LDAP Login Access by Organization Unit


 



Hi Community:

I am implementing SVN and Git repository servers, and users have to access them with their LDAP/AD accounts. Those users are classified by organizational units (OUs), which makes a total of 7 OUs.

This setting is in a file called auth_ldap.conf; for example:

<AuthnProviderAlias ldap ldap-ny>
  AuthLDAPURL "ldap://ldap-ldap-address1 ldap-ldap-address2/OU=NewYork,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" "NONE"
  AuthLDAPBindDN "CN=ldapadmin,CN=Users,DC=domain,DC=tld"
  AuthLDAPBindPassword password
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-mia>
  AuthLDAPURL "ldap://ldap-address1 ldap-ldap-address2/OU=Miami,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" "NONE"
  AuthLDAPBindDN "CN=ldapadmin,CN=Users,DC=domain,DC=tld"
  AuthLDAPBindPassword password
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-chi>
  AuthLDAPURL "ldap://ldap-ldap-address1 ldap-ldap-address2/OU=Chicago,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" "NONE"
  AuthLDAPBindDN "CN=ldapadmin,CN=Users,DC=domain,DC=tld"
  AuthLDAPBindPassword password
</AuthnProviderAlias>
 

Git and SVN call these providers by using the AuthBasicProvider directive; for example:

<Location /svn>
   DAV svn
   SVNParentPath /svn/repositories
   SVNListParentPath on
   AuthType Basic
   AuthBasicProvider ldap-ny ldap-mia ldap-chi
   AuthGroupFile /svn/app/csvn/data/conf/htgroups
   Require valid-user
</Location>

After setting the configuration, I am trying to log in to an application with a user who belongs to the Chicago OU group.

However, logging in as that user I couldn't access correctly; the Apache log gave me a Password Mismatch error. After setting the log to the debug level, I found out that at the moment of the login as the Chicago user, Apache went through the LDAP OUs to see if the user is present. But still that user couldn't log in, and the log reported the same error, even though the password was set correctly.

To my surprise, Apache accessed only the first 2 providers mentioned in the list (ldap-ny, ldap-mia) but not Chicago, and gave the same Password Mismatch.

I made a workaround by moving the Chicago OU call in the AuthBasicProvider directive as follows:

AuthBasicProvider ldap-ny ldap-chi ldap-mia 

Then I debugged the Chicago login, which successfully went through. But based on the issue mentioned before, Miami users are no longer able to log in.

Now, I want to know how to implement the Apache LDAP login so that it goes to every OU instead of only the first 2 OUs. The goal is that all users are able to log in to the application no matter the order of the OU calls in httpd.conf.

Regards

Darly Senecal-Baptiste
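The following is an added example, not code from the post above and not part of Apache httpd. It models the rule mod_auth_basic applies when walking an AuthBasicProvider list: a provider that reports "user not found" hands over to the next alias, while any other result (password denied or access granted) ends the walk. It also shows that a single provider whose base DN is the domain root with "sub" scope reaches entries in every OU, including nested ones, so the order of per-OU aliases stops mattering. The directory entries, the three constructed users and their passwords, the alias names ldap-all and ldap-chi-one, and the function names are all assumptions made for this illustration.

```python
"""Model of how mod_auth_basic walks an AuthBasicProvider chain.

Added example with constructed data; not the poster's configuration and
not Apache httpd code. The chain rule modelled is the one mod_auth_basic
applies: "user not found" passes control to the next provider in the list,
any other result (denied or granted) ends the walk.
"""

# Constructed directory: DN -> attributes. A nested OU is included so the
# difference between "one" and "sub" search scope is visible.
DIRECTORY = {
    "CN=Ann,OU=NewYork,DC=domain,DC=tld": {"sAMAccountName": "ann", "userPassword": "ny-secret"},
    "CN=Bob,OU=Miami,DC=domain,DC=tld": {"sAMAccountName": "bob", "userPassword": "mia-secret"},
    "CN=Cid,OU=Dev,OU=Chicago,DC=domain,DC=tld": {"sAMAccountName": "cid", "userPassword": "chi-secret"},
}

# Result names in the spirit of mod_auth_basic's authn_status values.
USER_NOT_FOUND = "USER_NOT_FOUND"
DENIED = "DENIED"
GRANTED = "GRANTED"


def _rdns(dn):
    """Split a DN into its RDN list, most specific first (no escaping handled)."""
    return [part.strip() for part in dn.split(",")]


def ldap_search(base_dn, scope, attr, value):
    """Return DNs below base_dn whose attr equals value, honouring scope.

    scope "sub" matches any entry below the base; "one" only direct children.
    """
    base = _rdns(base_dn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        parts = _rdns(dn)
        if len(parts) <= len(base) or parts[-len(base):] != base:
            continue  # entry is not under this base at all
        depth = len(parts) - len(base)
        if scope == "one" and depth != 1:
            continue
        if attrs.get(attr) == value:
            hits.append(dn)
    return hits


def provider_authenticate(base_dn, scope, username, password):
    """One AuthnProviderAlias: search for the user, then bind as the found DN."""
    hits = ldap_search(base_dn, scope, "sAMAccountName", username)
    if not hits:
        return USER_NOT_FOUND
    # Constructed stand-in for the LDAP bind with the user's own credentials.
    if DIRECTORY[hits[0]]["userPassword"] == password:
        return GRANTED
    return DENIED


def chain_authenticate(providers, username, password):
    """Walk the provider list the way mod_auth_basic does.

    providers: list of (alias, base_dn, scope).
    Returns (final result, list of aliases that were consulted).
    """
    tried = []
    result = USER_NOT_FOUND
    for alias, base_dn, scope in providers:
        tried.append(alias)
        result = provider_authenticate(base_dn, scope, username, password)
        if result != USER_NOT_FOUND:
            break  # DENIED or GRANTED ends the walk; only USER_NOT_FOUND continues
    return result, tried


# The per-OU layout from the post, with assumed scope "sub" as in its URLs.
PER_OU = [
    ("ldap-ny", "OU=NewYork,DC=domain,DC=tld", "sub"),
    ("ldap-mia", "OU=Miami,DC=domain,DC=tld", "sub"),
    ("ldap-chi", "OU=Chicago,DC=domain,DC=tld", "sub"),
]

# Assumed alternative: one provider rooted at the domain reaches every OU.
DOMAIN_ROOT = [("ldap-all", "DC=domain,DC=tld", "sub")]

if __name__ == "__main__":
    print(chain_authenticate(PER_OU, "cid", "chi-secret"))
    print(chain_authenticate(PER_OU, "cid", "wrong"))
    print(chain_authenticate(DOMAIN_ROOT, "bob", "mia-secret"))
```

The `tried` list returned by `chain_authenticate` corresponds to what an Apache debug log shows when it reports which alias handled a request; comparing that list with the result for each user is the quickest way to tell whether an earlier provider answered "denied" (which stops the chain) rather than "not found" (which lets it continue).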




