /svn>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_DEV,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global
Resources,DC=macgroup,DC=local"
AuthLDAPBindPassword password_of_ldap_server
Require valid-user
</location>
</pre>
First, read the box titled "Do You Really Need Path-Based Access Control?" here: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
But if you still decide you want to do this, that link should help you set this up. But basically, create two location entries: one for each repository. You point each at the group at the AD group that grants that permission.
If you want people in the OBIEE_PROD group to have access to the DEV_REPO too, then just add the OBIEE_PROD group to your OBIEE_DEV group in AD.
This is an example, but I can't guarantee this will work exactly as-is:
<location /svn/DEV_REPO>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_DEV,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global
Resources,DC=macgroup,DC=local"
AuthLDAPBindPassword password_of_ldap_server
Require valid-user
</location>
<location /svn/PROD_REPO>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_PROD,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global
Resources,DC=macgroup,DC=local"
AuthLDAPBindPassword password_of_ldap_server
Require valid-user
</location>
I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
This is more of a question related to how Apache handles variables and the SetEnvIf directive. I have a Subversion server located at http://test.net/svn with the following configuration for SVN:
<Location /svn>
DAV svn
SVNParentPath /path/to/repo/base
AuthzSVNAccessFile /path/to/access
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://172.20.20.20:389/dc=test,dc=net?uid" NONE
AuthLDAPBindDN "cn=svn,ou=system,dc=test,dc=net"
AuthLDAPBindPassword secret
Require valid-user
</Location>
Inside "/path/to/repo/base", I have around 80 repositories, each accessed by http://test.net/svn/repo-name. This one Apache configuration handles authentication for all of the repositories using the "/path/to/access file".
In the future, I'll do authorization using LDAP groups. However, I don't want to create separate Apache configurations for each repository. Basically, I would like to set a variable for the repository name using the Request URI. For example, I access http://test.net/svn/repo-name/path/to/file.txt and Apache knows that "repo-name" is the variable.
Something like this (syntax is not correct, just pseudo-code):
SetEnvIf Request_URI "http://test.net/svn/$1/.*" repo-name=$1
...
...
Require ldap-group cn=$repo-name,ou=system,dc=test,dc=net
I build a SVN server with apache. It work fine.
I don't want to anonymous could checkout, so I set httpd like
<location /svn>
DAV svn
SVNListParentPath Off
SVNParentPath C:/SVN/
Satisfy All
AuthType Basic
AuthName "Subversion Dir"
AuthUserFile "C:\Program Files (x86)\Subversion\svn-auth-conf.txt"
AuthzSVNAccessFile "C:\Program Files (x86)\Subversion\svn-acl-conf.txt"
Require valid-user
</location>
but I still can checkout by commnd line like
svn co http://repos test
without any username and password
How can I do to solve this issue?
You may have stored credentials for this URL
Remove Satisfy - read "Blanket access control" in SVN Book with sample
AuthName ...
AuthType ...
AuthUserFile ...
Require valid-user
I want to make a web directory protectde by htaccess and LDAP users in certain OU's can access it.
I've googled all day and I couldn't make it happen. I've using Apache 2.2 on Ubuntu Server 10.04 LTS. Here is my htaccess:
AuthType Basic
AuthName "LOGIN"
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://SERVER_IP/ou=users,dc=domain,dc=TLD,dc=ccTLD?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=user,dc=domain,dc=TLD,dc=ccTLD"
AuthLDAPBindPassword passwd
#I've tried all of below:
#Require valid-user # This works just fine. But i don't want everyone can login.
#Require ldap-group ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD # Tried this one and failed.
Require ldap-filter (ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD) # tried this one and also failed.
Thank you very much.
I found the problem. You shouldn't use brackets around the ldap-filter attribute.
This:
Require ldap-filter (ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD)
Should be like this:
Require ldap-filter ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD