LinuxQuestions.org
Old 02-20-2008, 10:17 AM   #1
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Rep: Reputation: 0
LDAP binding error with Apache & Subversion


I'm trying to get Apache to authenticate via LDAP in Active Directory (sigh). I'm getting the following error when someone attempts to commit a change in Subversion using an Eclipse client:

[emerg] [client xxx.xx.xx.xx] cannot bind to [13929] LDAP Server as CN=user name,CN=Users,DC=mydomain,DC=com/password: 49

[Wed Feb 20 10:49:19 2008] [crit] [client xxx.xx.xx.xx] [13929] no ldap connection

I've verified the username and password in Active Directory. I have also verified that the combination can log in on the domain.


Any suggestions?
 
Old 02-20-2008, 01:21 PM   #2
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Well, this is a very complex problem. There are many things that could be affecting this. Let's start from the top.

1. Is your SVN server joined to the domain and are you able to send and receive tickets, users, and groups?

2. Is your Apache configured correctly?
Code:
APACHE2_OPTS="-D SSL -D PHP4 -D DAV -D DAV_FS -D SVN -D DAV_SVN -D LDAP -D AUTH_LDAP"
3. Does your SVN config look something like this?
Code:
<IfDefine SVN>
<Location /svn/repo>
DAV svn
SVNPath /var/svn/repo
AuthType Basic
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "Authorize Me"
AuthLDAPURL ldap://domain.com:389/OU=IT,OU=MainOffice,OU=Locations,OU=Corporate,DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
AuthLDAPBindDN "CN=webuser,OU=Resources,OU=Corporate,OU=AOM,DC=domain,DC=com"
AuthLDAPBindPassword xxxxxxxxxxx
Require valid-user
</Location>
</IfDefine>
4. Is there any more information in the logs?

-weisso
 
Old 02-20-2008, 01:38 PM   #3
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Yes, the system is on the domain and authenticates users against the domain for logins and SMB.

httpd version= 2.0.52

subversion = 1.1-4.2

(I neglected to provide the versions)

I'm configuring this on a RHEL4 system and the subversion configuration is being configured in /etc/httpd/conf.d/subversion.conf.

I reviewed your svn config and noted that there were a few items that I did not have in the configuration file. The URL and a few and the following lines:
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all

I'll add those suggestions and try again. As a side note, we have another system using the same setup and it works without any problems. (The httpd version is the same, but the Subversion is 1.1-2.1.)

Thanks for the quick reply.
 
Old 02-20-2008, 01:49 PM   #4
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Can you post your httpd.conf file?

Also, do you have any special permission schemes?
Example:
<Location "/useraccess">
AuthName "user permissions"
require user larry bill sam
</Location>
 
Old 02-20-2008, 01:56 PM   #5
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
I don't have the special permission. Here is what I have in the subversion.conf file:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be readable and writable by the 'apache' user. Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www. Use "restorecon -R /var/www/svn"
# to label the repositories if upgrading from a previous release.
#

#
# To create a new repository "http://localhost/repos/stuff" using
# this configuration, run as root:
#
# # cd /var/www/svn
# # svnadmin create stuff
# # chown -R apache.apache stuff
#

<Location /svn>
DAV svn
SVNPath /work10/svn

AllowOverride None
order allow,deny
allow from all



# Limit write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>

Require valid-user
# Require SSL connection for password protection.
# SSLRequireSSL

AuthType Basic


AuthzLDAPServer domaincntrlrname.mydomain.com
AuthzLDAPBindDN "CN=adldapsvn ,CN=Users,DC=mydomain,DC=com"
AuthzLDAPBindPassword password

AuthzLDAPUserScope subtree
AuthzLDAPUserBase CN=Users,DC=mydomain,DC=com
AuthzLDAPUserKey sAMAccountName

AuthType basic
AuthName "Subversion Repository"

</LimitExcept>



This subversion.conf file is essentially the same (except for the 3 lines added at the left margin at your suggestion) as the config file on the system that works.
 
Old 02-20-2008, 02:10 PM   #6
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Well, a few things:

1. You don't close out Location.
2. Let's try an IfDefine.
3. Did you compile httpd with -mpm-worker mpm-prefork?

Try this config:

Code:
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<IfDefine SVN>
<Location /svn>
DAV svn
SVNPath /work10/svn
AuthType Basic
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "Subversion Repository"
Require valid-user

AuthzLDAPServer domaincntrlrname.mydomain.com
AuthzLDAPBindDN "CN=adldapsvn,CN=Users,DC=mydomain,DC=com"
AuthzLDAPBindPassword password

AuthzLDAPUserScope subtree
AuthzLDAPUserBase CN=Users,DC=mydomain,DC=com
AuthzLDAPUserKey sAMAccountName

</Location>
</IfDefine>
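
The problems visible in the configs posted up to this point (a `<Location>` that is never closed, a container tag missing its `<`, Basic authentication with `SSLRequireSSL` commented out, and a bind password sitting in the config file) can be caught with a small linter before httpd is reloaded. This is an added example, not part of the original thread; the `audit` function and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the subversion.conf posted in the thread.
SAMPLE = """\
<Location /svn>
DAV svn
SVNPath /work10/svn
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
# SSLRequireSSL
AuthType Basic
AuthzLDAPBindDN "CN=adldapsvn,CN=Users,DC=mydomain,DC=com"
AuthzLDAPBindPassword password
</LimitExcept>
"""

OPEN = re.compile(r"^<([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"^</([A-Za-z]+)>$")

def audit(conf_text):
    """Return (line_number, finding) pairs for an Apache config snippet."""
    findings, stack = [], []          # stack holds (tag, line) of open containers
    basic_line, ssl_required = None, False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # commented-out directives do not count
        if m := CLOSE.match(line):
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            else:
                findings.append((n, f"</{m.group(1)}> has no matching open tag"))
        elif m := OPEN.match(line):
            stack.append((m.group(1).lower(), n))
        elif line.startswith("<") or line.endswith(">"):
            findings.append((n, "malformed container tag"))
        else:
            parts = line.lower().split()
            if parts[:2] == ["authtype", "basic"]:
                basic_line = n
            elif parts[0] == "sslrequiressl":
                ssl_required = True
            elif parts[0].endswith("bindpassword"):
                findings.append((n, "bind password in config: restrict file read access"))
    findings += [(n, f"<{tag}> is never closed") for tag, n in stack]
    if basic_line and not ssl_required:
        findings.append((basic_line, "Basic auth without SSLRequireSSL"))
    return findings
```

Calling `audit(SAMPLE)` reports the unclosed `<Location>` on line 1, the Basic-auth finding on line 7 and the bind password on line 9.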
 
Old 02-21-2008, 07:31 AM   #7
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
The <IfDefine> caused the repository to disappear from view when using the SVN client. httpd was compiled as follows:
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
 
Old 02-21-2008, 08:41 AM   #8
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Try removing the IfDefine and see what happens.
 
Old 02-21-2008, 10:07 AM   #9
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
The repository returned after I removed the <IfDefine>.
 
Old 02-21-2008, 10:14 AM   #10
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Can they check out?
 
Old 02-21-2008, 11:37 AM   #11
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Yes. They can browse and checkout. We're getting this error:

[Thu Feb 21 12:27:55 2008] [crit] [client xxx.xxx.xxx.xxx] configuration error: couldn't check user. No user file?: /svn/!svn/act/b96572f8-7620-4345-a7e4-2e43e831776a

The subversion.conf contains the following at this point:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so


<Location /svn>
DAV svn
SVNPath /work10/svn
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
AuthType Basic

AuthzLDAPServer domaincntrlrname.mydomain.com
AuthzLDAPBindDN "CN=adldapsvn,CN=Users,DC=mydomain,DC=com"
AuthzLDAPBindPassword password

AuthzLDAPUserScope subtree
AuthzLDAPUserBase CN=Users,DC=mydomain,DC=com
AuthzLDAPUserKey sAMAccountName
AuthName "Subversion Repository"

</LimitExcept>
</Location>
 
Old 02-21-2008, 01:16 PM   #12
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Interesting, let's try something:

1. Confirm that apache is the owner/user recursively throughout the repo:
in your case: chown -R apache:apache /work10/svn/

2. Try and commit

3. If you are still getting that error let's try this:
A. Add this line of code to config file
AuthzSVNAccessFile /var/svn/conf/svnpolicy
B. mkdir /var/svn/conf (if you don't have one already)
C. vim or nano /var/svn/conf/svnpolicy
D. Example File:
Quote:
[groups]
apache = tim,bob,sue,sarah
readgroup = phil,henry

[*:/]
@apache = rw

[repo1:/]
@apache = rw

[repo2:/]
@apache = rw
@readgroup = r
Please post back any results.

-weisso
 
Old 02-25-2008, 09:59 AM   #13
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
The config file check barked at the AuthzSVNAccessFile directive. All of the files in /work10/svn are owned by the apache user and group.
 
Old 02-26-2008, 09:16 AM   #14
weisso5
Member
 
Registered: Oct 2007
Location: New York City
Distribution: Gentoo, FC
Posts: 133

Rep: Reputation: 16
Just to confirm:

1. Every user can browse, commit, and checkout?

2. If so, then can you commit in Eclipse?
 
Old 02-26-2008, 09:17 AM   #15
rangel59
LQ Newbie
 
Registered: Jul 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Browsing and checkout works without a problem. It's the commit that is the problem.
 
  

