httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Un Spammable <unspamma...@outlook.com>
Subject [users@httpd] Apache configuration for multi-domain, multi-group access
Date Wed, 05 Jul 2017 19:04:28 GMT
This is a simplified Apache configuration that is intended to provide access to Subversion,
for users that are members of either of two different ldap groups in two different domains:
SVN_Group1 in Domain1 or SVN_Group2 in Domain2. It is not working currently.

    <AuthnProviderAlias ldap ldap-Domain1>
       AuthLDAPBindDN "CN=ServiceAccount1,OU=ServiceAccounts,OU=AD,OU=US,DC=domain1,DC=net"
       AuthLDAPBindPassword password1
       AuthLDAPURL "ldap://domain1:3268/DC=domain1,DC=net?sAMAccountName?sub?(objectClass=*)"
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-Domain2>
       AuthLDAPBindDN "CN=ServiceAccount2,OU=Service Accounts,DC=domain2,DC=net"
       AuthLDAPBindPassword password2
       AuthLDAPURL "ldap://domain2.net:3268/DC=internal,DC=domain2,DC=net?sAMAccountName?sub?(objectClass=*)"
    </AuthnProviderAlias>

    <Location "/svn">
       DAV svn
       SVNParentPath D:/Svn/Repository/Data
       AuthType Basic
       AuthName "Subversion Server"
       AuthBasicProvider ldap-Domain1 ldap-Domain2
       AuthzLDAPAuthoritative off

       require ldap-group CN=SVN_Group1,OU=Groups,OU=AD,OU=US,DC=domain1,DC=net
       require ldap-group CN=SVN_Group2,OU=Groups,OU=MA,OU=AMER,DC=domain2,DC=net
    </Location>

My Apache error log reports the following errors when I try to access Subversion:

    [Fri Jun 30 14:54:55 2017] [warn] [client <my-ip-address>] [5668] auth_ldap authenticate:
user <my-username> authentication failed; URI /svn/repository/tools [User not found][No
Such Object]
    [Fri Jun 30 14:54:56 2017] [error] [client <my-ip-address>] access to /svn/repository/tools
failed, reason: require directives present and no Authoritative handler.

I am running Apache 2.2.

The Apache modules that are loaded include:
auth_basic_module
authn_alias_module
authn_default_module
authz_default_module
authnz_ldap_module
ldap_module

A configuration which referenced only SVN_Group1 in Domain1 has been working for years.

SVN_Group2 is a universal group.
SVN_Group1 is a domain-local group.

If I remove the "require ldap-group" directives and add "require valid-user" instead, access
is granted to users who are not members of either group, which is unacceptable. However that
demonstrates that my LDAPBindDN, LDAPBindPassword and LDAPURL entries are correct.

I've tried using the "Satisfy any" directive, but that also grants access to users who are
not members of either group.

I've looked at many other discussions of similar configurations, and tried many suggestions
I found there, but they have not helped. However I have not found any samples that use multiple
ldap-groups located in different domains.

Can anyone propose a solution to this problem?



Sent from Outlook<http://aka.ms/weboutlook>

Mime
View raw message