  1. #1
    apache + AD and require ldap-group


    Hi All,

    First off, here's my conf:

    Code:
    <IfModule mod_authz_ldap.c>
    <VirtualHost *:80>
        ServerName svn.mydomain.com
        ServerAlias svn svn.hq subversion

        SetOutputFilter DEFLATE

        DocumentRoot /var/www/svn/
        ErrorLog logs/error_log

        <Location "/svn">
            #AuthBasicProvider ldap
            AuthType Basic
            AuthzLDAPAuthoritative off
            AuthName "Domain User Required:"
            AuthLDAPURL "ldap://dc.mydomain.com:389/OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
            AuthLDAPBindDN "CN=ldap,OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com"
            AuthLDAPBindPassword gljaslkjasldkjasdlkj

            require valid-user

            <LimitExcept GET POST>
                require ldap-group CN=HW SVN,DC=dc,DC=mydomain,DC=com
            </LimitExcept>
        </Location>
    </VirtualHost>
    </IfModule>
    As far as AD is concerned, I have the user "ldap" located under IT-Accounts > Special Accounts.

    I also have another OU named IT-Groups, which has another OU named Special Security Groups.

    Under Special Security Groups, I have CN HW SVN. Under HW SVN I have the users listed.

    The users are part of IT-Accounts, so CN=USER, etc. My goal is to provide HTTP access to only CN=FW SVN, CN=HW SVN, etc.

    However, the problem is that when I set up ldap-group and enter CN=HW SVN, any user that isn't part of this group is still able to log in, despite the fact that the user isn't part of that group.

    Suggestions?
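An added example, not the poster's configuration: how the `<Location>` block is usually written for Apache 2.2 mod_authnz_ldap when access must be limited to the members of specific AD groups. In the posted config, `require valid-user` sits at Location level, so any account that authenticates is admitted for GET and POST, and the group check only applies to other methods; `AuthzLDAPAuthoritative off` additionally lets a failed group check fall through to other authorization modules. The full group DNs below are assumed from the OU layout described in the post (HW SVN under IT-Groups > Special Security Groups), and the FW SVN group is placed alongside it as an assumption.

```apache
<Location "/svn">
    AuthType Basic
    AuthName "Domain User Required:"
    # Explicitly select the LDAP provider (it is commented out in the posted config).
    AuthBasicProvider ldap

    # Authentication: look the user up by sAMAccountName below IT-Accounts.
    # Note: a simple bind over ldap:// sends the bind password in the clear; ldaps:// is preferable.
    AuthLDAPURL "ldap://dc.mydomain.com:389/OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap,OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com"
    AuthLDAPBindPassword BIND-PASSWORD-PLACEHOLDER

    # Authorization: a failed group check is final, not handed to another authz module (2.2 directive).
    AuthzLDAPAuthoritative on

    # AD stores group membership in the group object's "member" attribute as full user DNs.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # No "require valid-user" at this level: it would admit every authenticated account.
    # Each "require ldap-group" takes the full DN of the group object (assumed DNs);
    # multiple require lines are OR'ed, so members of either group are allowed.
    require ldap-group CN=HW SVN,OU=Special Security Groups,OU=IT-Groups,DC=dc,DC=mydomain,DC=com
    require ldap-group CN=FW SVN,OU=Special Security Groups,OU=IT-Groups,DC=dc,DC=mydomain,DC=com
</Location>
```

To verify, authenticate as an account outside both groups and confirm a 401 is returned and that error_log records the failed ldap-group check; nested group membership is not evaluated by the 2.2 module, so users must be direct members.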

  2. #2
    jledhead (Linux Engineer)
    What if you change the line in your config to this:
    Code:
    AuthLDAPURL "ldap://dc.mydomain.com:389/OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
    That way the base starts with Special Accounts; anything above that will be restricted.
