On Tue, Jul 18, 2017 at 12:33:32PM +0200, Branko Čibej wrote:
> On 18.07.2017 10:20, Ravi Roy wrote:
> >
> >
> > On Mon, Jul 17, 2017 at 8:03 PM, Ravi Roy <ravi.a...@gmail.com
> > <mailto:ravi.a...@gmail.com>> wrote:
> >
> >
> >         You should remove these lines:
> >
> >             Satisfy any
> >             Order allow,deny
> >             Allow from all
> >             AuthUserFile /dev/null
> >
> >
> >         then add
> >
> >             Satisfy all
> >
> >
> >         I also suggest you add the HEAD method to the LimitExcept
> >         directive.
> >
> >
> >
> > This does not work; it bypasses AuthzSVNAccessFile and gives repo
> > access to all valid users who exist in the LDAP directory. Does
> > somebody know why it is causing this? Thanks
> > Ravi.
> 
> 
> I have a practically identical configuration (with slightly more complex
> access rules) and it does work for me. I suggest you turn on verbose
> logging in httpd and check the logs to see what's happening.
> 
> My config looks like this:

I suspect the use of mod_auth_compat is Roy's problem here.
His config is using a 2.2-style authorization config.

Not upgrading authorization configs to the new 2.4 syntax
can cause surprises.
Read the fine manual at http://httpd.apache.org/docs/2.4/upgrading.html
and live happily ever after :)

> 
>     RedirectMatch permanent ^(/repos)$ $1/
>     <Location /repos/>
>         AuthType basic
>         AuthName "Subversion"
>         AuthBasicProvider ldap
> 
>         AuthLDAPUrl "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
>         AuthLDAPGroupAttribute memberUid
>         AuthLDAPGroupAttributeIsDN off
>         AuthLDAPBindDN cn=admin,dc=example,dc=com
>         AuthLDAPBindPassword "example.com"
> 
>         <RequireAll>
>             Require valid-user
>             <Limit HEAD GET OPTIONS PROPFIND REPORT>
>                 <RequireAny>
>                     # Read access
>                     Require ldap-group cn=dev,ou=group,dc=example,dc=com
>                     Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
>                 </RequireAny>
>             </Limit>
>             <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
>                 <RequireAny>
>                     # Write access
>                     Require ldap-group cn=dev,ou=group,dc=example,dc=com
>                 </RequireAny>                 
>             </LimitExcept>
>         </RequireAll>
> 
>         DAV svn
>         SVNParentPath /srv/repos
>         SVNListParentPath on
>         SVNPathAuthz short_circuit
>         AuthzSVNAccessFile file:///srv/repos/admin/access.conf
>     </Location>
> 
> 
> 
> -- Brane
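
One way to check a config for the 2.2-style authorization directives discussed above, as an added example that is not part of the original thread: it flags Order, Allow, Deny and Satisfy (which httpd 2.4 provides only through mod_access_compat) and reports every section that mixes them with 2.4-style Require. The name `audit` and the sample config are constructed for illustration; line continuations and Include files are not followed.

```python
import re

# 2.2-style access control; httpd 2.4 provides these only via mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}
# 2.4-style authorization (mod_authz_core): Require and its containers.
MODERN = {"require", "requireall", "requireany", "requirenone"}
# Containers that set the scope in which the two styles would be mixed.
SCOPES = {"location", "locationmatch", "directory", "directorymatch",
          "files", "filesmatch", "virtualhost"}
OPEN = re.compile(r"^<\s*([A-Za-z]+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

# Constructed sample; the three 2.2-style lines are the ones quoted in the thread.
SAMPLE = """\
<Location /repos/>
    AuthType Basic
    Satisfy any
    Order allow,deny
    Allow from all
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
<Location /status>
    Require ip 127.0.0.1
</Location>
"""

def audit(conf_text):
    """Return (findings, mixed_scopes); a finding is (line, scope, style, text)."""
    stack, findings, styles = [], [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]          # leave the innermost container
            continue
        m = OPEN.match(line)
        name = (m.group(1) if m else line.split()[0]).lower()
        if m:
            stack.append((name, line))
        scope = next((l for n, l in reversed(stack) if n in SCOPES), "(server config)")
        style = "2.2" if name in LEGACY else "2.4" if name in MODERN else None
        if style:
            findings.append((lineno, scope, style, line))
            styles.setdefault(scope, set()).add(style)
    return findings, sorted(s for s, seen in styles.items() if len(seen) == 2)

if __name__ == "__main__":
    print(audit(SAMPLE)[1])
```

Any scope listed in the second return value is a candidate for conversion to pure 2.4 syntax, following the upgrading guide linked above.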
