About C#/.NET programming, BlogEngine usage, and Software testing
Posts tagged ldap
How do you implement group nesting in Active Directory?
Apr 16th
Using LDAP for Apache Authentication
Apr 14th
This method authenticates using Apache 2.0/2.2 and the LDAP authentication modules on Linux (supplied by default with most Linux distros) and an LDAP server. LDAP can be used to authenticate user accounts on Linux and other computer systems as well as web site logins.
Also see YoLinux TUTORIAL: LDAP system authentication.
Try this out with your Apache server authenticating to our open LDAP server using our Three Stooges example.
Authorization Options – AuthzSVNAccessFile for Subversion with Apache and LDAP
Apr 9th
At this point, you’ve configured authentication, but not authorization. Apache is able to challenge clients and confirm identities, but it has not been told how to allow or restrict access to the clients bearing those identities. This section describes two strategies for controlling access to your repositories.
The simplest form of access control is to authorize certain users for either read-only access to a repository, or read/write access to a repository.
You can restrict access on all repository operations by adding the Require valid-user directive to your <Location> block:
<Location /svn>
  DAV svn
  SVNParentPath /usr/local/svn
  # how to authenticate a user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/users/file
  # only authenticated users may access the repository
  Require valid-user
</Location>
Sometimes you don’t need to run such a tight ship. For example, Subversion’s own source code repository at http://svn.collab.net/repos/svn allows anyone in the world to perform read-only repository tasks (like checking out working copies and browsing the repository with a web browser), but restricts all write operations to authenticated users. To do this type of selective restriction, you can use the Limit and LimitExcept configuration directives. Like the Location directive, these blocks have starting and ending tags, and you would nest them inside your <Location> block.
The parameters present on the Limit and LimitExcept directives are the HTTP request methods affected by that block. For example, if you wanted to disallow all access to your repository except the currently supported read-only operations, you would use the LimitExcept directive, passing the GET, PROPFIND, OPTIONS, and REPORT request methods. Then the previously mentioned Require valid-user directive would be placed inside the <LimitExcept> block rather than directly inside the <Location> block. Because LimitExcept covers every method not in its list, the write methods Subversion clients use (MKACTIVITY, PUT, MERGE and so on) stay protected without having to be enumerated:
<Location /svn>
  DAV svn
  SVNParentPath /usr/local/svn
  # how to authenticate a user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/users/file
  # For any operations other than these, require an authenticated user.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>
These are only a few simple examples. For more in-depth information about Apache access control and the Require directive, take a look at the Security section of the Apache documentation’s tutorials collection at http://httpd.apache.org/docs-2.0/misc/tutorials.html.
It’s possible to set up finer-grained permissions using a second Apache httpd module, mod_authz_svn. This module grabs the various opaque URLs passing from client to server, asks mod_dav_svn to decode them, and then possibly vetoes requests based on access policies defined in a configuration file.
If you’ve built Subversion from source code, mod_authz_svn is automatically built and installed alongside mod_dav_svn. Many binary distributions install it automatically as well. To verify that it’s installed correctly, make sure it comes right after mod_dav_svn's LoadModule directive in httpd.conf:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
To activate this module, you need to configure your Location block to use the AuthzSVNAccessFile directive, which specifies a file containing the permissions policy for paths within your repositories. (In a moment, we’ll discuss the format of that file.)
Apache is flexible, so you have the option to configure your block in one of three general patterns. To begin, choose one of these basic configuration patterns. (The examples below are very simple; look at Apache’s own documentation for much more detail on Apache authentication and authorization options.)
The simplest block is to allow open access to everyone. In this scenario, Apache never sends authentication challenges, so all users are treated as “anonymous”.
Apache and Subversion authentication with Microsoft Active Directory
Apr 8th
Last updated on 2009-02-16@22:43. The company I work for had finally realized the benefits of a decent source code versioning system so after a short evaluation they settled on Subversion. To make user management easier they also wanted to use Microsoft Active Directory, so I set off on a quest to make Apache talk to our Active Directory 2003 server for authentication. Before I explain to you how I set this all up on Debian Etch I have to get something off my chest first. Sensitive people may want to skip the next paragraph.
Microsoft Active Directory is a bit-rotten crock that should have never seen the light of day. After two full days of waving dead chickens at it, trying to make any sense of its irrational behavior, I would love nothing more than to pick it up and throw it off the roof of our building, BOFH style, aiming it at the PHB that bought it in the first place. Or its programmer. Whoever passes by first. Its API only vaguely resembles LDAP after at least three bottles of whiskey or one Pan Galactic Gargle Blaster and squinting really, really hard. Fortunately our management has seen the light of day after this little misadventure and in a few months we’re migrating to Open-Xchange.
Right. That’s settled. Back to making it work, because we need Subversion before we have migrated to Open-Xchange. Let’s start off by installing the software we need: apache2, subversion and libapache2-svn. Make sure the required modules are enabled: each entry in /etc/apache2/mods-enabled is a symlink to the matching file in /etc/apache2/mods-available (a2enmod creates these for you). Here are the relevant files:
$ ls -al /etc/apache2/mods-enabled
alias.load -> ../mods-available/alias.load
auth_basic.load -> ../mods-available/auth_basic.load
authnz_ldap.load -> /etc/apache2/mods-available/authnz_ldap.load
authz_default.load -> ../mods-available/authz_default.load
authz_user.load -> ../mods-available/authz_user.load
dav.load -> ../mods-available/dav.load
dav_svn.conf -> ../mods-available/dav_svn.conf
dav_svn.load -> ../mods-available/dav_svn.load
ldap.load -> ../mods-available/ldap.load
Apache2 on Debian Etch ships with mod_authnz_ldap instead of mod_auth_ldap, so if most of the online tutorials for LDAP authentication did not work for you, that’s why: mod_authnz_ldap uses slightly different directives. I am going to implement things in a way that makes it easy to test your configuration at each step. First we get Active Directory authentication working, then we look at Subversion.
Active Directory authentication
Start off by creating a directory where later on you will host Subversion repositories and create a basic Apache configuration for it. For ease of testing make sure that you can view directory indexes. I chose to put my repositories under /var/lib/svn and I will use a virtual server for it. Create a new configuration file /etc/apache2/sites-available/svn and symlink it from /etc/apache2/sites-enabled/.
Update: you should not point your DocumentRoot at the directory that contains all your repositories. If you do, Apache cannot tell whether it should serve a path itself or hand it over to the Subversion module. That is why in these examples the DocumentRoot points to /var/lib/svn/htdocs.
NameVirtualHost *
<VirtualHost *>
Subversion with Apache and LDAP: Updated
Apr 7th
My previous blog entry discussing Subversion, Apache and LDAP is nearing two years old. It was written when Apache 2.0.x was still mainstream; since Apache 2.2.x was released, changes in the LDAP modules and their configuration directives have left that entry very confusing for anyone wanting to use Apache 2.2.x. The purpose of this Definitive Guide is to provide a single place that covers both Apache 2.0.x and 2.2.x, while also going into more depth about things to consider when building your Apache-based Subversion server with LDAP for authentication.
The Configuration
For those of you that just want to get to the point, where you can copy and paste and move on, here you go:
Example Apache 2.2.x Configuration Snippet
# Load Apache LDAP modules
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# Load Subversion Apache modules. Apache does not allow a comment after a
# directive on the same line; on Windows use the full path to
# SUBVERSION_HOME/bin/mod_dav_svn.so and SUBVERSION_HOME/bin/mod_authz_svn.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# Work around authz and SVNListParentPath issue
RedirectMatch ^(/repos)$ $1/
# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
<Location /repos>
  # Enable Subversion
  DAV svn
  # Directory containing all repositories for this path
  SVNParentPath /subversion/svn-repos
  # List the repositories collection
  SVNListParentPath On
  # Enable WebDAV automatic versioning
  SVNAutoversioning On
  # Repository display name
  SVNReposName "Your Subversion Repository"
  # Do basic password authentication in the clear (the password is only
  # base64-encoded on the wire, so serve this location over HTTPS)
  AuthType Basic
  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"
  # Make LDAP the authentication provider
  AuthBasicProvider ldap
  # Make the LDAP authorization decision final
  AuthzLDAPAuthoritative on
  # Active Directory requires an authenticating DN to access records
  AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"
  # This is the password for the AuthLDAPBindDN user in Active Directory.
  # It sits in plaintext in httpd.conf: restrict the file's permissions and
  # use a least-privilege, read-only directory account
  AuthLDAPBindPassword ldappassword
  # The LDAP query URL
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
  # Require a valid user
  Require valid-user
  # Authorization file
  AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>
Example Apache 2.0.x Configuration Snippet
# Load Apache LDAP modules
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
# Load Subversion Apache modules. Apache does not allow a comment after a
# directive on the same line; on Windows use the full path to
# SUBVERSION_HOME/bin/mod_dav_svn.so and SUBVERSION_HOME/bin/mod_authz_svn.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# Work around authz and SVNListParentPath issue
RedirectMatch ^(/repos)$ $1/
# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
<Location /repos>
  # Enable Subversion
  DAV svn
  # Directory containing all repositories for this path
  SVNParentPath /subversion/svn-repos
  # List the repositories collection
  SVNListParentPath On
  # Enable WebDAV automatic versioning
  SVNAutoversioning On
  # Repository display name
  SVNReposName "Your Subversion Repository"
  # Make the LDAP authentication decision final
  AuthLDAPAuthoritative on
  # Do basic password authentication in the clear (the password is only
  # base64-encoded on the wire, so serve this location over HTTPS)
  AuthType Basic
  # The name of the protected area or "realm"
  AuthName "Your Subversion Repository"
  # Active Directory requires an authenticating DN to access records
  AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=your,DC=domain"
  # This is the password for the AuthLDAPBindDN user in Active Directory.
  # It sits in plaintext in httpd.conf: restrict the file's permissions and
  # use a least-privilege, read-only directory account
  AuthLDAPBindPassword ldappassword
  # The LDAP query URL
  AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
  # Require authentication
  Require valid-user
  # Authorization file
  AuthzSVNAccessFile /subversion/apache2/auth/repos.acl
</Location>
(The configurations above point at an Active Directory (AD) server; for another directory the bind DN, username attribute and filter will differ, as discussed below.)
Understanding the Configuration
So… the above Apache configurations are what I personally use when building an Apache-based server. Obviously there are changes that need to be made depending on the environment, but it’s a great start. To make the best of this opportunity, let’s talk about the miscellaneous parts of the configuration.
SVNListParentPath and Subversion’s authz
One of the first problems people run into when building an Apache-based Subversion server is when they want mod_dav_svn to serve a list of repositories. Everything works fine until they enable Subversion’s authorization (authz) support: the server is configured and secured properly, but when you go to the repository collection list, which in our case is http://localhost/repos, you are forbidden to view the collection even if you have access. The reason is that, once authz is enabled, the collection URL must end in a trailing slash. The RedirectMatch near the top of the configuration fixes this by redirecting a request for the collection without the trailing slash to the same URL with it. Problem solved.
Custom Subversion Logging
Subversion uses Apache’s WebDAV support for providing access to its repositories when using Apache. Unfortunately, when you look at Apache’s access logs to try and see your Subversion usage, you end up with a lot of WebDAV communication being logged and you only see a portion of the actual client/server communication. This is because mod_dav_svn uses Apache subrequests and Apache does not log subrequests. Even if it did, turning the Subversion communication in the Apache access log into something meaningful would be nearly impossible. That being said, the configuration above uses one of Subversion’s features, its own high-level Apache logging: mod_dav_svn exports the operation it performed in the SVN-ACTION environment variable, and the CustomLog line writes the timestamp (%t), the authenticated user (%u) and that action to logs/svn_logfile for exactly those requests that carry it (env=SVN-ACTION). That takes the guesswork out.
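To show what that log buys you, here is a small parser for the lines the CustomLog format above produces, added for this page and not part of the original post or of Subversion. It summarises actions per user and flags repository writes attributed to no authenticated user ("-"), which a correctly configured "Require valid-user" server should never produce. The sample log lines are constructed for the example; the action words (commit, get-dir, update and so on) follow mod_dav_svn's logging vocabulary, and which of them count as writes is this example's own assumption.

```python
"""Summarise Subversion's high-level Apache log and flag anonymous writes.

Added example, not code from the original post. Input lines are in the
format "%t %u %{SVN-ACTION}e": an Apache timestamp, the authenticated user
("-" when none) and mod_dav_svn's high-level action string.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of what logs/svn_logfile might contain.
SAMPLE_LOG = """\
[16/Feb/2009:22:43:01 +0100] jdoe checkout-or-export /trunk r41 depth=infinity
[16/Feb/2009:22:44:10 +0100] jdoe commit r42
[16/Feb/2009:22:45:00 +0100] - get-dir /trunk r42 text
[16/Feb/2009:22:46:30 +0100] - commit r43
[16/Feb/2009:22:47:00 +0100] alice update /trunk r43 send-copyfrom-args
[16/Feb/2009:22:48:12 +0100] alice lock /trunk/build.xml
""".splitlines()

# Actions treated as repository writes (assumption for this example). Under
# "Require valid-user" none of these can come from user "-"; if one does, a
# LimitExcept method list or the authz file is letting writes through.
WRITE_ACTIONS = {"commit", "lock", "unlock", "change-rev-prop"}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<action>\S+)(?: (?P<rest>.*))?$"
)
REV_RE = re.compile(r"\br(\d+)\b")


@dataclass(frozen=True)
class SvnLogEntry:
    when: datetime
    user: str
    action: str
    detail: str
    revision: Optional[int]

    @property
    def anonymous(self) -> bool:
        return self.user == "-"

    @property
    def is_write(self) -> bool:
        return self.action in WRITE_ACTIONS


def parse_line(line: str) -> Optional[SvnLogEntry]:
    """Parse one log line; None for lines not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest") or ""
    rev = REV_RE.search(rest)
    return SvnLogEntry(
        when=datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        user=m.group("user"),
        action=m.group("action"),
        detail=rest,
        revision=int(rev.group(1)) if rev else None,
    )


def parse_log(lines) -> List[SvnLogEntry]:
    return [e for e in map(parse_line, lines) if e is not None]


def actions_per_user(lines) -> Dict[str, Counter]:
    """Who did what: the per-user view an access review wants."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in parse_log(lines):
        counts[e.user][e.action] += 1
    return dict(counts)


def anonymous_writes(lines) -> List[SvnLogEntry]:
    """Writes with no authenticated user: impossible on a correctly
    configured server, so each one deserves an alert."""
    return [e for e in parse_log(lines) if e.anonymous and e.is_write]


if __name__ == "__main__":
    for user, counter in actions_per_user(SAMPLE_LOG).items():
        print(user, dict(counter))
    for e in anonymous_writes(SAMPLE_LOG):
        print("ALERT: anonymous", e.action, e.detail, "at", e.when.isoformat())
```

Run against the real logs/svn_logfile, anonymous_writes is the check to wire into whatever alerting you have; actions_per_user is useful when reviewing who still commits after an Active Directory account should have been disabled.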
Subversion Configuration
The other Subversion-specific parts of the Apache configuration are pretty self-explanatory. To summarize what is enabled with the above:
- SVNListParentPath: Enables browsing the location root to get a list of the repositories being served under that URL base
- SVNAutoversioning: Enables WebDAV clients to change repository contents without using a Subversion client (every such write becomes a commit)
- SVNParentPath: Enables serving any number of repositories under the URL base, one per subdirectory of the given path
- SVNReposName: Lets you put in your own text to be shown in the web browser when browsing your repository contents via the built-in repository browser provided by mod_dav_svn
- AuthzSVNAccessFile: Tells Subversion’s mod_authz_svn module where to find the authz file
For more details about the Subversion-specific Apache directives, and a list of even more ways you can configure your Apache-based Subversion server, view the mod_dav_svn and the mod_authz_svn documentation.
LDAP Configuration
The LDAP portion of the Apache configuration is where most people run into problems. That being said, we’ll spend a little more time explaining the Apache LDAP configuration. The most important thing to note is the subtle differences between Apache 2.0.x and Apache 2.2.x:
Apache 2.0.x            | Apache 2.2.x
------------------------+------------------------
AuthLDAPAuthoritative   | AuthzLDAPAuthoritative
AuthLDAPBindDN          | AuthLDAPBindDN
AuthLDAPBindPassword    | AuthLDAPBindPassword
AuthLDAPURL             | AuthLDAPURL
(none)                  | AuthBasicProvider
You should note that the Apache LDAP module names have also changed between Apache 2.0.x and 2.2.x (mod_auth_ldap became mod_authnz_ldap, and the LoadModule lines differ accordingly). Now that we see the naming changes, let’s talk about how to properly use these Apache directives to get the LDAP-based authentication you’re looking for. (I will be using the Apache 2.2.x names for the Apache directives. If you’re still using Apache 2.0.x, please refer to the table above for how to take my documentation and apply it to Apache 2.0.x.)
- AuthzLDAPAuthoritative: Tells Apache whether a request that mod_authnz_ldap could not authorize may be passed on to other authorization modules (on means the LDAP decision is final)
- AuthLDAPBindDN: The distinguished name of the account Apache uses to connect to the directory and search for the user being authenticated
- AuthLDAPBindPassword: The password for the account configured via the AuthLDAPBindDN directive
- AuthLDAPURL: A URL that says where the directory server is, where to look for users, which attribute holds the login name, and other details expressed in LDAP URL syntax (more on this later)
- AuthBasicProvider: Tells Apache which authentication provider to use for Basic authentication
All of the directives above are pretty straightforward except for AuthLDAPURL, which we will discuss in more detail below. For any other Apache configuration questions, please refer to the Apache documentation for your respective Apache version.
The LDAP Query URL
For most, the AuthLDAPURL directive is the most challenging to understand. There is good reason for this: that one directive actually consists of 6+ pieces of information that will be different for each Subversion server. Let’s break our example AuthLDAPURL into its pieces and discuss the importance, and nuances, of each.
For simplicity, here is the URL again, in its entirety: ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)
- URL scheme: [ldap] This is nothing more than a URL scheme. It will be either ‘ldap’ or ‘ldaps’, the latter when you use SSL to reach your directory server (with plain ldap the bind password and every user password Apache verifies cross the network unencrypted).
- Hostname: [your.domain] This is the IP address or hostname of your directory server.
- Port: [389] This is the port the directory server is listening on (389 for ldap, 636 for ldaps by default).
- Search base: [DC=your,DC=domain] This is the distinguished name of the point in the directory tree below which you want to search for users.
- Username attribute: [sAMAccountName] This is the attribute that contains the login name being used.
- Query scope: [sub] This tells the directory server how deep to search: one for the immediate children of the search base, sub for the whole subtree below it (Apache’s default).
- Filter: [(objectClass=*)] This tells the directory server to return only objects matching the filter; Apache combines it with the username attribute, so the actual search is for objects matching both.
For more details on constructing an LDAP URL, which is a standard and not specific to Apache, see RFC 2255 (since superseded by RFC 4516).
Working with Active Directory
Active Directory is a multi-master directory: a single domain controller does not necessarily hold everything needed to answer every request, in particular anything about users outside its own domain. The best way to handle this is to have Apache query a Global Catalog, which can search the whole forest for users. So if your users span more than one domain, point to a Global Catalog and update your Apache configuration accordingly: a Global Catalog listens on port 3268 (and 3269 for LDAP over SSL) rather than 389.
Searching for Users
In the example URL above, the sAMAccountName attribute is used to identify the username. This attribute is Windows/Active Directory specific, so for those of you using OpenLDAP or another directory, that attribute probably will not exist; change it accordingly. OpenLDAP deployments commonly use uid, and if you wanted to log in with the Common Name you could specify CN as the attribute. Whatever you choose, the attribute must be unique below the search base: mod_authnz_ldap refuses a login when the search returns more than one entry.
LDAP Query Tuning
The last thing we will talk about is using a filter to make your LDAP query more specific. In the example URL above we used (objectClass=*), which matches every object. If you know you only want a particular object type, such as user accounts, you could use (objectClass=user) instead. Be aware that in Active Directory computer accounts are also of objectClass user, so (&(objectCategory=person)(objectClass=user)) is the usual way to limit the search to people.
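The following script, added for this page and not code from the original post or from Apache, takes the AuthLDAPURL apart into the pieces described above, builds the search filter Apache actually sends for a given login name, and lints the URL for the Active Directory points just discussed (plain ldap, Global Catalog port, over-broad filter). The defaults it applies for omitted parts (uid, sub, (objectclass=*)) are the ones mod_authnz_ldap documents; the "(&(filter)(attribute=login))" combination and the RFC 4515 escaping mirror how the module looks a user up. The hostname gc.your.domain in the hardened URL is an assumption.

```python
"""Dissect an Apache AuthLDAPURL, build the per-login filter, lint it.

Added example, not code from the original post or from Apache. URL grammar
per RFC 2255/4516; defaults, filter combination and escaping follow
mod_authnz_ldap's documented behaviour.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# mod_authnz_ldap accepts only one-level and subtree searches; the "base"
# scope is valid LDAP URL syntax but is rejected by the module.
SUPPORTED_SCOPES = ("one", "sub")

# The URL from the post, and a hardened variant (gc.your.domain is assumed).
POST_URL = "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"
HARDENED_URL = ("ldaps://gc.your.domain:3269/DC=your,DC=domain?sAMAccountName?sub?"
                "(&(objectCategory=person)(objectClass=user))")


@dataclass(frozen=True)
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split the URL into its pieces, applying Apache's defaults for any
    omitted part (attribute uid, scope sub, filter (objectclass=*))."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing directory server host")
    # Everything after the first "?" lands in .query; the LDAP URL grammar
    # separates attribute, scope, filter and extensions with further "?"s.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute = unquote(fields[0]) or "uid"
    scope = unquote(fields[1]) or "sub"
    if scope not in SUPPORTED_SCOPES:
        raise ValueError("scope %r not supported by mod_authnz_ldap" % scope)
    return AuthLdapUrl(
        scheme=parts.scheme,
        host=parts.hostname,
        port=parts.port or DEFAULT_PORTS[parts.scheme],
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute,
        scope=scope,
        filter=unquote(fields[2]) or "(objectclass=*)",
    )


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_user_filter(url: AuthLdapUrl, login: str) -> str:
    """The search filter Apache issues for a Basic-auth login name."""
    return "(&%s(%s=%s))" % (url.filter, url.attribute, escape_filter_value(login))


def lint_auth_ldap_url(url: AuthLdapUrl) -> List[str]:
    """Checks worth running before the URL goes into httpd.conf."""
    findings = []
    if url.scheme == "ldap":
        findings.append("plain ldap://: the bind DN password and every user "
                        "password Apache verifies cross the wire unencrypted; "
                        "use ldaps:// (or LDAPTrustedMode TLS)")
    if url.attribute.lower() == "samaccountname":  # Active Directory
        if url.port not in (3268, 3269):
            findings.append("port %d reaches a single domain; use the Global "
                            "Catalog on 3268 (3269 for SSL) for forest-wide "
                            "lookups" % url.port)
        if "objectcategory=person" not in url.filter.lower():
            findings.append("filter %s is not limited to people: computer and "
                            "other accounts with a sAMAccountName can log in; "
                            "use (&(objectCategory=person)(objectClass=user))"
                            % url.filter)
    return findings


if __name__ == "__main__":
    for candidate in (POST_URL, HARDENED_URL):
        parsed = parse_auth_ldap_url(candidate)
        print(parsed)
        print("  search for jdoe:", build_user_filter(parsed, "jdoe"))
        for finding in lint_auth_ldap_url(parsed):
            print("  WARNING:", finding)
```

Running it on the post's own URL yields three warnings; the hardened URL yields none. The escaping test below shows why the module escapes the login name: without it, a login of "*)(cn=*" would turn the search into a wildcard match.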
Conclusion
Building an Apache-based Subversion server with LDAP as the authentication mechanism can be daunting for some. I hope this has made things easier for you.
Copied from: http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html
Subversion LDAP Authentication with Apache
Apr 7th
More and more companies are using directory services for housing their user credentials and information.