Apache configuration for multi-domain, multi-group access

This is a simplified Apache configuration that is intended to provide access to Subversion, for users that are members of either of two different ldap groups in two different domains: SVN_Group1 in Domain1 or SVN_Group2 in Domain2. It is not working currently.

    <AuthnProviderAlias ldap ldap-Domain1>
       AuthLDAPBindDN "CN=ServiceAccount1,OU=ServiceAccounts,OU=AD,OU=US,DC=domain1,DC=net"
       AuthLDAPBindPassword password1
       AuthLDAPURL "ldap://domain1:3268/DC=domain1,DC=net?sAMAccountName?sub?(objectClass=*)"
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-Domain2>
       AuthLDAPBindDN "CN=ServiceAccount2,OU=Service Accounts,DC=domain2,DC=net"
       AuthLDAPBindPassword password2
       AuthLDAPURL "ldap://domain2.net:3268/DC=internal,DC=domain2,DC=net?sAMAccountName?sub?(objectClass=*)"
    </AuthnProviderAlias>

    <Location "/svn">  
       DAV svn
       SVNParentPath D:/Svn/Repository/Data
       AuthType Basic
       AuthName "Subversion Server"
       AuthBasicProvider ldap-Domain1 ldap-Domain2
       AuthzLDAPAuthoritative off
       
       require ldap-group CN=SVN_Group1,OU=Groups,OU=AD,OU=US,DC=domain1,DC=net
       require ldap-group CN=SVN_Group2,OU=Groups,OU=MA,OU=AMER,DC=domain2,DC=net
    </Location>

My Apache error log reports the following errors when I try to access Subversion:

    [Fri Jun 30 14:54:55 2017] [warn] [client <my-ip-address>] [5668] auth_ldap authenticate: user <my-username> authentication failed; URI /svn/repository/tools [User not found][No Such Object]
    [Fri Jun 30 14:54:56 2017] [error] [client <my-ip-address>] access to /svn/repository/tools failed, reason: require directives present and no Authoritative handler.

I am running Apache 2.2.

The Apache modules that are loaded include:
auth_basic_module
authn_alias_module
authn_default_module
authz_default_module
authnz_ldap_module
ldap_module

A configuration which referenced only SVN_Group1 in Domain1 has been working for years.

SVN_Group2 is a universal group.
SVN_Group1 is a domain-local group.

If I remove the "require ldap-group" directives and add "require valid-user" instead, access is granted to users who are not members of either group, which is unacceptable. However, that demonstrates that my LDAPBindDN, LDAPBindPassword and LDAPURL entries are correct.

I've tried using the "Satisfy any" directive, but that also grants access to users who are not members of either group.

I've looked at many other discussions of similar configurations, and tried many suggestions I found there, but they have not helped. However, I have not found any samples that use multiple ldap-groups located in different domains.

Can anyone propose a solution to this problem?


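Editor's note with an added example; this is not the poster's configuration and no reply on this page proposes it. Two points on the variants tried above: "Satisfy any" in Apache 2.2 admits a request if either the host-based access check or the user authentication passes, and with no Order/Deny directives in the Location the host check always passes, so it opens the repository to everyone; "require valid-user" admits anyone the bind succeeds for, so it enforces nothing about groups. The configuration below, written for the 2.2 setup described in the post, moves the group test into the LDAP search filter of each provider alias: a user who is not in SVN_Group1 (searched on domain1's global catalog) or SVN_Group2 (searched on domain2's) is simply never found, so authentication fails before any Require directive is consulted, and "Require valid-user" then means "authenticated as a member of one of the two groups". It does not depend on how 2.2 resolves "require ldap-group" against an AuthnProviderAlias. The hostnames, DNs, group names, passwords and path are placeholders copied from the question.

```apache
# Added example (editor's, not the poster's). Assumes Apache 2.2 with
# auth_basic, authn_alias, authnz_ldap and ldap modules loaded, as listed
# in the post. All DNs, hosts and passwords are placeholders from the post.

# Domain1: SVN_Group1 is domain-local, so it is resolved against domain1's
# own global catalog, where memberOf for that group is populated.
<AuthnProviderAlias ldap ldap-Domain1-svn>
   AuthLDAPBindDN "CN=ServiceAccount1,OU=ServiceAccounts,OU=AD,OU=US,DC=domain1,DC=net"
   AuthLDAPBindPassword password1
   # The filter restricts the search to direct members of SVN_Group1;
   # non-members are "not found" and never get as far as a bind.
   AuthLDAPURL "ldap://domain1:3268/DC=domain1,DC=net?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=SVN_Group1,OU=Groups,OU=AD,OU=US,DC=domain1,DC=net))"
</AuthnProviderAlias>

# Domain2: SVN_Group2 is universal, so its membership is visible on any
# global catalog; the post's domain2 GC is kept here.
<AuthnProviderAlias ldap ldap-Domain2-svn>
   AuthLDAPBindDN "CN=ServiceAccount2,OU=Service Accounts,DC=domain2,DC=net"
   AuthLDAPBindPassword password2
   AuthLDAPURL "ldap://domain2.net:3268/DC=internal,DC=domain2,DC=net?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=SVN_Group2,OU=Groups,OU=MA,OU=AMER,DC=domain2,DC=net))"
</AuthnProviderAlias>

<Location "/svn">
   DAV svn
   SVNParentPath D:/Svn/Repository/Data
   AuthType Basic
   AuthName "Subversion Server"
   # Providers are tried in order; the first one whose filter matches the
   # user and whose bind with the supplied password succeeds wins.
   AuthBasicProvider ldap-Domain1-svn ldap-Domain2-svn
   # Kept from the posted configuration, where it was confirmed to grant
   # access to every user the providers authenticate.
   AuthzLDAPAuthoritative off
   # Group membership is already enforced by the search filters above, so
   # "valid-user" here means "member of SVN_Group1 or SVN_Group2".
   Require valid-user
</Location>
```

Two caveats for this pattern. memberOf matches direct membership only; if either SVN group contains nested groups, Active Directory's transitive matching rule can be used instead, e.g. (memberOf:1.2.840.113556.1.4.1941:=CN=SVN_Group1,...), at a noticeable cost per search. Second, both the posted and the example configuration talk to the global catalog over plain ldap:// on port 3268, so the service-account bind password and every user's Basic-auth password cross the network in the clear; ldaps:// on port 3269 with a trusted CA configured via LDAPTrustedGlobalCert avoids that, and httpd.conf itself should be readable only by the service user since the bind passwords are stored in it unencrypted. On Apache 2.4 the same policy is expressed more directly with one <AuthzProviderAlias ldap-group ...> block per domain, each carrying its own AuthLDAPURL and bind credentials, combined under <RequireAny>; that directive does not exist in 2.2.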
