Subversion authentication against Active Directory - not working

Time: 2018-05-28 13:34:14

Tags: svn active-directory apache2.4

I am trying to run my SVN with Apache 2.4 and Active Directory. I do not want to use AuthzSVNAccessFile; I only want to use AD and mod_authnz_ldap.

I found the following configuration on several sites:

<Location /puppet/>
    AuthType basic
    AuthName "Subversion Puppet"
    AuthBasicProvider ldap

    AuthLDAPBindDN ldapbind@mydomain.de
    AuthLDAPBindPassword secretpassword
    AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
    AuthLDAPGroupAttributeIsDN off
    <RequireAll>
        <Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Read access
            <RequireAny>
                Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
                Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
            </RequireAny>
        </Limit>
        <LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Write access
            Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
        </LimitExcept>
    </RequireAll>

    DAV svn
    SVNParentPath /srv/svn/puppet
    SVNListParentPath on
</Location>

Now I have the following situation:

  1. I can log in with the RW user.
  2. I cannot log in with the RO user.
  3. If I comment out the RW part, I can also log in with the RO user.
  4. The log file tells me:

    [Mon May 28 14:47:34.419982 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied (no authenticated user yet)
    [Mon May 28 14:47:34.420067 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
    [Mon May 28 14:47:34.420140 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Mon May 28 14:47:34.420219 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(728): [client **.**.**.**:62762] AH01625: authorization result of <RequireAny>: granted (directive limited to other methods)
    [Mon May 28 14:47:34.420294 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied
    [Mon May 28 14:47:34.420384 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied
    [Mon May 28 14:47:34.420464 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied
    [Mon May 28 14:47:34.420537 2018] [authz_core:error] [pid 32245] [client **.**.**.**:62762] AH01631: user ROuser: authorization failure for "/puppet/puppet2/environments":
    [Mon May 28 14:47:34.420633 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require all granted: granted
    [Mon May 28 14:47:34.420713 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: granted
    

    So the AD authentication is working and Limit is doing its job (at least for the RW user), but there is probably something wrong with the Require directives.

1 answer:

Answer 0 (score: 0)

Since nobody has answered, I guess nobody is interested in the answer. I will answer it anyway:

The upper block is not the READ block but the WRITE block. The lower block is not the WRITE block but the READ block.

So I moved the Require ldap ... line for the RO user from the upper block to the lower block.

This is the block that is responsible for restricting the READ methods.

<Location /puppet/>
    AuthType basic
    AuthName "Subversion Puppet"
    AuthBasicProvider ldap

    AuthLDAPBindDN ldapbind@mydomain.de
    AuthLDAPBindPassword secretpassword
    AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
    AuthLDAPGroupAttributeIsDN off
    <RequireAll>
        <Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Write access
            <RequireAny>
                Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
            </RequireAny>
        </Limit>
        <LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Read access
            Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
            Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
        </LimitExcept>
    </RequireAll>

    DAV svn
    SVNParentPath /srv/svn/puppet
    SVNListParentPath on
</Location>
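The question's log and the answer both come down to how Apache 2.4 evaluates a `<RequireAll>` that wraps a `<Limit>` and a `<LimitExcept>`: a container whose method list does not cover the request method is "granted (directive limited to other methods)", so only the matching container's Require lines decide. The following Python model, added here as an illustration and not Apache code or anything from the original post, replays that evaluation for both the posted and the corrected configuration. The users, their group memberships, and the read-side method list (GET, OPTIONS, PROPFIND, REPORT, the methods an svn client issues for checkouts and updates) are constructed for the demo; the group DNs and the write-method list are copied from the page. It shows something the answer does not state: with the original placement, a member of RO-USERGROUP was denied every read method but would have been granted every write method.

```python
"""Offline model of authz_core's <Limit>/<LimitExcept> evaluation for the
Subversion configs on this page. Added example; not Apache source code and
not from the original question or answer."""

# Copied from the <Limit> list in the posted config: the "write" methods.
WRITE_METHODS = frozenset(
    "MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE".split()
)
# Assumed read-side methods an svn client sends; they fall into <LimitExcept>.
READ_METHODS = ("GET", "OPTIONS", "PROPFIND", "REPORT")

RO_GROUP = "CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
RW_GROUP = "CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"

# Constructed directory: user -> set of memberOf values AD would return.
DIRECTORY = {
    "ROuser": {RO_GROUP},
    "RWuser": {RW_GROUP},
    "nogroup": set(),
}


def require_ldap_attribute(user, value):
    """Require ldap-attribute memberOf="value": a direct-membership check only."""
    return value in DIRECTORY.get(user, set())


def limit_block(methods, groups, method, user):
    """<Limit methods> holding Require lines that are OR-ed (RequireAny).
    If the request method is not in the list, Apache grants the container
    outright ('directive limited to other methods')."""
    if method not in methods:
        return True
    return any(require_ldap_attribute(user, g) for g in groups)


def limit_except_block(methods, groups, method, user):
    """<LimitExcept methods>: the mirror image of limit_block."""
    if method in methods:
        return True
    return any(require_ldap_attribute(user, g) for g in groups)


def evaluate(config, method, user):
    """<RequireAll> over the two containers: both must grant."""
    limit_groups, except_groups = config
    return (limit_block(WRITE_METHODS, limit_groups, method, user)
            and limit_except_block(WRITE_METHODS, except_groups, method, user))


# As posted in the question: RO and RW on the <Limit> (write) side,
# RW only on the <LimitExcept> (read) side.
ORIGINAL = ((RO_GROUP, RW_GROUP), (RW_GROUP,))
# As corrected in the answer: RW only on writes, RO and RW on everything else.
CORRECTED = ((RW_GROUP,), (RW_GROUP, RO_GROUP))


def can_read(config, user):
    """True when every read-side method is granted to the user."""
    return all(evaluate(config, m, user) for m in READ_METHODS)


def can_write(config, user):
    """True when every write-side method is granted to the user."""
    return all(evaluate(config, m, user) for m in WRITE_METHODS)


def access_matrix(config):
    """{user: (can_read, can_write)} for every constructed user."""
    return {u: (can_read(config, u), can_write(config, u)) for u in DIRECTORY}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for user, (r, w) in access_matrix(cfg).items():
            print(f"{name:9} {user:8} read={r!s:5} write={w}")
```

Two caveats for anyone reusing the corrected config: `Require ldap-attribute memberOf=...` matches only the groups listed directly on the user object, so nested AD group membership will not grant access (mod_authnz_ldap's `Require ldap-group` with `AuthLDAPMaxSubGroupDepth` is the directive meant for that), and `AuthLDAPGroupAttributeIsDN` has no effect on `ldap-attribute` checks, only on `ldap-group`.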