Results 1 to 10 of 11

Thread: Apache2 LDAP authorization against eDirectory

Threaded View

  1. #1

    Apache2 LDAP authorization against eDirectory


    I'm having trouble configuring Apache2 (for Subversion) to authorize against eDirectory. This is part of my Apache configuration:

    AuthType Basic
    AuthzLDAPAuthoritative On
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://LDAPServer/o=SomeOU?cn?sub"
    # # require valid user
    # Require valid-user
    # require group membership
    AuthLDAPGroupAttribute member
    Require ldap-group cn=Subversion,o=SomeOU
    Satisfy All

    If I uncomment the line "Require valid-user" any valid eDirectory user can access subversion through Apache2. I want to restrict access to members of "Subversion" group. For some reason this does not work. Here's the log from Apache:

    [Fri Aug 24 12:02:15 2012] [info] Initial (No.1) HTTPS request received for child 0 (server svn.xy.com:443)
    [Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(373): [client] [1253] auth_ldap authenticate: using URL ldaps://LDAPServer/o=SomeOU?cn?sub
    [Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(454): [client] [1253] auth_ldap authenticate: accepting bruno
    [Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(691): [client] [1253] auth_ldap authorise: require group: testing for group membership in "cn=Subversion,o=SomeOU"
    [Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(697): [client] [1253] auth_ldap authorise: require group: testing for member: cn=bruno,o=SomeOU (cn=Subversion,o=SomeOU)
    [Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(713): [client] [1253] auth_ldap authorise: require group "cn=Subversion,o=SomeOU": authorisation failed [Comparison false (adding to cache)][Compare False]
    [Fri Aug 24 12:02:15 2012] [debug] mod_authnz_ldap.c(826): [client] [1253] auth_ldap authorise: authorisation denied

    Authentication phase goes well but testing for group membership fails (I double checked - user bruno is member of Subversion group). Can anyone give me some clue, I've ran out of ideas (tried everything I could think of).

    Thanks in advance,
    Last edited by bsvorinic; 24-Aug-2012 at 11:31 AM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts