>
> My goal(s):
> 1. Allow only 1 specific, Active Directory, group access to the
> repository.
That should work out fine.
> 2. Simultaneously, allow a single user account, that is not a member
> of the group, access to the repository
Given that the condition is ``Simultaneously'' I'm not entirely sure
this will work. It might be pure chance.
Only starting 2.3 there where possibilities added to make this kind
of thing easily configurable, i.e.: <RequireAny> and <RequireAll>
> My attempts:
> 1. Configuration, as above, allows any valid user access to the
> repository; whether they are a member of the group or not.
>
> 2. If I remove "Require valid-user" then I receive an error
when
> attempting access the repository and the error.log is as follows:
> [Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(377): [client
> 20.8.xxx.18x] [27994] auth_ldap authenticate: using URL
> ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> [Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(474): [client
> 20.8.xxx.18x] [27994] auth_ldap authenticate: accepting pmoss
> [Mon Nov 15 14:38:15 2010] [crit] [client 20.8.232.187] configuration
> error: couldn't check access. No groups file?: /test_repo/
>
> 3. I tried a "LimitExcept" block, shown below.
Please don't do that. Limit/LimitExcept are broken.
While we're all working hard to fix it in 2.3, let's concentrate on the
important things.
> <Location /test_repo>
> dav svn
> SVNPath /disk01/home/test_repo
> AuthType Basic
> AuthName "Subversion Repository"
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative on
> #Require valid-user
> # Limit R/W access to specified AD group
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=Active_Directory Group
> Name,OU=U.S.,OU=Groups,DC=domain,DC=com
> </LimitExcept>
> #Require ldap-user pmoss
> </Location>
> I could successfully gain access to the repository, and I am not a
> member of the group.
>
> 4. I uncommented the "Require valid-user" line and was,
again,
> successful in attempting access; and I am not a member of the group.
>
> 5. If I change the AuthzLDAPAuthoritative to off, I can still gain
> access to the repository.
>
>
> In my httpd.conf, I have the following modules:
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule dav_module modules/mod_dav.so
> LoadModule dav_fs_module modules/mod_dav_fs.so
> LoadModule cgi_module modules/mod_cgi.so
Same for these two:
> LoadModule authn_file_module modules/mod_authn_file.so
> LoadModule authz_owner_module modules/mod_authz_owner.so
> LoadModule authz_user_module modules/mod_authz_user.so
> LoadModule alias_module modules/mod_alias.so
>
>
> I've been searching around for answers but nothing seems to be solving
> my problem.
>
> I believe I have all the modules loaded that need to be there.
> I am not sure what I may be missing from my configuration or what
may
> be mis-configured. Hopefully someone can help me in achieving the
> goals.
>
> Thanks in advance.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html>
for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
