Я пытаюсь запустить SVN с Apache 2.4 и Active Directory.Я не хочу использовать AuthzSVNAccessFile, я просто хочу использовать AD и mod_authnz_ldap.
Я нашел следующую конфигурацию на нескольких веб-сайтах:
<Location /puppet/>
AuthType basic
AuthName "Subversion Puppet"
AuthBasicProvider ldap
AuthLDAPBindDN ldapbind@mydomain.de
AuthLDAPBindPassword secretpassword
AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
AuthLDAPGroupAttributeIsDN off
<RequireAll>
<Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
# Read access
<RequireAny>
Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
</RequireAny>
</Limit>
<LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
# Write access
Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
</LimitExcept>
</RequireAll>
DAV svn
SVNParentPath /srv/svn/puppet
SVNListParentPath on
СейчасУ меня следующая ситуация:
- Я могу войти в систему с пользователем RW.
- Я не могу войти в систему с пользователем RO.
- Если я комментируюRW Part, я также могу войти в систему с пользователем RO.
Logfile сообщает мне следующее:
[Mon May 28 14:47:34.419982 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied (no authenticated user yet)
[Mon May 28 14:47:34.420067 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Mon May 28 14:47:34.420140 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon May 28 14:47:34.420219 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(728): [client **.**.**.**:62762] AH01625: authorization result of <RequireAny>: granted (directive limited to other methods)
[Mon May 28 14:47:34.420294 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied
[Mon May 28 14:47:34.420384 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied
[Mon May 28 14:47:34.420464 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied
[Mon May 28 14:47:34.420537 2018] [authz_core:error] [pid 32245] [client **.**.**.**:62762] AH01631: user ROuser: authorization failure for "/puppet/puppet2/environments":
[Mon May 28 14:47:34.420633 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require all granted: granted
[Mon May 28 14:47:34.420713 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: granted
Итак, аутентификация AD работает, Limit работаетхорошая работа (по крайней мере, для пользователя RW), но может быть что-то не так с директивой Require.