httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darly Senecal Baptiste <>
Subject [users@httpd] LDAP Login Access by Organization Unit
Date Fri, 30 May 2014 21:32:43 GMT
Hi Community:

I am implementing a svn and git repository servers and users have to access
them with their LDAP/AD accounts. Those users are classified by
organizational units(OU), that makes in total of 7 OUs.

This setting was set in a file called auth_ldap.conf; for example:

<AuthnProviderAlias ldap ldap-ny>
> "ldap://ldap-ldap-address1 ldap-ldap-address2/OU=NewYork,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)"
> "NONE"
>   AuthLDAPBindDN "CN=ldapadmin,CN=Users,DC=domain,DC=tld"
>   AuthLDAPBindPassword password
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-mia>
> "ldap://ldap-address1 ldap-ldap-address2/OU=Miami,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)"
> "NONE"
>   AuthLDAPBindDN "CN=ldapadmin,CN=Users,DC=domain,DC=tld"
>   AuthLDAPBindPassword password
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-chi>
> "ldap://ldap-ldap-address1 ldap-ldap-address2/OU=Chicago,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)"
> "NONE"
>   AuthLDAPBindDN "CN=ldapadmin,CN=Users,DC=domain,DC=tld"
>   AuthLDAPBindPassword password
> </AuthnProviderAlias>

Git and SVN calls these providers by using the directive AuthBasicProvider.
for example

<Location /svn>
>    DAV svn
>    SVNParentPath /svn/repositories
>    SVNListParentPath on
>    AuthType Basic
> *   AuthBasicProvider ldap-ny ldap-mia ldap-chi *   AuthGroupFile
> /svn/app/csvn/data/conf/htgroups
>    Require valid-user
>  </Location>

After setting the configuration, I am trying to login to an application
with the user who belongs to the to Chicago OU group.

However, login as that user I couldn't access correctly giving me an error
at the apache log as Password Mismatch. After setting the log at the debug
level, I found out that at the moment of the login as Chicago user, apache
went through the LDAP OUs to see if the user is present. But still that
user couldn't login and the log release the same error, even if the
password are correctly set.

By my surprise, Apache accessed only to the first 2 providers mentioned at
the list (ldap-ny, ldap-mia) but not to Chicago. And giving the same
Password Mismatch.

I made a workaround by moving the Chicago OU call at the AuthBasicProvider
directive as follows

*AuthBasicProvider ldap-ny **ldap-chi** ldap-mia *

Then I debugged the chicago login, which successfully  went through. But
based on the issue before mentioned, Miami user are not longer able to
login into.

Now, I want to know how to implement the apache ldap login in which goes to
every OU instead of the first 2 OU's. The goal is that all users can be
able to login into the application no matter the order of the OU call from


Darly Senecal-Baptiste

View raw message