This is a simplified Apache configuration that is intended to provide access to 
Subversion for users that are members of either of two different LDAP groups 
in two different domains: SVN_Group1 in Domain1 or SVN_Group2 in Domain2. It is 
not working currently.

    <AuthnProviderAlias ldap ldap-Domain1>
       AuthLDAPBindDN "CN=ServiceAccount1,OU=ServiceAccounts,OU=AD,OU=US,DC=domain1,DC=net"
       AuthLDAPBindPassword password1
       AuthLDAPURL "ldap://domain1:3268/DC=domain1,DC=net?sAMAccountName?sub?(objectClass=*)"
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-Domain2>
       AuthLDAPBindDN "CN=ServiceAccount2,OU=Service Accounts,DC=domain2,DC=net"
       AuthLDAPBindPassword password2
       AuthLDAPURL "ldap://domain2.net:3268/DC=internal,DC=domain2,DC=net?sAMAccountName?sub?(objectClass=*)"
    </AuthnProviderAlias>

    <Location "/svn">
       DAV svn
       SVNParentPath D:/Svn/Repository/Data
       AuthType Basic
       AuthName "Subversion Server"
       AuthBasicProvider ldap-Domain1 ldap-Domain2
       AuthzLDAPAuthoritative off

       require ldap-group CN=SVN_Group1,OU=Groups,OU=AD,OU=US,DC=domain1,DC=net
       require ldap-group CN=SVN_Group2,OU=Groups,OU=MA,OU=AMER,DC=domain2,DC=net
    </Location>

My Apache error log reports the following errors when I try to access 
Subversion:

    [Fri Jun 30 14:54:55 2017] [warn] [client <my-ip-address>] [5668] auth_ldap authenticate: user <my-username> authentication failed; URI /svn/repository/tools [User not found][No Such Object]
    [Fri Jun 30 14:54:56 2017] [error] [client <my-ip-address>] access to /svn/repository/tools failed, reason: require directives present and no Authoritative handler.

I am running Apache 2.2.

The Apache modules that are loaded include:
auth_basic_module
authn_alias_module
authn_default_module
authz_default_module
authnz_ldap_module
ldap_module

A configuration which referenced only SVN_Group1 in Domain1 has been working 
for years.

SVN_Group2 is a universal group.
SVN_Group1 is a domain-local group.

If I remove the "require ldap-group" directives and add "require valid-user" 
instead, access is granted to users who are not members of either group, which 
is unacceptable. However, that demonstrates that my LDAPBindDN, LDAPBindPassword 
and LDAPURL entries are correct.

I've tried using the "Satisfy any" directive, but that also grants access to 
users who are not members of either group.

I've looked at many other discussions of similar configurations, and tried many 
suggestions I found there, but they have not helped. However I have not found 
any samples that use multiple ldap-groups located in different domains.

Can anyone propose a solution to this problem?



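The following is an added example, not part of the original post and not the poster's configuration. It shows how the two-domain group check is expressed on Apache 2.4 rather than the 2.2 the poster is running. The point it illustrates: an `<AuthnProviderAlias>` carries authentication settings only. The `Require ldap-group` check is evaluated by mod_authnz_ldap with whatever `AuthLDAPURL` is in force in the enclosing `<Location>`, and the posted `<Location>` has none, so the ldap-group check cannot run and authorization falls through to the "no Authoritative handler" failure. Apache 2.4 adds `<AuthzProviderAlias>` (mod_authz_core), which lets each group `Require` carry its own `AuthLDAPURL` and bind credentials; there is no equivalent in 2.2. The bind DNs, URLs, group DNs and placeholder passwords are copied from the post; the alias names `svn-group-Domain1` and `svn-group-Domain2` are my own.

```apache
# Added example (Apache 2.4). Assumes mod_auth_basic, mod_authn_core,
# mod_authz_core, mod_authnz_ldap, mod_ldap and mod_dav_svn are loaded.
# Passwords are the placeholders from the post; keep real ones out of httpd.conf
# or restrict its permissions, as any file with AuthLDAPBindPassword must be.

# Authentication: try Domain1, then Domain2 (unchanged from the post).
<AuthnProviderAlias ldap ldap-Domain1>
    AuthLDAPBindDN       "CN=ServiceAccount1,OU=ServiceAccounts,OU=AD,OU=US,DC=domain1,DC=net"
    AuthLDAPBindPassword password1
    AuthLDAPURL          "ldap://domain1:3268/DC=domain1,DC=net?sAMAccountName?sub?(objectClass=*)"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-Domain2>
    AuthLDAPBindDN       "CN=ServiceAccount2,OU=Service Accounts,DC=domain2,DC=net"
    AuthLDAPBindPassword password2
    AuthLDAPURL          "ldap://domain2.net:3268/DC=internal,DC=domain2,DC=net?sAMAccountName?sub?(objectClass=*)"
</AuthnProviderAlias>

# Authorization: one alias per directory. The group DN is fixed here as the
# Require parameter, and the check is made against that alias's own URL with
# that alias's own credentials, independent of which provider authenticated.
<AuthzProviderAlias ldap-group svn-group-Domain1 "CN=SVN_Group1,OU=Groups,OU=AD,OU=US,DC=domain1,DC=net">
    AuthLDAPBindDN       "CN=ServiceAccount1,OU=ServiceAccounts,OU=AD,OU=US,DC=domain1,DC=net"
    AuthLDAPBindPassword password1
    AuthLDAPURL          "ldap://domain1:3268/DC=domain1,DC=net?sAMAccountName?sub?(objectClass=*)"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group svn-group-Domain2 "CN=SVN_Group2,OU=Groups,OU=MA,OU=AMER,DC=domain2,DC=net">
    AuthLDAPBindDN       "CN=ServiceAccount2,OU=Service Accounts,DC=domain2,DC=net"
    AuthLDAPBindPassword password2
    AuthLDAPURL          "ldap://domain2.net:3268/DC=internal,DC=domain2,DC=net?sAMAccountName?sub?(objectClass=*)"
</AuthzProviderAlias>

<Location "/svn">
    DAV svn
    SVNParentPath D:/Svn/Repository/Data
    AuthType Basic
    AuthName "Subversion Server"
    AuthBasicProvider ldap-Domain1 ldap-Domain2

    # 2.4 has neither AuthzLDAPAuthoritative nor "Satisfy any"; membership in
    # either group is sufficient, and nothing else grants access, so a user who
    # authenticates but is in neither group gets 403 rather than the
    # "require valid-user" behaviour the post describes.
    <RequireAny>
        Require svn-group-Domain1
        Require svn-group-Domain2
    </RequireAny>
</Location>
```

A note on how the two aliases interact: both group checks run for the same authenticated user, so a Domain1 user is also compared against SVN_Group2 and simply fails that branch, which `<RequireAny>` tolerates. If either group is nested rather than a direct member list, `AuthLDAPMaxSubGroupDepth` and `AuthLDAPSubGroupAttribute` inside the relevant `<AuthzProviderAlias>` control how far mod_authnz_ldap follows the nesting; the defaults check direct membership via the `member` attribute, which is what Active Directory populates.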