Re: locking down access to a repository
Not really sure that this was necessary either. Unbelievable.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru opensrcg...@gmail.com
To: Patricia A Moss/USA/c...@csc
Date: 11/09/2010 03:37 PM
Subject: Re: locking down access to a repository

> I highly recommend you read this and perhaps re-post.
> http://www.catb.org/~esr/faqs/smart-questions.html
Re: locking down access to a repository
On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss pmo...@csc.com wrote:

> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different locations. I thought that I was locking down each repository to allow only users, included in a specific AD group, to have read/write access to a repository. I say supposedly because apparently the second part is not working. Right now, anyone can access any repository. Can someone lend a hand in figuring out what I have done wrong, or need to do?
>
> Here is what I have:
>
> I've configured my ldap aliases as follows:
>
>     <AuthnProviderAlias ldap ldap-FCGNET>
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword x
>         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
>     </AuthnProviderAlias>
>
>     <AuthnProviderAlias ldap ldap-VIET>
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxx
>         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
>     </AuthnProviderAlias>
>
> Then in each specific repository configuration file, I have the following:
>
>     <Location /FDCertifications>
>         dav svn
>         SVNPath /disk01/home/FDCertifications
>         AuthType Basic
>         AuthBasicProvider ldap-FCGNET ldap-VIET
>         AuthzLDAPAuthoritative off
>         AuthName "CSC Subversion Repository"
>         Require valid-user
>         Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
>         Require ldap-user pmoss
>     </Location>
>
> I thought the Require ldap-group line locked access down to allow only the users in the group access to the repo. That is not the case though. Everyone can access any repository; as long as they have an FCGNET account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once.
>
> I tried removing the Require valid-user line; but that then doesn't allow any access.
>
> Have any clues what I am doing wrong?
>
> Thanks.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC

First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves. These may be of assistance in configuring authorization (depending on your needs):

http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

Second, it's hard to help troubleshoot when you don't provide useful information or a direct question. Was there something you needed help with? I didn't see any questions other than "Can someone lend a hand in figuring out what I have done wrong, or need to do?"

kind regards,
OSG
Re: locking down access to a repository
Stefan Sperling s...@elego.de wrote on 11/09/2010 08:34:37 AM:

> > I've configured my ldap aliases as follows:
> >
> >     <AuthnProviderAlias ldap ldap-FCGNET>
> >         AuthLDAPBindDN FCGNET\svnuser
> >         AuthLDAPBindPassword x
> >         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> >     </AuthnProviderAlias>
> >
> >     <AuthnProviderAlias ldap ldap-VIET>
> >         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> >         AuthLDAPBindPassword xxx
> >         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> >     </AuthnProviderAlias>
> >
> > Then in each specific repository configuration file, I have the following:
> >
> >     <Location /FDCertifications>
> >         dav svn
> >         SVNPath /disk01/home/FDCertifications
> >         AuthType Basic
> >         AuthBasicProvider ldap-FCGNET ldap-VIET
> >         AuthzLDAPAuthoritative off
> >         AuthName "CSC Subversion Repository"
> >         Require valid-user
> >         Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> >         Require ldap-user pmoss
> >     </Location>

I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)

Kevin R.
Re: locking down access to a repository
On Tue, Nov 09, 2010 at 08:12:44AM -0500, Patricia A Moss wrote:

> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different locations. I thought that I was locking down each repository to allow only users, included in a specific AD group, to have read/write access to a repository. I say supposedly because apparently the second part is not working. Right now, anyone can access any repository. Can someone lend a hand in figuring out what I have done wrong, or need to do?
>
> Here is what I have:
>
> I've configured my ldap aliases as follows:
>
>     <AuthnProviderAlias ldap ldap-FCGNET>
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword x
>         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
>     </AuthnProviderAlias>
>
>     <AuthnProviderAlias ldap ldap-VIET>
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxx
>         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
>     </AuthnProviderAlias>
>
> Then in each specific repository configuration file, I have the following:
>
>     <Location /FDCertifications>
>         dav svn
>         SVNPath /disk01/home/FDCertifications
>         AuthType Basic
>         AuthBasicProvider ldap-FCGNET ldap-VIET
>         AuthzLDAPAuthoritative off
>         AuthName "CSC Subversion Repository"
>         Require valid-user
>         Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
>         Require ldap-user pmoss
>     </Location>
>
> I thought the Require ldap-group line locked access down to allow only the users in the group access to the repo. That is not the case though. Everyone can access any repository; as long as they have an FCGNET account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once.
>
> I tried removing the Require valid-user line; but that then doesn't allow any access.
>
> Have any clues what I am doing wrong?
>
> Thanks.

I don't know a lot about apache auth configuration. But I think you want to configure LDAP auth separately for each repository location block. Within each block, use an LDAP URL that matches the specific group which should have access to this repository.

Unfortunately, I cannot provide any example configuration files. But I've seen a configuration that worked as described above within a large enterprise just a couple weeks ago. So I know that it should work, given the right configuration.

Hope this helps, and good luck,
Stefan
Re: locking down access to a repository
I don't know if I replied correctly the first time:

> First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves.

I have done that. Each repo has its own configuration file. That is this portion:

    <Location /repository_name>
        dav svn
        SVNPath /disk01/home/repository_name
        AuthType Basic
        AuthBasicProvider ldap-FCGNET ldap-VIET
        AuthzLDAPAuthoritative off
        AuthName "CSC Subversion Repository"
        Require valid-user
        Require ldap-group CN=AD Group Name,OU=Europe,OU=Groups,DC=fcg,DC=com
        Require ldap-user pmoss
    </Location>

> Second, it's hard to help troubleshoot when you don't provide useful information or a direct question. Was there something you needed help with? I didn't see any questions other than "Can someone lend a hand in figuring out what I have done wrong, or need to do?"

1. I need to be able to lock down each repository to allow only the users, within the associated AD group, to have access to the repository.
2. At the same time I need to be able to allow my, single, user account access to the repositories, without having to be added to every AD group.

I have not done that successfully. Right now all users can access all repositories.

What I have tried so far:

I thought the Require ldap-group line locked access down to allow only the users in the group access to the repo. That is not the case.

I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once. So, I added the lines to the very first repository configuration file.

I tried removing the Require valid-user line; but that then doesn't allow any access at all.

PATI MOSS
System Engineer Sr. Professional
CSC
575 E. Swedesford Road, Suite 300, Wayne, PA 19464
GIS | p: 610.989.7105 | f: 610.989.7100 | pmo...@csc.com | www.csc.com

From: opensrcguru opensrcg...@gmail.com
To: Patricia A Moss/USA/c...@csc
Date: 11/09/2010 09:22 AM
Subject: Re: locking down access to a repository

> On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss pmo...@csc.com wrote:
>
> > I think this is the correct mailing list for this question.
> >
> > I am LDAP authenticating against 2 domain controllers; in 2 different locations. I thought that I was locking down each repository to allow only users, included in a specific AD group, to have read/write access to a repository. I say supposedly because apparently the second part is not working. Right now, anyone can access any repository. Can someone lend a hand in figuring out what I have done wrong, or need to do?
> >
> > Here is what I have:
> >
> > I've configured my ldap aliases as follows:
> >
> >     <AuthnProviderAlias ldap ldap-FCGNET>
> >         AuthLDAPBindDN FCGNET\svnuser
> >         AuthLDAPBindPassword x
> >         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> >     </AuthnProviderAlias>
> >
> >     <AuthnProviderAlias ldap ldap-VIET>
> >         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> >         AuthLDAPBindPassword xxx
> >         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> >     </AuthnProviderAlias>
> >
> > Then in each specific repository configuration file, I have the following:
> >
> >     <Location /FDCertifications>
> >         dav svn
> >         SVNPath /disk01/home/FDCertifications
> >         AuthType Basic
> >         AuthBasicProvider ldap-FCGNET ldap-VIET
> >         AuthzLDAPAuthoritative off
> >         AuthName "CSC Subversion Repository"
> >         Require valid-user
> >         Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> >         Require ldap-user pmoss
> >     </Location>
> >
> > I thought the Require ldap-group line locked access down to allow only the users in the group access to the repo. That is not the case though. Everyone can access any repository; as long as they have an FCGNET account.
> >
> > I tried adding the AuthnProviderAlias lines to each config file, but I get an error because it only needs to be defined once.
> >
> > I tried removing the Require valid-user line; but that then doesn't allow any access.
> >
> > Have any clues what I am doing wrong?
> >
> > Thanks.
> >
> > PATI MOSS
> > System Engineer Sr. Professional
> > CSC
>
> First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves. These may be of assistance in configuring authorization (depending on your needs):
>
> http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz
> http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz
>
> Second, it's hard to help troubleshoot when you don't
RE: locking down access to a repository
> But if I remove that line then no one can access the repository

Most likely because something else in the configuration isn't quite right... I would suggest setting things up and testing with one LDAP server at a time to verify the configuration of each before trying to combine them.

    <Location /svn>
        AuthName "Subversion Server"
        AuthType Basic
        AuthBasicAuthoritative On
        AuthBasicProvider ldap
        # If ldap checks are used with non-ldap (valid-user), set this to off
        AuthzLDAPAuthoritative off
        AuthLDAPURL ldaps://gc.company.com:3269/DC=domain,DC=comp,DC=company,DC=com?sAMAccountName?sub?(objectCategory=user)
        AuthLDAPBindDN CN=ADMIN,OU=Users,DC=domain,DC=comp,DC=company,DC=com
        AuthLDAPBindPassword pa$$w0rd
    </Location>

    <Location /svn/bu/repo1>
        DAV svn
        SVNPath /Repositories/bu/repo1
        SVNPathAuthz off
        #1 The following users/groups will have read-write permission
        Require ldap-group CN=REPO1_USERS,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
        Require ldap-group CN=Admins,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
        Require ldap-user someid
        <Limit GET PROPFIND OPTIONS REPORT>
            #2 For any read-only operation, allow these additional users/groups
            Require valid-user
        </Limit>
    </Location>

I know this works. After the #1 line, add Require directives for all the groups/users that should have read-write access. After the #2 line, add any Require directives for any groups/users that should also have read-only access. In this example, Require valid-user is used to mean that any authenticated user has read-only access to the repository. The first Location block must come first; repeat the second Location block as many times as necessary for each repository.

From: Patricia A Moss [mailto:pmo...@csc.com]
Sent: Tuesday, November 09, 2010 9:42 AM
To: kmra...@rockwellcollins.com
Cc: users@subversion.apache.org
Subject: Re: locking down access to a repository

> > I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)
>
> But if I remove that line then no one can access the repository.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: kmra...@rockwellcollins.com
> To: Patricia A Moss/USA/c...@csc
> Cc: users@subversion.apache.org
> Date: 11/09/2010 10:38 AM
> Subject: Re: locking down access to a repository
>
> > Stefan Sperling s...@elego.de wrote on 11/09/2010 08:34:37 AM:
> >
> > > > I've configured my ldap aliases as follows:
> > > >
> > > >     <AuthnProviderAlias ldap ldap-FCGNET>
> > > >         AuthLDAPBindDN FCGNET\svnuser
> > > >         AuthLDAPBindPassword x
> > > >         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> > > >     </AuthnProviderAlias>
> > > >
> > > >     <AuthnProviderAlias ldap ldap-VIET>
> > > >         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> > > >         AuthLDAPBindPassword xxx
> > > >         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> > > >     </AuthnProviderAlias>
> > > >
> > > > Then in each specific repository configuration file, I have the following:
> > > >
> > > >     <Location /FDCertifications>
> > > >         dav svn
> > > >         SVNPath /disk01/home/FDCertifications
> > > >         AuthType Basic
> > > >         AuthBasicProvider ldap-FCGNET ldap-VIET
> > > >         AuthzLDAPAuthoritative off
> > > >         AuthName "CSC Subversion Repository"
> > > >         Require valid-user
> > > >         Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> > > >         Require ldap-user pmoss
> > > >     </Location>
> >
> > I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)
> >
> > Kevin R.
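Kevin R.'s point that Apache 2.2 treats every Require line as an independent way to pass, and the read-only <Limit> pattern from the working example above, combined into one added example (not configuration from any of the posters): the repository Location block as originally posted in this thread, beside a corrected one. The names, paths and DNs are those quoted in the thread; the bind password is a placeholder, and the second directory (ldap-VIET) is left out so that one LDAP server is tested at a time, as suggested above.

```apache
# --- As posted (weak). Under Apache 2.2 a request is authorized as soon as
# ANY Require line matches. Whether the ldap-group check fails for a user who
# is not in the group, or is never evaluated at all because no AuthLDAPURL is
# in scope for this Location, mod_authnz_ldap declines (AuthzLDAPAuthoritative
# off) and mod_authz_user then accepts the request on "Require valid-user".
# Net effect: every authenticated FCGNET account gets read-write access.
<Location /FDCertifications-as-posted>
    dav svn
    SVNPath /disk01/home/FDCertifications
    AuthType Basic
    AuthName "CSC Subversion Repository"
    AuthBasicProvider ldap-FCGNET
    AuthzLDAPAuthoritative off
    Require valid-user
    Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>

# --- Corrected. Read-write is limited to the AD group plus the one admin
# account (the "my own account without joining every AD group" need).
# "Require valid-user" survives only inside <Limit>, so any authenticated user
# can still check out (read-only WebDAV methods) but not commit. Remove the
# <Limit> block if read access should be group-only as well.
<Location /FDCertifications>
    dav svn
    SVNPath /disk01/home/FDCertifications
    AuthType Basic
    AuthName "CSC Subversion Repository"
    AuthBasicProvider ldap
    # In 2.2 the ldap-group and ldap-user checks run against the AuthLDAPURL
    # in effect for this Location, not the one inside an AuthnProviderAlias;
    # the working example above inherits it from a parent <Location /svn>.
    # Here it is set directly, for one directory at a time.
    AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?sAMAccountName?sub?(objectCategory=person)
    AuthLDAPBindDN FCGNET\svnuser
    AuthLDAPBindPassword PLACEHOLDER_BIND_PASSWORD
    # Stays off so that mod_authz_user can still evaluate the valid-user rule
    # inside <Limit> after mod_authnz_ldap has declined.
    AuthzLDAPAuthoritative off
    # AD group objects list their members by DN in "member"; 2.2 does not
    # expand nested groups, so users must be direct members of the group.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </Limit>
</Location>
```

With LogLevel debug, mod_authnz_ldap writes each group comparison it makes to the error log, which shows directly whether the ldap-group rule is being evaluated for a request or declined before any comparison.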
Re: locking down access to a repository
I appreciate all of the help that I am receiving. I have still not been successful in resolving this.

I removed the line:

    Require valid-user

I have tried using:

    ?samAccountName?sub?(objectClass=*)

Instead of:

    ?samAccountName?sub?(objectCategory=person)

That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.

I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.

PATI MOSS
System Engineer Sr. Professional
CSC

From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 11:13 AM
Subject: Re: locking down access to a repository

> Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:
>
> > From: Patricia A Moss pmo...@csc.com
> > To: kmra...@rockwellcollins.com
> > Cc: users@subversion.apache.org
> > Date: 11/09/2010 09:41 AM
> > Subject: Re: locking down access to a repository
> >
> > > I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)
> >
> > But if I remove that line then no one can access the repository.
>
> I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):
>
> (Assuming active directory, this is like what I have used in the past)
>
>     AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName
>     AuthLDAPGroupAttribute member
>     Require ldap-group ...
>
> It has been quite a while since I used ldap groups instead of authz files...
>
> This first google hit has some examples:
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
>
> As does this one:
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
>
> Kevin R.
Re: locking down access to a repository
On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss pmo...@csc.com wrote:

> I appreciate all of the help that I am receiving. I have still not been successful in resolving this.
>
> I removed the line:
>
>     Require valid-user
>
> I have tried using:
>
>     ?samAccountName?sub?(objectClass=*)
>
> Instead of:
>
>     ?samAccountName?sub?(objectCategory=person)
>
> That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.
>
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: kmra...@rockwellcollins.com
> To: Patricia A Moss/USA/c...@csc
> Cc: users@subversion.apache.org
> Date: 11/09/2010 11:13 AM
> Subject: Re: locking down access to a repository
>
> > Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:
> >
> > > From: Patricia A Moss pmo...@csc.com
> > > To: kmra...@rockwellcollins.com
> > > Cc: users@subversion.apache.org
> > > Date: 11/09/2010 09:41 AM
> > > Subject: Re: locking down access to a repository
> > >
> > > > I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)
> > >
> > > But if I remove that line then no one can access the repository.
> >
> > I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):
> >
> > (Assuming active directory, this is like what I have used in the past)
> >
> >     AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName
> >     AuthLDAPGroupAttribute member
> >     Require ldap-group ...
> >
> > It has been quite a while since I used ldap groups instead of authz files...
> >
> > This first google hit has some examples:
> > http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
> >
> > As does this one:
> > http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
> >
> > Kevin R.

Although this is probably better suited for the apache/mod_ldap list, I'll attempt to help.

do your domain controllers support unencrypted binds (very dangerous)?
can you supply any apache/AD debug logs?
can you supply versions of apache/mod_ldap?
can you describe anything that is known to be working?

...this should be pretty straightforward to troubleshoot if you give us some useful information to work with. I speak without a full understanding of the list's user base, but I bet none of them can or ever will be able to read the minds of the end user with a problem (let alone know how their systems are configured). If there is such a wonderful beasty, I'd be mighty interested in meeting them.

/OSG
Re: locking down access to a repository
I've tried twice to reply to your first response. I am not sure why it is not posting. I am going to try again.

> First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves.

I have done this already. I have a separate configuration file for each repository. That looks like this:

    <Location /RepositoryName>
        dav svn
        SVNPath /disk01/home/RepositoryName
        AuthType Basic
        AuthBasicProvider ldap-FCGNET ldap-VIET
        AuthzLDAPAuthoritative off
        AuthName "CSC Subversion Repository"
        Require valid-user
        Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
        Require ldap-user pmoss
    </Location>

I have defined the LDAP Aliases in the very first repository configuration file; as such:

    <AuthnProviderAlias ldap ldap-FCGNET>
        AuthLDAPBindDN FCGNET\svnuser
        AuthLDAPBindPassword x
        AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-VIET>
        AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
        AuthLDAPBindPassword xxx
        AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
    </AuthnProviderAlias>

> Second, it's hard to help troubleshoot when you don't provide useful information or a direct question. Was there something you needed help with? I didn't see any questions other than "Can someone lend a hand in figuring out what I have done wrong, or need to do?"

I think that I have 2 separate issues:

1. I need to lock down access so that only the users in the associated AD group have access to the repository.
2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.

Right now; All, valid, users can access all repositories, whether they are a member of the Active Directory group or not. When I remove the Require valid-user line then no one, including the members of the Active Directory group, can access the repository.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru opensrcg...@gmail.com
To: users@subversion.apache.org
Date: 11/09/2010 02:12 PM
Subject: Re: locking down access to a repository

> On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss pmo...@csc.com wrote:
>
> > I appreciate all of the help that I am receiving. I have still not been successful in resolving this.
> >
> > I removed the line:
> >
> >     Require valid-user
> >
> > I have tried using:
> >
> >     ?samAccountName?sub?(objectClass=*)
> >
> > Instead of:
> >
> >     ?samAccountName?sub?(objectCategory=person)
> >
> > That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.
> >
> > I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.
> >
> > PATI MOSS
> > System Engineer Sr. Professional
> > CSC
> >
> > From: kmra...@rockwellcollins.com
> > To: Patricia A Moss/USA/c...@csc
> > Cc: users@subversion.apache.org
> > Date: 11/09/2010 11:13 AM
> > Subject: Re: locking down access to a repository
> >
> > > Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:
> > >
> > > > From: Patricia A Moss pmo...@csc.com
> > > > To: kmra...@rockwellcollins.com
> > > > Cc: users@subversion.apache.org
> > > > Date: 11/09/2010 09:41 AM
> > > > Subject: Re: locking down access to a repository
> > > >
> > > > > I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)
> > > >
> > > > But if I remove that line then no one can access the repository.
> > >
> > > I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):
> > >
> > > (Assuming active directory, this is like what I have used in the past)
> > >
> > >     AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName
> > >     AuthLDAPGroupAttribute member
> > >     Require ldap-group ...
> > >
> > > It has been quite a while since I used ldap groups instead of authz files...
> > >
> > > This first google hit has some examples:
> > > http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
> > >
> > > As does this one:
> > > http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
> > >
> > > Kevin R.
>
> Although this is probably better suited for the apache/mod_ldap list, I'll attempt to help.
>
> do your domain controllers support unencrypted binds (very dangerous)?
> can you supply any apache/AD debug logs?
> can you supply versions of apache/mod_ldap?
> can you describe anything that is known to be working?
>
> ...this should be pretty straightforward to troubleshoot if you give us some useful information to work with. I speak without a full understanding of the list's user base, but I bet none of them can or ever will be able to read the minds of the end user with a problem (let alone know
Re: locking down access to a repository
On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss pmo...@csc.com wrote:

> I've tried twice to reply to your first response. I am not sure why it is not posting. I am going to try again.
>
> > First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves.
>
> I have done this already. I have a separate configuration file for each repository. That looks like this:
>
>     <Location /RepositoryName>
>         dav svn
>         SVNPath /disk01/home/RepositoryName
>         AuthType Basic
>         AuthBasicProvider ldap-FCGNET ldap-VIET
>         AuthzLDAPAuthoritative off
>         AuthName "CSC Subversion Repository"
>         Require valid-user
>         Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
>         Require ldap-user pmoss
>     </Location>
>
> I have defined the LDAP Aliases in the very first repository configuration file; as such:
>
>     <AuthnProviderAlias ldap ldap-FCGNET>
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword x
>         AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
>     </AuthnProviderAlias>
>
>     <AuthnProviderAlias ldap ldap-VIET>
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxx
>         AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
>     </AuthnProviderAlias>
>
> > Second, it's hard to help troubleshoot when you don't provide useful information or a direct question. Was there something you needed help with? I didn't see any questions other than "Can someone lend a hand in figuring out what I have done wrong, or need to do?"
>
> I think that I have 2 separate issues:
>
> 1. I need to lock down access so that only the users in the associated AD group have access to the repository.
> 2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.
>
> Right now; All, valid, users can access all repositories, whether they are a member of the Active Directory group or not. When I remove the Require valid-user line then no one, including the members of the Active Directory group, can access the repository.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> From: opensrcguru opensrcg...@gmail.com
> To: users@subversion.apache.org
> Date: 11/09/2010 02:12 PM
> Subject: Re: locking down access to a repository
>
> > On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss pmo...@csc.com wrote:
> >
> > > I appreciate all of the help that I am receiving. I have still not been successful in resolving this.
> > >
> > > I removed the line:
> > >
> > >     Require valid-user
> > >
> > > I have tried using:
> > >
> > >     ?samAccountName?sub?(objectClass=*)
> > >
> > > Instead of:
> > >
> > >     ?samAccountName?sub?(objectCategory=person)
> > >
> > > That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository.
> > >
> > > I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.
> > >
> > > PATI MOSS
> > > System Engineer Sr. Professional
> > > CSC
> > >
> > > From: kmra...@rockwellcollins.com
> > > To: Patricia A Moss/USA/c...@csc
> > > Cc: users@subversion.apache.org
> > > Date: 11/09/2010 11:13 AM
> > > Subject: Re: locking down access to a repository
> > >
> > > > Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:
> > > >
> > > > > From: Patricia A Moss pmo...@csc.com
> > > > > To: kmra...@rockwellcollins.com
> > > > > Cc: users@subversion.apache.org
> > > > > Date: 11/09/2010 09:41 AM
> > > > > Subject: Re: locking down access to a repository
> > > > >
> > > > > > I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care you are also specifying a group and a user.)
> > > > >
> > > > > But if I remove that line then no one can access the repository.
> > > >
> > > > I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):
> > > >
> > > > (Assuming active directory, this is like what I have used in the past)
> > > >
> > > >     AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName
> > > >     AuthLDAPGroupAttribute member
> > > >     Require ldap-group ...
> > > >
> > > > It has been quite a while since I used ldap groups instead of authz files...
> > > >
> > > > This first google hit has some examples:
> > > > http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
> > > >
> > > > As does this one:
> > > > http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
> > > >
> > > > Kevin R.
> >
> > Although this is probably better suited for the apache/mod_ldap list, I'll attempt to help.
> >
> > do your domain controllers support unencrypted binds (very dangerous)?
> > can you supply any apache/AD debug logs?
> > can you supply versions of apache/mod_ldap?
> > can you describe anything that is known to be working?
> >
> > ...this should be pretty straightforward to troubleshoot if you give us some useful information to work with. I
Re: locking down access to a repository
I was trying to go back and answer your very first response and then go from there. My first reply didn't post to you. I didn't want to skip any steps. I don't think that your response had levity, but more so rudeness and sarcasm. I simply wanted to make sure that you saw my first response and that it answered those first questions. THEN I would have moved on to the next set of questions.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru opensrcg...@gmail.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 03:03 PM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 1:40 PM, Patricia A Moss pmo...@csc.com wrote:

I've tried twice to reply to your first response. I am not sure why it is not posting. I am going to try again.

First. LDAP (authentication) is only 1/2 of the big picture. You will still need to configure authorization on the repos themselves.

I have done this already. I have a separate configuration file for each repository. That looks like this:

Location /RepositoryName
dav svn
SVNPath /disk01/home/RepositoryName
AuthType Basic
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthzLDAPAuthoritative off
AuthName CSC Subversion Repository
Require valid-user
Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
Require ldap-user pmoss
/Location

I have defined the LDAP Aliases in the very first repository configuration file; as such:

AuthnProviderAlias ldap ldap-FCGNET
AuthLDAPBindDN FCGNET\svnuser
AuthLDAPBindPassword x
AuthLDAPURL ldap://xx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
/AuthnProviderAlias

AuthnProviderAlias ldap ldap-VIET
AuthLDAPBindDN CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com
AuthLDAPBindPassword xxx
AuthLDAPURL ldap://x.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
/AuthnProviderAlias

Second, it's hard to help troubleshoot when you don't provide useful information or a direct question. Was there something you needed help with? I didn't see any questions other than "Can someone lend a hand in figuring out what I have done wrong, or need to do?"

I think that I have 2 separate issues:

1. I need to lock down access so that only the users in the associated AD group have access to the repository.
2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.

Right now, all valid users can access all repositories, whether they are a member of the Active Directory group or not. When I remove the Require valid-user line then no one, including the members of the Active Directory group, can access the repository.

PATI MOSS
System Engineer Sr. Professional
CSC

From: opensrcguru opensrcg...@gmail.com
To: users@subversion.apache.org
Date: 11/09/2010 02:12 PM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss pmo...@csc.com wrote:

I appreciate all of the help that I am receiving. I have still not been successful in resolving this.

I removed the line:
Require valid-user

I have tried using:
?samAccountName?sub?(objectClass=*)

Instead of:
?samAccountName?sub?(objectCategory=person)

That is the only difference I see in my config files and the examples in the google hits. Yet I am still not successful in accessing the repository. I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I am really confused as to how to proceed.

PATI MOSS
System Engineer Sr. Professional
CSC

From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 11:13 AM
Subject: Re: locking down access to a repository

Patricia A Moss pmo...@csc.com wrote on 11/09/2010 09:41:42 AM:

From: Patricia A Moss pmo...@csc.com
To: kmra...@rockwellcollins.com
Cc: users@subversion.apache.org
Date: 11/09/2010 09:41 AM
Subject: Re: locking down access to a repository

I don't think you want the Require valid-user line, since by default it uses ANY of the Require lines as matches. (And in your case valid-user matches all users so it doesn't care that you are also specifying a group and a user.)

But if I remove that line then no one can access the repository.

I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):

(Assuming active directory, this is like what I have used in the past)
AuthLDAPURL ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName;
AuthLDAPGroupAttribute member
Require ldap-group ...

It has been quite a while since I used ldap groups instead of authz files... This first google hit has some examples: http://www.held-im
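The authorization problem the thread circles around, as an added example configuration that is mine and not a config from any of the posts above: in httpd 2.2 the Require lines in a section are ORed, so a `Require valid-user` next to `Require ldap-group` grants access to every account that can authenticate and the group line never matters. Dropping `valid-user` is only half the fix. In 2.2, `<AuthnProviderAlias>` feeds authentication only; mod_authnz_ldap's `ldap-group` and `ldap-user` checks read `AuthLDAPURL` (and the bind credentials) from the `<Location>` itself, and when that is missing the module declines and nobody gets in, which is the symptom reported after removing `valid-user`. The block below repeats those directives inside the section and restricts itself to one directory, since one `<Location>` can only authorize against one `AuthLDAPURL`. Hostnames, DNs, file paths, the CA file and the `ldaps://` global-catalog endpoint on port 3269 are placeholders, not values from the thread.

```apache
# Added example (not from the original posts): httpd 2.2 + mod_authnz_ldap,
# one repository locked to one AD group plus one named administrator.
# Hostnames, DNs, paths and credentials below are placeholders.

# Server context: trust the AD CA so ldaps:// can be verified by mod_ldap.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem

# Authentication provider, aliased once in the server config.
# ldaps:// (3269 = global catalog over TLS) keeps user passwords and the
# service-account bind password off the wire in clear text.
<AuthnProviderAlias ldap ldap-FCGNET>
    AuthLDAPBindDN       "FCGNET\svnuser"
    AuthLDAPBindPassword "replace-me"
    AuthLDAPURL "ldaps://gc.fcg.example:3269/DC=fcg,DC=com?sAMAccountName?sub?(objectCategory=person)"
</AuthnProviderAlias>

<Location /FDCertifications>
    DAV svn
    SVNPath /disk01/home/FDCertifications

    # Basic auth only base64-encodes credentials, so refuse plain HTTP here.
    SSLRequireSSL

    AuthType Basic
    AuthName "CSC Subversion Repository"
    AuthBasicProvider ldap-FCGNET

    # 2.2 caveat: the alias above covers authentication only. The ldap-group /
    # ldap-user authorization checks use the AuthLDAPURL of *this* section, so
    # the URL and bind credentials have to be repeated here.
    AuthLDAPBindDN       "FCGNET\svnuser"
    AuthLDAPBindPassword "replace-me"
    AuthLDAPURL "ldaps://gc.fcg.example:3269/DC=fcg,DC=com?sAMAccountName?sub?(objectCategory=person)"

    # AD group membership lives in the "member" attribute as full DNs
    # (IsDN on is the default; stated explicitly so the intent is visible).
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # mod_authnz_ldap has the final say: a user outside the group gets 401
    # instead of being passed on to another authz module that might allow them.
    AuthzLDAPAuthoritative on

    # Require lines are ORed. No "Require valid-user" here: that single line
    # matches every authenticated account and makes the group check moot.
    # Group DNs may contain spaces; in 2.2 the rest of the line is the DN.
    Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>
```

Two checks before trusting this: run `apachectl -t` (syntax) and then, with `LogLevel debug`, fetch the repository URL as an account that is in the group, as one that is not, and as `pmoss`; mod_authnz_ldap logs each `auth_ldap authorise` decision, so the denied case should show the group comparison failing rather than a decline because no `AuthLDAPURL` was set. On httpd 2.4 the same intent is written as a `<RequireAny>` block containing the `ldap-group` and `ldap-user` lines, `AuthzLDAPAuthoritative` no longer exists, and the per-section `AuthLDAPURL` is still needed for the group lookup. Because the bind password sits in the config file, keep that file readable only by root and the httpd user, or prefer a service account whose only right is to read the directory.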
Re: locking down access to a repository
opensrcguru wrote on Tue, Nov 09, 2010 at 14:03:32 -0600: I figured it out. You can't (or refuse to) read. Quit your job and apply at wal-mart as a greeter. This tone is completely unnecessary, Terry.
Re: locking down access to a repository
On 11/09/2010 06:44 PM, Daniel Shahaf wrote: opensrcguru wrote on Tue, Nov 09, 2010 at 14:03:32 -0600: I figured it out. You can't (or refuse to) read. Quit your job and apply at wal-mart as a greeter. This tone is completely unnecessary, Terry. Agreed. Generally, my professionalism far exceeds that of any other, but today the stresses of life got the best of me. My apologies go to Ms. Moss and the list.