Title: Active Directory Authentication for Subversion - not working
Posted: 2018-11-07 03:00:01
Question:

I am trying to get my SVN running with Apache 2.4 and Active Directory. I don't want to use an AuthzSVNAccessFile; I only want to use AD and mod_authnz_ldap.

I found the following configuration on several websites:

<Location /puppet/>
    AuthType basic
    AuthName "Subversion Puppet"
    AuthBasicProvider ldap

    AuthLDAPBindDN ldapbind@mydomain.de
    AuthLDAPBindPassword secretpassword
    AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
    AuthLDAPGroupAttributeIsDN off
    <RequireAll>
        <Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Read access
            <RequireAny>
                Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
                Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
            </RequireAny>
        </Limit>
        <LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Write access
            Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
        </LimitExcept>
    </RequireAll>

    DAV svn
    SVNParentPath /srv/svn/puppet
    SVNListParentPath on
</Location>

Now I have the following situation:

  1. I can log in with the RW user.
  2. I cannot log in with the RO user.
  3. If I comment out the RW part, I can also log in with the RO user.

The log file tells me:

[Mon May 28 14:47:34.419982 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied (no authenticated user yet)
[Mon May 28 14:47:34.420067 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Mon May 28 14:47:34.420140 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon May 28 14:47:34.420219 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(728): [client **.**.**.**:62762] AH01625: authorization result of <RequireAny>: granted (directive limited to other methods)
[Mon May 28 14:47:34.420294 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied
[Mon May 28 14:47:34.420384 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied
[Mon May 28 14:47:34.420464 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied
[Mon May 28 14:47:34.420537 2018] [authz_core:error] [pid 32245] [client **.**.**.**:62762] AH01631: user ROuser: authorization failure for "/puppet/puppet2/environments":
[Mon May 28 14:47:34.420633 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require all granted: granted
[Mon May 28 14:47:34.420713 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: granted

So AD authentication is working and Limit is doing its job (at least for the RW user), but there is probably something wrong with the Require directives.

Tags: svn active-directory apache2.4


Answer 1:

    Since nobody answered, I guess nobody is interested in the answer. I'll answer anyway:

    The upper block is not the READ block, it is the WRITE block. The lower block is not the WRITE block but the READ block.

    So I moved the Require ldap... for the RO user from the upper block to the lower block.

    This is the block responsible for limiting the READ methods.

    <Location /puppet/>
        AuthType basic
        AuthName "Subversion Puppet"
        AuthBasicProvider ldap

        AuthLDAPBindDN ldapbind@mydomain.de
        AuthLDAPBindPassword secretpassword
        AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
        AuthLDAPGroupAttributeIsDN off
        <RequireAll>
            <Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
                # Write access
                <RequireAny>
                    Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
                </RequireAny>
            </Limit>
            <LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
                # Read access
                Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
                Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
            </LimitExcept>
        </RequireAll>

        DAV svn
        SVNParentPath /srv/svn/puppet
        SVNListParentPath on
    </Location>
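
Added example, not code from the question or the answer: a small Python model of how Apache 2.4 <Limit> and <LimitExcept> blocks select which Require directives apply to a request method, run over both configurations above. It reproduces why the RO user is denied under the first configuration (the read-side <LimitExcept> only accepts RW-USERGROUP, matching the "<RequireAll>: denied" lines in the question's log) and also shows that the first configuration, as written, would have accepted RO-USERGROUP for the write methods listed in <Limit>, so the mislabelled blocks inverted the intended privilege rather than merely blocking reads. Assumptions: the group DNs and the method list are copied from the page; the read-side methods (GET, PROPFIND) are constructed sample requests; several Require lines inside one block are treated as alternatives, which is how the answer intends them, and the trace wording follows the AH01625/AH01626 debug lines so it can be compared with a real error_log produced with LogLevel authz_core:debug.

```python
# Added example, not code from the question or the answer: a model of how
# Apache 2.4 <Limit>/<LimitExcept> blocks select which Require directives
# apply to a request method, applied to the two configurations above.

# The method list from the <Limit ...> directive on the page: the write-side
# WebDAV/DeltaV methods used by mod_dav_svn.
WRITE_METHODS = frozenset(
    "MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE".split()
)

# Group DNs from the page.
RW_GROUP = "CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
RO_GROUP = "CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"

# A config is the list of blocks inside <RequireAll>. scope "limit" is the
# <Limit ...> block (applies only to WRITE_METHODS); "limit_except" is the
# <LimitExcept ...> block (applies to every other method). The set holds the
# memberOf values the block's Require lines accept. ASSUMPTION: several
# Require lines inside one block are alternatives, as the answer intends.
ORIGINAL_CONFIG = [                                     # the question's config
    ("limit", frozenset({RO_GROUP, RW_GROUP})),         # labelled "# Read access"
    ("limit_except", frozenset({RW_GROUP})),            # labelled "# Write access"
]
FIXED_CONFIG = [                                        # the answer's config
    ("limit", frozenset({RW_GROUP})),                   # write methods: RW only
    ("limit_except", frozenset({RW_GROUP, RO_GROUP})),  # other methods: RW or RO
]


def block_applies(scope, method):
    """<Limit> covers the listed methods, <LimitExcept> covers all others."""
    is_write = method.upper() in WRITE_METHODS
    return is_write if scope == "limit" else not is_write


def authorize(config, method, member_of):
    """Evaluate the <RequireAll> container for one request.

    Returns (granted, trace). The trace wording follows the AH01625/AH01626
    debug lines in the question so it can be compared with a real error_log.
    """
    member_of = frozenset(member_of)
    trace = []
    granted = True
    for scope, groups in config:
        name = "<Limit>" if scope == "limit" else "<LimitExcept>"
        if not block_applies(scope, method):
            # mod_authz_core skips a block whose method list does not match.
            trace.append(f"{name}: granted (directive limited to other methods)")
            continue
        if groups & member_of:
            trace.append(f"{name}: granted")
        else:
            trace.append(f"{name}: denied")
            granted = False  # <RequireAll>: one denial denies the request
    trace.append(f"<RequireAll>: {'granted' if granted else 'denied'}")
    return granted, trace


def compare_configs(method, member_of):
    """(decision under the question's config, decision under the answer's config)."""
    return (authorize(ORIGINAL_CONFIG, method, member_of)[0],
            authorize(FIXED_CONFIG, method, member_of)[0])


if __name__ == "__main__":
    # Constructed sample requests: a checkout sends read-side methods such as
    # PROPFIND; a commit adds write-side methods such as PUT.
    for user, groups in (("ROuser", [RO_GROUP]), ("RWuser", [RW_GROUP])):
        for method in ("PROPFIND", "PUT"):
            before, after = compare_configs(method, groups)
            print(f"{user} {method}: original={'granted' if before else 'denied'},"
                  f" fixed={'granted' if after else 'denied'}")
        for line in authorize(ORIGINAL_CONFIG, "PROPFIND", groups)[1]:
            print("   ", line)
```

Each HTTP request is authorized on its own, and an SVN commit sends read-side requests (OPTIONS, PROPFIND) before any write method, so a user denied on the read side never reaches <Limit>; that is why the RO user could not even log in under the first configuration. Because this model does not reproduce every detail of how mod_authz_core merges Require directives, confirm the combination you deploy against the AH01626 lines in your own error_log, as the question did.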
    
