LinuxQuestions.org


yield 08-03-2010 03:58 PM

Apache/SVN LDAP authentication
 
Hi There,

I am looking to build a new SVN server with LDAP authentication in our enterprise. I already did that in smaller corporations, but at that time I had total control over the MS AD server we were using.

As for now, I don't. And what I need is: AuthLDAPBindPassword "SecretPass".
I know they won't give it to me for obvious reasons...

Now, is there any other way to use that type of configuration without the master AD password? Or is there any way to get that kind of pass for a specific OU section?

I know that is kind of more of an MS product question, but since some people here probably faced that issue...

Here is the config I would use in my Apache config file:

Quote:

<Location /repos>
# Enable Subversion
DAV svn

# Directory containing all repository for this path
SVNParentPath /absolute/path/to/directory/containing/your/repositories

# LDAP Authentication & Authorization is final; do not check other databases
AuthLDAPAuthoritative on

# Do basic password authentication in the clear
AuthType Basic

# The name of the protected area or "realm"
AuthName "Your Subversion Repository"

# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account
AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"

# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword somepassword

# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# The URL below will search for all objects recursively below the basedn
# and validate against the sAMAccountName attribute
AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

# Require authentication for this Location
Require valid-user
</Location>

Regards,

zirias 08-03-2010 04:25 PM

Did you try mod_auth_sspi? Instead of directly accessing the AD via LDAP, it uses Windows' own authentication mechanisms. Working great for my svn repo in the company :)

edit: it requires that the machine running Apache is a win32 host and a member of the domain you want to authenticate with...

saifkhan123 08-04-2010 02:56 AM

Quote:

Originally Posted by zirias (Post 4054649)
Did you try mod_auth_sspi? Instead of directly accessing the AD via LDAP, it uses Windows' own authentication mechanisms. Working great for my svn repo in the company :)

edit: it requires that the machine running Apache is a win32 host and a member of the domain you want to authenticate with...

OP is trying to make SVN work on Linux, and mod_auth_sspi only works with Windows, so it's not the case.

To make LDAP authentication work, you should make a normal user (no special privilege) in the AD so that it can traverse the AD, because you cannot traverse AD anonymously. For your reference, I have mentioned below my running SVN config in Apache; I have made a user named "access" in AD just for using it with the SVN LDAP authentication process.

My running config for SVN and LDAP is:

Code:

#18
<Location /SVNrepo>
DAV svn
SVNPath /var/SVN
AuthzSVNAccessFile /etc/svn-acl
AuthType Basic
AuthName "My Source Repo"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://domain controller/OU=domain controllers,DC=my,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "access@my.com"
AuthLDAPBindPassword "password of user access@my.com"
require ldap-group CN=All,OU=Domain Controllers,DC=my,DC=com
</Location>
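
An added example, not part of any post in this thread: a small Python check over the directives used in the configs above, flagging cleartext ldap://, an inline bind password, Basic auth without SSLRequireSSL in the block, and Require valid-user. The hostnames, DNs, the exec: helper path and the finding labels are constructed for illustration; exec: for AuthLDAPBindPassword needs Apache 2.4.5 or later.

```python
import re

# Constructed sample modelled on the configs posted in this thread (placeholder hosts, DNs, secrets).
WEAK = '''
<Location /SVNrepo>
AuthType Basic
AuthLDAPURL "ldap://dc.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "access@example.com"
AuthLDAPBindPassword "not-a-real-password"
Require valid-user
</Location>
'''

# Constructed counterpart: LDAPS to the DC, HTTPS-only location, bind secret read via exec:
# (Apache 2.4.5+). The helper path and group DN are hypothetical.
HARDENED = '''
<Location /SVNrepo>
SSLRequireSSL
AuthType Basic
AuthLDAPURL "ldaps://dc.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "access@example.com"
AuthLDAPBindPassword "exec:/usr/local/sbin/svn-bind-secret"
Require ldap-group CN=SVN-Users,OU=Groups,DC=example,DC=com
</Location>
'''

def directives(block):
    """Map lower-cased directive name -> list of argument strings (comments, section tags skipped)."""
    found = {}
    for line in map(str.strip, block.splitlines()):
        if line and not line.startswith(('#', '<')):
            name, *rest = line.split(None, 1)
            found.setdefault(name.lower(), []).append(rest[0] if rest else '')
    return found

def audit(block):
    d, issues = directives(block), []
    for url in d.get('authldapurl', []):
        m = re.match(r'"?(ldaps?)://[^"\s]*"?\s*(\S*)', url)
        # ldap:// is cleartext unless a TLS mode argument follows the URL
        if m and m.group(1) == 'ldap' and m.group(2).upper() not in ('SSL', 'TLS', 'STARTTLS'):
            issues.append('ldap-cleartext')
    if any(not pw.strip('"').startswith('exec:') for pw in d.get('authldapbindpassword', [])):
        issues.append('bind-password-inline')
    # Heuristic: only SSLRequireSSL inside the block is recognised as enforcing HTTPS
    if 'basic' in [a.lower() for a in d.get('authtype', [])] and 'sslrequiressl' not in d:
        issues.append('basic-auth-over-http-possible')
    if 'valid-user' in [a.lower() for a in d.get('require', [])]:
        issues.append('any-directory-user-allowed')
    return issues
```

A location served only from a TLS virtual host will still be reported as basic-auth-over-http-possible, since the check looks at one block in isolation.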


yield 08-04-2010 07:54 AM

Hi saifkhan123,

Thank you very much. This is exactly what I was looking for! :)
Will try that ASAP and let you guys know.

Best Regards!


All times are GMT -5.