Discussion:
ldap auth with one read-only user
Anja Gawlik
2010-01-26 14:12:09 UTC
Hello everybody,

I have subversion running with ldap auth against our active directory. The
normal setup with a require ldap-group worked fine. Now I shall add one
read-only user for nightly builds and it just won't work. Here is my config:

***************************************************************
<Location /test>

DAV svn
SVNPath /svn-repositories/test
#authentication defaults for our repositories
AddDefaultCharset UTF-8
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative on
AuthName "Subversion "
AuthLDAPURL "ldap://domain.us.com/ou=Users,DC=US,DC=COM?sAMAccountName?sub"
AuthLDAPBindDN CN=apache,CN=Users,DC=US,DC=COM
AuthLDAPBindPassword somepw
AuthLDAPGroupAttribute member


#<Limit GET PROPFIND OPTIONS REPORT>
require valid user
#</Limit>

<LimitExcept GET PROPFIND OPTIONS REPORT>
require ldap-group CN=intern,CN=Users,DC=US,DC=COM
</LimitExcept>


</Location>
****************************************************************

For the last 2 days I have tried all combinations of Limit and
LimitExcept and require ldap-attribute sAMAccountname=nightlyuser
and the like, but it just won't work.

Nightlyuser shall be read-only, all the other ldap-users (who are
in group intern, where nightlyuser is not a member) shall have full
access.
Can somebody help me with this?

Kind regards,

Anja
Johan Corveleyn
2010-01-27 12:15:21 UTC
Post by Anja Gawlik
Hello everybody,
I have subversion running with ldap auth against our active directory. The
normal setup with a require ldap-group worked fine. Now I shall add one
***************************************************************
<Location /test>
DAV svn
SVNPath /svn-repositories/test
#authentication defaults for our repositories
AddDefaultCharset UTF-8
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative on
AuthName "Subversion "
AuthLDAPURL "ldap://domain.us.com/ou=Users,DC=US,DC=COM?sAMAccountName?sub"
AuthLDAPBindDN CN=apache,CN=Users,DC=US,DC=COM
AuthLDAPBindPassword somepw
AuthLDAPGroupAttribute member
#<Limit GET PROPFIND OPTIONS REPORT>
require  valid user
#</Limit>
<LimitExcept GET PROPFIND OPTIONS REPORT>
require ldap-group CN=intern,CN=Users,DC=US,DC=COM
</LimitExcept>
</Location>
****************************************************************
For the last 2 days I have tried all combinations of Limit and
LimitExcept and require ldap-attribute sAMAccountname=nightlyuser
and the like, but it just won't work.
Nightlyuser shall be read-only, all the other ldap-users (who are
in group intern, where nightlyuser is not a member) shall have full
access.
Can somebody help me with this?
That should be "valid-user", and not "valid user". See
http://httpd.apache.org/docs/2.2/mod/core.html#require.

Also, I hope that "nightlyuser" is a user in the LDAP, somewhere under
ou=Users,DC=US,DC=COM?

If you still can't get it to work, I suggest you first try to connect
with a regular browser (just surfing to $REPO_URL), and try to
authenticate with "nightlyuser" and its password. Just to eliminate
your nightly build system from the equation ...

HTH
Regards,
Johan
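The configuration below is an added example, not part of the thread or of the Subversion project's own documentation. It takes Anja's posted <Location> block, applies Johan's "valid-user" correction, and tightens it to the stated requirement (intern members read and write, nightlyuser reads only) instead of letting every LDAP account read. The LDAP URL, bind DN, group DN and repository path are reused from the posted config; the bind password and the http://svn.example.com host in the curl checks are placeholders.

```apache
# Added example (not from the thread): Apache 2.2 with mod_authnz_ldap and
# mod_dav_svn, built from the <Location> block posted above.
# Goal: members of CN=intern may read and write; "nightlyuser" may only read.
# Assumptions not stated on the page: the repository path, LDAP server, bind
# account and group DN are those of the posted config; "somepw" is a placeholder.
<Location /test>
    DAV svn
    SVNPath /svn-repositories/test
    AddDefaultCharset UTF-8

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    # Do not fall through to other authz modules when the LDAP checks fail.
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://domain.us.com/ou=Users,DC=US,DC=COM?sAMAccountName?sub"
    # The bind account only needs read access to the directory; its password
    # is stored in clear text here, so keep this file readable by root only.
    AuthLDAPBindDN CN=apache,CN=Users,DC=US,DC=COM
    AuthLDAPBindPassword somepw
    # Active Directory keeps membership as member DNs on the group object.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Read-only methods a Subversion client uses for checkout, update, log,
    # diff and the repo browser. In Apache 2.2 several Require lines are OR'ed,
    # so intern members or nightlyuser pass. Note the hyphen in valid-user:
    # "Require valid-user" would also work here, but it opens reads to every
    # account under ou=Users, which is wider than what was asked for.
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=intern,CN=Users,DC=US,DC=COM
        Require ldap-user nightlyuser
    </Limit>

    # Everything not listed above is treated as a write (MKACTIVITY, CHECKOUT,
    # PROPPATCH, PUT, MKCOL, COPY, MOVE, DELETE, LOCK, UNLOCK, MERGE, and the
    # POST that Subversion 1.7+ clients use to open a commit). Group members
    # only; nightlyuser is denied here because it is not a member of intern.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=intern,CN=Users,DC=US,DC=COM
    </LimitExcept>
</Location>

# Checks from a shell, with no TortoiseSVN or build system in the loop
# (placeholder host and password):
#   curl -s -o /dev/null -w '%{http_code}\n' -u nightlyuser:PW \
#        -X PROPFIND -H 'Depth: 0' http://svn.example.com/test/
#   expected: 207 (read allowed)
#   curl -s -o /dev/null -w '%{http_code}\n' -u nightlyuser:PW \
#        -X MKCOL http://svn.example.com/test/should-not-exist
#   expected: 401 (denied by the LimitExcept block before mod_dav_svn runs)
# Repeat the MKCOL with an intern account: any answer other than 401 means the
# write gate was passed; mod_dav_svn then rejects the bare MKCOL on its own.
```

Two points worth knowing when reading those results. Apache reports a failed authorization for an already authenticated user as 401, not 403, by default (2.4 adds AuthzSendForbiddenOnFailure to change that), which is exactly the response that makes clients prompt for a password again; a repeated prompt therefore does not by itself tell you whether authentication or authorization failed, so check the error_log entry for the request. And the write rule is deliberately written as "everything except the read methods" rather than as an explicit list of write methods, so that methods introduced by later clients fall on the restrictive side without editing the list. If per-path rules are ever needed, mod_authz_svn's AuthzSVNAccessFile is the usual route; its groups are defined in that file rather than taken from LDAP.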
Anja Gawlik
2010-01-27 15:12:58 UTC
-----Original Message-----
From: Johan Corveleyn [mailto:***@gmail.com]
Sent: Wednesday, 27 January 2010 13:15
To: Anja Gawlik
Cc: ***@subversion.apache.org
Subject: Re: ldap auth with one read-only user
Post by Johan Corveleyn
Post by Anja Gawlik
For the last 2 days have tried all combinations of Limit and
LimitExcept and require ldap-attribute sAMAccountname=nightlyuser
and all the like, but it just won't work.
Nightlyuser shall be read-only, all the other ldap-users (who are
in group intern, where nightlyuser is not a member) shall have full
access.
Can somebody help me with this?
If you still can't get it to work, I suggest you first try to connect
with a regular browser (just surfing to $REPO_URL), and try to
authenticate with "nightlyuser" and its password. Just to eliminate
your nightly build system from the equation ...
Thank you very much, this finally pointed me to the core of the problem:
my setup was actually working all the time, but Tortoise asks for a
password for every single action in the background (I had the password cache
switched off for testing), so I had to enter it 5 or 6 times for a
look into the repo browser. After the second password prompt I always
gave up and thought it wasn't working...

Thanks again!

Greetz, Anja
