> >First. LDAP (authentication) is only 1/2 of the big picture. You will
> >still need to configure authorization on the repos themselves.
> I have done this already.  I have a separate configuration file for each 
> repository.  That looks like this:
> <Location /RepositoryName>
> dav svn
> SVNPath /disk01/home/RepositoryName
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> </Location>
> I have defined the LDAP Aliases in the very first repository configuration 
> file; as such:
> <AuthnProviderAlias ldap ldap-FCGNET>
>         AuthLDAPBindDN FCGNET\svnuser
>         AuthLDAPBindPassword xxxxxxxxx
>         AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
>         AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
>         AuthLDAPBindPassword xxxxxxxxxxx
>         AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> >Second, it's hard to help troubleshoot when you don't provide useful
> >information or a direct question. Was there something you needed help
> >with? I didn't see any questions other than "Can someone lend a hand in
> >figuring out what I have done wrong, or need to do?"
> I think that I have 2 separate issues:
> 1. I need to lock down access so that only the users in the associated AD 
> group have access to the repository.
> 2. I need to be able to allow just my user account access to the 
> repositories, without having to be added to all of the AD groups.
> Right now:
> All valid users can access all repositories, whether they are a member of 
> the Active Directory group or not.
> When I remove the "Require valid-user" line then no one, including the 
> members of the Active Directory group, can access the repository.
> I appreciate all of the help that I am receiving. I have still not been 
> successful in resolving this.
> I removed the line:
> Require valid-user
> I have tried using:
> ?samAccountName?sub?(objectClass=*)
> Instead of:
> ?samAccountName?sub?(objectCategory=person)
> That is the only difference I see in my config files and the examples in the 
> google hits. Yet I am still not successful in accessing the repository.
> I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory because I 
> am really confused as to how to proceed.
> >
> > >I don't think you want the "Require valid-user" line, since by default it uses
> > >ANY of the Require lines as matches.  (And in your case valid-user matches all
> > >users so it doesn't care you are also specifying a group and a user.)
> >
> > But if I remove that line then no one can access the repository.
> I think you also may need to be less specific with your ldapurl (remove the
> objectclass or use * ??):
> (Assuming active directory, this is like what I have used in the past)
>  AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
>  AuthLDAPGroupAttribute member
>  Require ldap-group ...
> It has been quite awhile since I used ldap groups instead of authz files...
> This first google hit has some examples:
> http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
> As does this one:
> http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
> Although this is probably better suited for the apache/mod_ldap list, I'll 
> attempt to help.
> do your domain controllers support unencrypted binds (very dangerous)?
> can you supply any apache/AD debug logs?
> can you supply versions of apache/mod_ldap?
> can you describe anything that is known to be working?
> ...this should be pretty straightforward to troubleshoot if you give us some 
> useful information to work with.
> I speak without a full understanding of the list's user base, but I bet none 
> of them can or ever will be able to read the minds of the end user with a 
> problem (let alone know how their systems are configured). If there is such a 
> wonderful beasty, I'd be mighty interested in meeting them.
> /OSG
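
A configuration check for the behaviour discussed in the thread, where any one matching Require line grants access, so "Require valid-user" makes the group and user restrictions irrelevant. This is an added example, not code from the thread; the function name audit_requires and the sample configuration are constructed for illustration, and it assumes the directives sit directly inside <Location> blocks in a single file.

```python
import re

# Constructed sample modeled on the <Location> block quoted in the thread;
# the second block is a constructed, group-only variant for comparison.
SAMPLE_CONF = """\
<Location /RepositoryName>
  AuthType Basic
  AuthBasicProvider ldap-FCGNET ldap-VIET
  Require valid-user
  Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>
<Location /OtherRepository>
  AuthType Basic
  # Require valid-user
  Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
</Location>
"""

BLOCK_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)
REQUIRE_RE = re.compile(r"^\s*Require\s+(\S+)(.*)$", re.I | re.M)


def audit_requires(conf_text):
    """Return {location: [findings]} for each <Location> block.

    Multiple Require lines are alternatives, so a block that pairs
    'Require valid-user' with narrower rules is open to every
    authenticated account and the narrower rules never matter.
    """
    report = {}
    for path, body in BLOCK_RE.findall(conf_text):
        # Drop comment lines so a disabled directive is not counted.
        live = "\n".join(line for line in body.splitlines()
                         if not line.lstrip().startswith("#"))
        kinds = [m.group(1).lower() for m in REQUIRE_RE.finditer(live)]
        narrow = [k for k in kinds if k != "valid-user"]
        findings = []
        if "valid-user" in kinds and narrow:
            findings.append("valid-user overrides: " + ", ".join(narrow))
        elif not kinds:
            findings.append("no Require line in this block")
        report[path.strip()] = findings
    return report


if __name__ == "__main__":
    for loc, findings in audit_requires(SAMPLE_CONF).items():
        print(loc, "->", findings or "ok")
```

Run against the per-repository configuration files, it lists every location where a catch-all valid-user rule sits next to group or user rules.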

