Buchan,

That worked for me. Thanks. I have another question for the mailing list.

Can I place the AuthLDAPURL, AuthzLDAPAuthoritative, AuthLDAPGroupAttributeIsDN and AuthLDAPGroupAttribute outside of <Location> and <Directory> and inside of <VirtualHost> and place just Require and Satisfy within the <Location> and <Directory> tags? I am asking because all of the <Location> and <Directory> entries are going to be using the same LDAP server and will be accessed through membership in LDAP groups.

> AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
> Satisfy All
> AuthzLDAPAuthoritative on
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPGroupAttribute memberUid
> Require ldap-group cn=developers,ou=Group,.....

Thank you,
Loren

On Jun 3, 2010, at 02:20 AM, Buchan Milne wrote:

> On Wednesday, 2 June 2010 15:56:15 Loren Cahlander wrote:
>> What does Apache2.x use to authenticate a user that belongs to a group? My
>> initial requirement for groupOfUniqueNames was that of
>> http://exist-db.org/ldap-security.html#N10149 , but since I am a
>> contributor to the eXist database project, then I can change the code to
>> meet a common specification. My priority is to get Subversion to get the
>> authenticated user of a group.
>>
>> The following works with SVN to authenticate against a single user:
>>
>> <Location /svn>
>> DAV svn
>> SVNParentPath /var/local/svn/foo.exist-db.org
>> SVNAutoversioning on
>> SVNListParentPath on
>> AuthBasicProvider ldap
>> AuthUserFile /dev/null
>> AuthType Basic
>> AuthName "Subversion Authentication"
>> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>> AuthLDAPBindPassword "1234"
>> AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
>> AuthLDAPCompareDNOnServer off
>> Require ldap-user lcahlander
>> AuthzLDAPAuthoritative on
>> </Location>
>>
>>
>> When I would like for it to be:
>>
>> <Location /svn>
>> DAV svn
>> SVNParentPath /var/local/svn/foo.exist-db.org
>> SVNAutoversioning on
>> SVNListParentPath on
>> AuthBasicProvider ldap
>> AuthUserFile /dev/null
>> AuthType Basic
>> AuthName "Subversion Authentication"
>> # The distinguished name to bind to the directory server
>> AuthLDAPBindDN "cn=admin,dc=exist-db,dc=org"
>>
>> # The password for the user above
>> AuthLDAPBindPassword "1234"
>> AuthLDAPUrl "ldap://127.0.0.1:389/ou=Users,dc=exist-db,dc=org"
>> AuthLDAPGroupAttribute memberUid
>> AuthLDAPGroupAttributeIsDN off
>> AuthLDAPCompareDNOnServer off
>>
>> AuthzLDAPAuthoritative on
>> AuthBasicAuthoritative on
>> <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>> Require ldap-group cn=dba,ou=Groups,dc=exist-db,dc=org
>> Require ldap-group cn=svn-update,ou=Groups,dc=exist-db,dc=org
>> Satisfy any
>> </Limit>
>> <Limit GET HEAD OPTIONS CONNECT POST PROPFIND>
>> Require ldap-group cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
>> Satisfy any
>> </Limit>
>> </Location>
>
>
> Something like this should work, I have something like this:
>
> AuthLDAPURL "ldaps://ldap-slaves......./ou=People,...?uid?sub?(objectclass=posixAccount)"
> Satisfy All
> AuthzLDAPAuthoritative on
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPGroupAttribute memberUid
> Require ldap-group cn=developers,ou=Group,.....
>
> Although the requirement to limit operations via svn was not that great,
> and I ran out of time to test that, so I haven't got these inside Limit
> statements at present ...
>
> I suggest starting out with a memberUid-based non-Limit config first, and if
> that works, add the Limits parts in.
>
> Regards,
> Buchan
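
An added example, not part of the original thread, of the layout asked about at the top of this message. It assumes Apache 2.2, where the mod_authnz_ldap directives are valid only in directory context (<Directory>, <Location>, .htaccess), so the shared settings sit in an enclosing <Location /> inside the virtual host rather than directly under <VirtualHost>. The server name, LDAP host, DNs, certificate paths and the /docs path are placeholders.

```apache
# Added illustration; every host name, DN and path below is a placeholder.
<VirtualHost *:443>
    ServerName svn.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/svn.example.org.key

    # Shared authentication settings, stated once. <Location /> matches
    # every URL of this virtual host, so the sections below inherit them.
    <Location />
        AuthType Basic
        AuthName "Subversion Authentication"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.org/ou=People,dc=example,dc=org?uid?sub?(objectClass=posixAccount)"
        AuthzLDAPAuthoritative on
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        # No Require here: a path is protected only where a section
        # below names the group that may reach it.
    </Location>

    # Per-path sections carry only the authorization rule.
    # Assumption: they set no AuthLDAP* directive of their own, so the
    # shared LDAP settings above are the ones in effect.
    <Location /svn>
        DAV svn
        SVNParentPath /var/local/svn/repos
        Require ldap-group cn=developers,ou=Group,dc=example,dc=org
        Satisfy All
    </Location>

    <Location /docs>
        Require ldap-group cn=docs,ou=Group,dc=example,dc=org
        Satisfy All
    </Location>
</VirtualHost>
```

Running `apachectl configtest` after the change confirms that each directive is accepted in the section where it was placed.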