locking down access to a repository
I think this is the correct mailing list for this question.

I am LDAP authenticating against 2 domain controllers; in 2 different locations. I thought that I was locking down each repository to allow only users, included in a specific AD group, to have read/write access to a repository. I say supposedly because apparently the second part is not working. Right now, anyone can access any repository. Can someone lend a hand in figuring out what I have done wrong, or need to do?

Here is what I have:

I've configured my ldap aliases as follows:

    AuthLDAPBindDN FCGNET\svnuser
    AuthLDAPBindPassword x
    AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)

    AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
    AuthLDAPBindPassword xxx
    AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)

Then in each specific repository configuration file, I have the following:

    DAV svn
    SVNPath /disk01/home/FDCertifications
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss

I thought the "Require ldap-group" line locked access down to allow only the users in the group access to the repo. That is not the case though. Everyone can access any repository; as long as they have an FCGNET account.

I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once.

I tried removing the "Require valid-user" line; but that then doesn't allow any access.

Have any clues what I am doing wrong? Thanks.

PATI MOSS
System Engineer Sr. Professional
CSC
Re: locking down access to a repository
> I don't think you want the "Require valid-user" line, since by default it uses
> ANY of the Require lines as matches. (And in your case valid-user matches all
> users so it doesn't care you are also specifying a group and a user.)

But if I remove that line then no one can access the repository.

PATI MOSS
System Engineer Sr. Professional
CSC

From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 10:38 AM
Subject: Re: locking down access to a repository

Stefan Sperling wrote on 11/09/2010 08:34:37 AM:

> > I've configured my ldap aliases as follows:
> >
> > AuthLDAPBindDN FCGNET\svnuser
> > AuthLDAPBindPassword x
> > AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> >
> > AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> > AuthLDAPBindPassword xxx
> > AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> >
> > Then in each specific repository configuration file, I have the
> > following:
> >
> > DAV svn
> > SVNPath /disk01/home/FDCertifications
> > AuthType Basic
> > AuthBasicProvider ldap-FCGNET ldap-VIET
> > AuthzLDAPAuthoritative off
> > AuthName "CSC Subversion Repository"
> > Require valid-user
> > Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> > Require ldap-user pmoss

I don't think you want the "Require valid-user" line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)

Kevin R.
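Kevin's point above is that, in Apache 2.2, several `Require` lines in one block are evaluated as alternatives: a request is authorized as soon as any one of them matches, and `Require valid-user` matches every successfully authenticated user, so the `ldap-group` and `ldap-user` lines never get to restrict anything. The following script is an added illustration, not code from the thread or from the Apache project. It parses the `Require` lines of a constructed config, evaluates them against a constructed group table that stands in for the AD lookup, and shows which users get in with and without the `valid-user` line. It models only the `Require` semantics; it does not reproduce the directory lookup itself, which is where the thread's remaining problem (nobody getting in once `valid-user` is removed) must lie. The user names and group membership are assumptions for the demonstration.

```python
"""Model of how Apache 2.2 evaluates a block of Require lines (added example)."""
from dataclasses import dataclass

# Constructed stand-in for the AD group lookup done via AuthLDAPURL.
# alice and bob are hypothetical members; pmoss is the admin from the thread.
DIRECTORY_GROUPS = {
    "CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com": {"alice", "bob"},
}

# The Require block as posted in the thread (everything else omitted).
CONFIG_AS_POSTED = """
    Require valid-user
    Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
"""

# The same block with the valid-user line removed, as Kevin suggests.
CONFIG_LOCKED_DOWN = """
    Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
"""


@dataclass
class Requirement:
    kind: str   # valid-user, ldap-group or ldap-user
    arg: str    # rest of the line: the group DN or the user list


def parse_require_lines(config_text):
    """Collect Require directives; the remainder of the line is the argument,
    so a group DN containing a space (CN=PRJ FDCertifications) is kept whole."""
    reqs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("Require "):
            continue
        kind, _, arg = line[len("Require "):].strip().partition(" ")
        reqs.append(Requirement(kind, arg.strip()))
    return reqs


def satisfies(req, user, authenticated):
    """One Require line against one user (2.2 mod_authnz_ldap semantics)."""
    if req.kind == "valid-user":
        return authenticated              # any authenticated user matches
    if req.kind == "ldap-user":
        return user in req.arg.split()    # explicit allow-list of accounts
    if req.kind == "ldap-group":
        return user in DIRECTORY_GROUPS.get(req.arg, set())
    return False                          # unknown requirement grants nothing


def access_granted(config_text, user, authenticated=True):
    """Apache 2.2: the request passes if ANY Require line matches (OR)."""
    reqs = parse_require_lines(config_text)
    if not reqs:
        return False                      # no policy at all: deny
    return any(satisfies(r, user, authenticated) for r in reqs)


def who_can_access(config_text, users):
    """Sorted list of the given users that the block would let through."""
    return sorted(u for u in users if access_granted(config_text, u))


if __name__ == "__main__":
    population = ["alice", "bob", "carol", "pmoss"]   # carol is in no group
    print("as posted:  ", who_can_access(CONFIG_AS_POSTED, population))
    print("locked down:", who_can_access(CONFIG_LOCKED_DOWN, population))
```

Running it shows every authenticated user passing the posted block and only the group members plus `pmoss` passing the locked-down block, which is the policy the original message was trying to express. A user who never authenticated (the `authenticated=False` case) is refused by both.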
Re: locking down access to a repository
I don't know if I replied correctly the first time:

> First. LDAP (authentication) is only 1/2 of the big picture. You will
> still need to configure authorization on the repos themselves.

I have done that. Each repo has its own configuration file. That is this portion:

    DAV svn
    SVNPath /disk01/home/repository_name
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=AD Group Name,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss

> Second, it's hard to help troubleshoot when you don't provide useful
> information or a direct question. Was there something you needed help
> with? I didn't see any questions other than "Can someone lend a hand in
> figuring out what I have done wrong, or need to do?"

1. I need to be able to lock down each repository to allow only the users, within the associated AD group, to have access to the repository.
2. At the same time I need to be able to allow my, single, user account access to the repositories, without having to be added to every AD group.

I have not done that successfully. Right now all users can access all repositories.

What I have tried so far:

I thought the "Require ldap-group" line locked access down to allow only the users in the group access to the repo. That is not the case.

I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once. So, I added the lines to the very first repository configuration file.

I tried removing the "Require valid-user" line; but that then doesn't allow any access at all.

PATI MOSS
System Engineer Sr. Professional
CSC
575 E. Swedesford Road, Suite 300, Wayne, PA 19464
GIS | p: 610.989.7105 | f: 610.989.7100 | pmo...@csc.com | www.csc.com

From: opensrcguru
To: Patricia A Moss/USA/c...@csc
Date: 11/09/2010 09:22 AM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss wrote:
>
> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different
> locations.
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a repository.
> I say supposedly because apparently the second part is not working. Right
> now, anyone can access any repository. Can someone lend a hand in figuring
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword x
> AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> AuthLDAPBindPassword xxx
> AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
>
> Then in each specific repository configuration file, I have the following:
>
> DAV svn
> SVNPath /disk01/home/FDCertifications
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
>
> I thought the "Require ldap-group" line locked access down to allow only the
> users in the group access to the repo. That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't allow
> any access.
> Have any clues what I am doing wrong? Thanks.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC

First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves. These may be of assistance in configuring authorization (depending on your needs):

http://svnbook.red-bean.com/nightly/en/svn-book.ht
Re: locking down access to a repository
I appreciate all of the help that I am receiving. I have still not been successful in resolving this.

I removed the line:

    Require valid-user

I have tried using:

    ?samAccountName?sub?(objectClass=*)

Instead of:

    ?samAccountName?sub?(objectCategory=person)

That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.

I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.

PATI MOSS
System Engineer Sr. Professional
CSC

From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 11:13 AM
Subject: Re: locking down access to a repository

Patricia A Moss wrote on 11/09/2010 09:41:42 AM:

> From: Patricia A Moss
> To: kmra...@rockwellcollins.com
> Cc: users@subversion.apache.org
> Date: 11/09/2010 09:41 AM
> Subject: Re: locking down access to a repository
>
> > I don't think you want the "Require valid-user" line, since by default it uses
> > ANY of the Require lines as matches. (And in your case valid-user matches all
> > users so it doesn't care you are also specifying a group and a user.)
>
> But if I remove that line then no one can access the repository.

I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):

(Assuming active directory, this is like what I have used in the past)

    AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
    AuthLDAPGroupAttribute member
    Require ldap-group ...

It has been quite a while since I used ldap groups instead of authz files...

This first google hit has some examples:
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication

As does this one:
http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36

Kevin R.
Re: locking down access to a repository
I've tried twice to reply to your first response. I am not sure why it is not posting. I am going to try again.

> First. LDAP (authentication) is only 1/2 of the big picture. You will
> still need to configure authorization on the repos themselves.

I have done this already. I have a separate configuration file for each repository. That looks like this:

    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss

I have defined the LDAP Aliases in the very first repository configuration file; as such:

    AuthLDAPBindDN FCGNET\svnuser
    AuthLDAPBindPassword x
    AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)

    AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
    AuthLDAPBindPassword xxx
    AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)

> Second, it's hard to help troubleshoot when you don't provide useful
> information or a direct question. Was there something you needed help
> with? I didn't see any questions other than "Can someone lend a hand in
> figuring out what I have done wrong, or need to do?"

I think that I have 2 separate issues:

1. I need to lock down access so that only the users in the associated AD group have access to the repository.
2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.

Right now: All, valid, users can access all repositories, whether they are a member of the Active Directory group or not. When I remove the "Require valid-user" line then no one, including the members of the Active Directory group, can access the repository.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru
To: users@subversion.apache.org
Date: 11/09/2010 02:12 PM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss wrote:
> I appreciate all of the help that I am receiving. I have still not been successful in resolving this.
>
> I removed the line:
> Require valid-user
>
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: kmra...@rockwellcollins.com
> To: Patricia A Moss/USA/c...@csc
> Cc: users@subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
>
> Patricia A Moss wrote on 11/09/2010 09:41:42 AM:
> > From: Patricia A Moss
> > To: kmra...@rockwellcollins.com
> > Cc: users@subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> > > I don't think you want the "Require valid-user" line, since by default it uses
> > > ANY of the Require lines as matches. (And in your case valid-user matches all
> > > users so it doesn't care you are also specifying a group and a user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>
> AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
> AuthLDAPGroupAttribute member
> Require ldap-group ...
>
> It has been quite a while since I used ldap groups instead of authz files...
>
> This first google hit has some examples:
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
> As does this one:
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
>
> Kevin R.

Although this is probably better suited for the apache/mod_ldap list, I'll attempt to help.

do your domain controllers support unencrypted binds (very dangerous)?
can you supply any apache/AD debug logs?
can you supply versions of apache/mod_ldap?
can you describe anything that is known to be working?

...this should be pretty straightforward to troubleshoot if you give us some useful information to work with. I speak without a full understanding of the list's user base, but I bet none of them can or ever will be able to read the minds of the end user with a problem (let alone know how their systems are configured). If there is such a wonderful beasty, I'd be mighty interested in meeting them.

/OSG
Re: locking down access to a repository
I was trying to go back and answer your very first response and then go from there. My first reply didn't post to you. I didn't want to skip any steps. I don't think that your response had levity, but more so rudeness and sarcasm. I simply wanted to make sure that you saw my first response and that it answered those first questions. THEN I would have moved on to the next set of questions.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 03:03 PM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss wrote:
>
> I've tried twice to reply to your first response. I am not sure why it is not posting.
> I am going to try again.
>
> > First. LDAP (authentication) is only 1/2 of the big picture. You will
> > still need to configure authorization on the repos themselves.
>
> I have done this already. I have a separate configuration file for each repository. That looks like this:
>
> DAV svn
> SVNPath /disk01/home/RepositoryName
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
>
> I have defined the LDAP Aliases in the very first repository configuration file; as such:
>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword x
> AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> AuthLDAPBindPassword xxx
> AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
>
> > Second, it's hard to help troubleshoot when you don't provide useful
> > information or a direct question. Was there something you needed help
> > with? I didn't see any questions other than "Can someone lend a hand in
> > figuring out what I have done wrong, or need to do?"
>
> I think that I have 2 separate issues:
> 1. I need to lock down access so that only the users in the associated AD group have access to the repository.
> 2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.
>
> Right now:
> All, valid, users can access all repositories, whether they are a member of the Active Directory group or not.
> When I remove the "Require valid-user" line then no one, including the members of the Active Directory group, can access the repository.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: opensrcguru
> To: users@subversion.apache.org
> Date: 11/09/2010 02:12 PM
> Subject: Re: locking down access to a repository
>
> On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss wrote:
> > I appreciate all of the help that I am receiving. I have still not been successful in resolving this.
> >
> > I removed the line:
> > Require valid-user
> >
> > I have tried using:
> > ?samAccountName?sub?(objectClass=*)
> > Instead of:
> > ?samAccountName?sub?(objectCategory=person)
> >
> > That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.
> > I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.
> >
> > PATI MOSS
> > System Engineer Sr. Professional
> > CSC
> >
> > From: kmra...@rockwellcollins.com
> > To: Patricia A Moss/USA/c...@csc
> > Cc: users@subversion.apache.org
> > Date: 11/09/2010 11:13 AM
> > Subject: Re: locking down access to a repository
> >
> > Patricia A Moss wrote on 11/09/2010 09:41:42 AM:
> > > From: Patricia A Moss
> > > To: kmra...@rockwellcollins.com
> > > Cc: users@subversion.apache.org
> > > Date: 11/09/2010 09:41 AM
> > > Subject: Re: locking down access to a repository
> > >
> > > > I don't think you want the "Require valid-user" line, since by default it uses
> > > > ANY of the Require lines as matches. (And in your case valid-user matches all
> > > > users so it doesn't care you are also specifying a group and a user.)
> > >
> > > But if I remove that line then no one can access the repository.
> >
> > I think you also may need to be less specific with your ldapurl (remove the
>
Re: locking down access to a repository
Not really sure that this was necessary either. Unbelievable.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru
To: Patricia A Moss/USA/c...@csc
Date: 11/09/2010 03:37 PM
Subject: Re: locking down access to a repository

I highly recommend you read this and perhaps re-post.

http://www.catb.org/~esr/faqs/smart-questions.html