how to allow unamed user in svn authz file? - authentication

I have a subversion server running with apache. It authenticates users using LDAP in apache configuration and uses SVN authorizations to limit user access to certain repositories. This works perfectly.
Apache
DAV svn
SVNParentPath /srv/svn
SVNListParentPath Off
SVNPathAuthz Off
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthLDAPBindDN # private stuff
AuthLDAPBindPassword # private stuff
AuthLDAPURL # private stuff
Require valid-user
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
Subversion
[groups]
soft = me, and, all, other, developpers
Adding anonymous access from one machine
Now, I have a service I want to setup (rietveld, for code reviews) that needs to have an anonymous access to the repository. As this is a web service, accesses are always done from the same server. Thus I added apache configuration to allow all accesses from this machine. This did not work until I add an additional line in the authorization file to allow read access to all users.
Apache
<Limit GET PROPFIND OPTIONS REPORT>
Order allow,deny
Allow from # private IP address
Satisfy Any
</Limit>
Subversion
[Software:/]
#soft = rw
* = r # <-- This is the added line
For instance, before I add the authorization from a specific IP, all users were authenticated, and thus had a name. Now, some accesses are done without a user name! I found the - user name in the apache log files, but the line - = r does not work, neither do anonymous = r. I'd like not to allow read access to everyone in SVN authorization. How can I do this?

Try putting this in your authz file:
[Software:/]
#soft = rw
$anonymous=r

Related

BasicAuth with "ldap file" providers doesn't work for users in file

I have a host where authenticated users need to be in a certain ldap group. This worked perfectly. Afterwards I needed an external user that I put locally in a file and this one doesn't work.
When I comment out all the ldap lines that user works, so the file is created correctly and accessible by Apache 2.2, but when I add ldap, everything work for the ldap users but not for the file user.
When I try to log in with the local in file user with a bad password I get the log in pop-up again, as usual, but when I insert the correct credentials I get "Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my set upon Apache 2.2
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative to allow the failure to match the ldap-based Require directives to not be fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.

Integrate apache subversion with the active directory in windows server

Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.

SVN Repo works without authentication

I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.

Apache ignores 'require user'

We are using a berkeley-db for authorisation of svn-access.
We have it configured like that:
<Location /svn>
AuthType basic
AuthName "svn Authentication"
AuthBasicProvider dbm
AuthDBMUserFile /****/userDatabase.db
AuthDBMType db
AuthDBMGroupFile /****/userDatabase.db
AuthzDBMType db
SSLRequireSSL
</Location>
Until here everything works fine and people gain access according to their respective groups. No I wanted / need to add some specific users to gain (read-only) access to one repository without changing their groups. I tried the following
<Location /svn/administration>
DAV svn
SVNPath /data/svn/administration
SVNPathAuthz off
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group svn-admin-readwrite
</LimitExcept>
<Limit GET PROPFIND OPTIONS REPORT>
Require group svn-admin-read
Require user testUser testUser2
</Limit>
</Location>
The modules 'authn_dbm' and 'authz_user' are enabled. Anything (obvious) I am missing here? Any help is appreciated!
Anything (obvious) I am missing here?
Reading (and understanding) some parts of SVN Book, at least "Per-directory access control" (maybe full chapter "httpd, the Apache HTTP Server") and "Path-Based Authorization"
I see at least two weakness in current config
Without DAV svn+SVNParentPath in <Location /svn> container you must to have for N repositories N+1 Location containers and add|remove location for every added|removed repository. Subversion-way is to have single location for parent of repository-dirs
For example, if you know you will be creating multiple Subversion repositories in a directory /var/svn that would be accessed via URLs such as http://my.server.com/svn/repos1, http://my.server.com/svn/repos2, and so on, you could use the httpd.conf configuration syntax in the following example:
<Location /svn>
DAV svn
# Automatically map any "/svn/foo" URL to repository /var/svn/foo
SVNParentPath /var/svn
</Location>
Using this syntax, Apache will delegate the handling of all URLs whose path portions begin with /svn/ to the Subversion DAV provider, which will then assume that any items in the directory specified by the SVNParentPath directive are actually Subversion repositories. This is a particularly convenient syntax in that, unlike the use of the SVNPath directive, you don't have to restart Apache to add or remove hosted repositories.
Path-based ACLs for Subversion in Apache implemented (and used in 99% cases) with authz_svn_module and AuthzSVNAccessFile, in which user's and group's access rights (for any repository in tree or part of repo-tree) defined... and also group's membership, which makes AuthDBMGroupFile obsoleted (and Location without LimitExcept & Limit - more compact and readable)

Apache + Perl + NTLM/LDAP == Single signon?

We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.
I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the solaris servers so we need to compile everything ourselves.
Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?
NTLM Winbind
I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You need to have Samba and winbind installed, properly configured and running.
You can download the module from the Samba project tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
In order to authenticate users via NTLM you have to add the following directives to your directory settings:
<Directory /srv/http>
Allow from all
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
AllowOverride all
</Directory>
Of course you need to load the module, too:
LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so
The Windows user account is passed to the application as the REMOTE_USER:
#!/usr/bin/perl
use CGI;
my $query = new CGI;
# get the windows account from the header
my $windows_account = $query->remote_user();
Note that IE only sends the user authentication data to trusted sites.
Here's a website with a bit more info on the module.
Direct Authentication via LDAP
Another method is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is probably loaded by default already. Note that this is not true Single signon as the user is prompted for a password.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Add this to your directory definition:
<Directory /srv/http>
AuthName "Authentication required"
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
# "protocol://hostname:port/base?attribute?scope?filter" NONE
# NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
# This is only needed if your LDAP server doesn't allow anonymous binds
AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
AuthLDAPBindPassword super-secret
Require valid-user
AllowOverride all
</Directory>
More info about the module.
There are mod_ntlm and mod_ldap plugins for apache which you can use to authenticate.
In your case, i'd assume that you actually do want to use mod_ntlm and ldap or "active directory" is only its backend?
Here's on tutorial that covers the setting up phase: http://sivel.net/2007/05/sso-apache-ad-1/
Compilation phase in the tutorial is aimed for rpm based linux platform though but twiki has some more info about compiling for solaris10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b