httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49409] New: require ldap-group allowing any group, not just the required group
Date Wed, 09 Jun 2010 02:43:57 GMT

           Summary: require ldap-group allowing any group, not just the
                    required group
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap

While trying to set up SVN access control, I've noticed an oddity.  While
trying to verify that all was working and doing some negative path testing, I
noticed that I could log in, even though I was not a member of the group
specified in the "require ldap-group" directive.  I've spent a day googling
this, but I can't find any answers.  Any help would be greatly appreciated, as
this is about to drive me insane.

I'm running CentOS 5.5 final.  $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:59:37) $

From my apache conf:

<Location /svn>
  DAV svn
  SVNPath /usr/local/svn
  AuthType Basic
  AuthName "Your Subversion Repository"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://<host>:389/dc=jc,dc=com?uid"
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require group cn=app,ou=Group,dc=jc,dc=com
  AuthzSVNAccessFile /etc/subversion/repos.acl
  Satisfy all
</Location>

Group ldif: 

dn: cn=app,ou=Group,dc=jc,dc=com
objectClass: posixGroup
objectClass: top
cn: app
userPassword: {crypt}x
gidNumber: 1004
description: bob
