I'll first start with my setup. For this we have 2 servers
Server1 is going to be used for all the sourcecode, files, etc..,
And on Server2 we have all our user information and logins.
Both servers are running on Centos 6.4
Now we want to setup a SVN repository on server1 thats working with apache (httpd) and has a LDAP authentication that uses accounts from server 2.
Previously i set up a CVS repo aswel so i'm 100% sure ldap is working.
My SVN repo is working as it should with apache, but i just can't seem to set my ldap authentication correctly.
I've been looking for a few days now and i don't know what to do anymore.
My /etc/httpd/conf.d/subversion.conf looks like the following
<Location /svn>
DAV svn
SVNPath /var/www/svn/testProject
AuthType Basic
AuthName "My repo"
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthUserFile /var/www/svn-auth-conf
Require valid-user
#AuthzSVNAccessFile /var/www/svn-acces-control
my /etc/openldap/ldap.conf on server1 looks like this
REFERRALS off
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://macserver.intranet.zappware.com
BASE cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
On server1 i have root access so i am able to setup it up correctly.
When i go to Server2 on my user account i can do a ldapsearch like this
userM$ ldapsearch -x -b cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
I get all the user accounts on that server
but when i try ldapsearch -x -b cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com -W sAMAccount
Server2 asks me for the LDAP password. But i don't have that password, and our previous IT manager who did all the server stuff, has left the company.
so i thought i could just make another password and put in in the
/etc/openldap/slapd.conf
but when i check that file on server 2 its just empty
Hopefully there is someone who could give me some new and helpfull tips on how to solve this
Ok i solved it
Changed my LDAPURL cause there was no need for me to bind it.
<Location /svn>
DAV svn
SVNPath /var/www/svn/testProject
AuthBasicProvider ldap
AuthType Basic
AuthName "My repo"
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com" NONE
Require valid-user
</Location>
I forgot to declare the AuthBasicProvider ldap
hope this can be useful to others
Related
Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
I am running apache on EC2 Redhat Linux.
Server version: Apache/2.2.15
Red Hat Enterprise Linux Server release 6.4 (Santiago)
I have ldap attache to it. I would like to have uses not enter id or password when then type my application url in web browser.
Is there a way to do it?
Here is my httpd.conf
<location />
AuthType Basic
AuthBasicProvider ldap
AuthName "Web Console Authentication"
AuthLDAPBindDN <user>
AuthLDAPBindPassword <password>
AuthLDAPURL <ldapusl>
AuthUserFile /dev/null
require valid-user
</location>
but this needs user to enter ID and password?
Please let me know if you need any information.
Thanks for your help.
Based on your response to comments you're going to need to use mod_ntlm for that
This is more of a question related to how Apache handles variables and the SetEnvIf directive. I have a Subversion server located at http://test.net/svn with the following configuration for SVN:
<Location /svn>
DAV svn
SVNParentPath /path/to/repo/base
AuthzSVNAccessFile /path/to/access
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://172.20.20.20:389/dc=test,dc=net?uid" NONE
AuthLDAPBindDN "cn=svn,ou=system,dc=test,dc=net"
AuthLDAPBindPassword secret
Require valid-user
</Location>
Inside "/path/to/repo/base", I have around 80 repositories, each accessed by http://test.net/svn/repo-name. This one Apache configuration handles authentication for all of the repositories using the "/path/to/access file".
In the future, I'll do authorization using LDAP groups. However, I don't want to create separate Apache configurations for each repository. Basically, I would like to set a variable for the repository name using the Request URI. For example, I access http://test.net/svn/repo-name/path/to/file.txt and Apache knows that "repo-name" is the variable.
Something like this (syntax is not correct, just pseudo-code):
SetEnvIf Request_URI "http://test.net/svn/$1/.*" repo-name=$1
...
...
Require ldap-group cn=$repo-name,ou=system,dc=test,dc=net
I'm trying to run Artifactory behind an Apache proxy with basic auth. I've done this for a few other webapps (Jira, Jenkins, AnthillOS), but am having a problem with Artifactory. The Apache config proxies /artifactory to the stand-alone Artifactory server, and defines basic auth for the /artifactory path:
<Location "/artifactory">
AuthUserFile /prod/data/apachePasswords
AuthName "My Realm"
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Location>
Anonymous browsing is activated in Artifactory.
When I attempt access via a web browser, I first receive the authentication dialog from Apache. After successfully entering those credentials, I'm given another authentication dialog, this one for the "Artifactory Realm". After entering credentials for an Artifactory acccount, I'm re-presented the first authentication dialog and the cycle continues.
I'd like to get just the first dialog, then go directly to Artifactory for anonymous browsing. If I disable the authentication in Apache, I can anonymously browse Artifactory, but when I enable basic auth in Apache, I get two separate circular authentication dialogs. Any ideas how I can kill that second dialog?
I ran into the same problem this week. The login for the "Artifactory Realm" is the same as the default login for the Artifactory (admin/password). When you login to the "Artifactory Realm" it will log you into the Artifactory gui. I'm using Artifactory 2.6.5
I had the same issue and fixed it by unsetting the authorization header in the Apache proxy. It looks like the Artifactory is getting upset by this authorization header (from the first dialog) and requires a "good" Artifactory password in the second dialog. Here is my config:
<Location / >
AuthType basic
AuthName "Apache authenticate"
AuthUserFile /var/www/repo.domain.com/.htpasswd
AuthGroupFile /dev/null
Require valid-user
RequestHeader unset Authorization
ProxyPass http://repo.company.local:8081/artifactory/repo/
ProxyPassReverse http://repo.company.local:8081/artifactory/repo/
</Location>
To use the unset header feature mod_headers must be enabled.