Thanks for this. Is there anything special you need to do when using ActiveDirectory? I had a terrible time (http://ask.metafilter.com/11397/ ) trying to do this a few years back.

Tom,
There is nothing special when using Active Directory as the service mod_auth_ldap is querying. Since the ldap url is a standard url with query string, it really comes down to understanding the ldap query capabilities to get exactly what you need. The url mentioned in the blog post is for Active Directory so you could take that and use it with minor modifications. One thing I have ran into when using Active Directory is the port number. The default port of 389 usually works properly as mentioned above but depending on your domain structure, you may need to search the Global Catalog that has a default port number of 3268. That is the only thing I've ran into recently with regard to Apache, mod_auth_ldap and Active Directory. I hope this helps.

Take care,

Jeremy

P.S. - The url you provided isn't working right now so I cannot address your previous issue. Feel free to create a forum post at the following Subversion forum so we can take care of you: http://subversion.open.collab.net/servlets/ForumMessageList?forumID=42

Although it doesn't relate directly to LDAP auth, it bears mentioning that one should use the AuthzSVNNoAuthWhenAnonymousAllowed setting to avoid an Authen query when read access is anonymous (* = r).

Was having problems with Apache/DAV/SVN not letting users authenticate. As mentioned in the above posts I had to authenticate against the Global Catalog and change the port to 3268.

Thanks for the info all.

Mmmm, not working for me...
I think I migh need links to documentation on how to customize
AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"
and
AuthLDAPURL "ldap://your.domain:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

for my particular environment... any hints? (I am just not sure whic parts of those "string" are "generic" and which parts are not...

I am using http://www.jxplorer.org/ to connect to my Active Directory (and learn stuff about it) and seems to be working... I used what I learned from JXExplorer to configure Ignite OpenFire with LDAP http://www.igniterealtime.org/ ... and it now it is working... I am failing to do it with Subversion...

Perhaps you can recommend me a How-To or book with a chapter on Subversion/LDAP integration?

Hi!
For example... someuser... should match the login... of... the Domain Administrator? or just a Domain user?
what should I put instead of "sAMAccountName"... (or should I leave that untouched?)
Any hints?

I figured I would share what I did to get SubVersion hooked up to my Microsoft AD server for authentication using mod_authz_ldap ( http://authzldap.othello.ch/index.html ) . It's not perfect but... I hope this helps. I probably could have gotten this up and running faster using mod_auth_ldap but authz is more flexible in some ways (and not in others). The two biggest problems I ran into were (1) that authz doesn't use the AuthLDAPURL variable. All of the other variables mentioned above only needed 'z' added to them to work. See their reference link for all vars and note numerous speling mistakes (like they list a scope as 'onlevel' when it is actually 'onelevel' - argh!). (2) Microsoft AD requires a user name and password to 'bind' to. I know this is in the example above but the way AD behaves doesn't make it clear why. I was able to get it to work without the bind name and password if my AuthzLDAPUserKey was set to = CN but I would have had to enter "David\, Stauffer" as my user name in the login dialog box instead of my actual login account name = "daves" (fyi - the \ escapes the comma). I was trying to get away from the bind because I didnt want to store a user name and password in plain text in my httpd.conf file. It turns out that MS requires the bind variable instead of using the input user name/password to bind. This is just plain stupid.

Here goes:
LoadModule dav_module /usr/lib64/httpd/modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_ldap_module modules/mod_authz_ldap.so

Location /repos
DAV svn
SVNParentPath /cm/svn/repos
# Disables Path Checking
SVNPathAuthz off
# Display available Repos
SVNListParentPath on

# LDAP Authentication & Authorization is final; do not check other databases
# I was paranoid that if i set this on it would impact some other authentication
# used for another app. When everything is setup for AD auth
# this can probably be changed to on
AuthzLDAPAuthoritative off

AuthType Basic
AuthName "Subversion Repository"
# LDAP Server to bind to
AuthzLDAPServer "our.svn.server:389"

# the search scope
AuthzLDAPMethod ldap

# Bind to AD User: needs to bind to a user to search. It appears any user will do.
# Without this a subtree search will not work
# Thanks to the user who pointed out http://www.jxplorer.org/ I used this to figure out what the CN of my account was!!!
AuthzLDAPBindDN "CN=user\, name,OU=office,OU=Users,DC=ourdc,DC=org"
AuthzLDAPBindPassword "password"

# Search for this attribute: the sAMAccountName is what contains the AD login name
AuthzLDAPUserKey sAMAccountName

# User Base: this is where the search will start. Really it should be changed to a
# group search to see if a user is in a valid group. in this case only users
# in this office AD OU will be able to access subversion
AuthzLDAPUserBase "OU=office,OU=Users,DC=ourdc,DC=org"

# Set the search scope: subtree allows the search to go to AD levels below the base. I used subtree because we have a hierarchy (its not flat). base or onelevel may work for you and would be faster
AuthzLDAPUserScope subtree

Require valid-user
/Location

Hi All,
You can find the complete package of active directory subversion and apache on http://opensourcedevelopment.net/text-tutorials/apache-subversion-active-directory.html
So, you don't need to compile apache, subversion. This is the complete package with document.
Regards

I should have been a little clearer in my earlier comment. Jeremy's method of connecting works perfectly fine. I posted mine as an alternative based on two issues I was having. One I wanted to do Authorization via an AD group. Right now svn is limited to using an authorization file. In a large enterprise I want to be able to do both Authentication AND authorization via AD and not have to go around editing text files every time a new user wants access to a repository. Hopefully the next release of svn will add this functionality. The other thing this method does is get rid a an svn 'nuisance' where attempting to browse the /repos parent path generates a page cannot be displayed error. Posts on other sites recommend a workaround of changing the Location directive to Location /repos/ but you have to remember to add the trailing / when you use the url. The point here is that Jeremy's description works well if you don't mind having to maintain an authorization file and it uses a pretty standard apache module. The alternative uses a non-standard apache module and can cause a little confusion so I apologize if I wasn't clear in my earlier post. I think the biggest problem people have is connecting/binding/searching AD so I would highly recommend you look at jxplorer or some other LDAP browser. If you are having problems binding to the AD using this tool it probably explains why you can't get the configuration to work. Depending on how your windows guys setup AD that AuthLDAPBindDN could be pretty long. Assuming the bind was sucessful and port number correct the only thing you need to change about the AuthLDAPURL is the "DC=your,DC=domain". The sAMAccountName is one of many available AD fields associated with your record. You probably want to browse to your record and verify what information is stored in that field and if you need to use something different. As i mentioned earlier our CN's are "firstname, lastname" so the bind was tricky because you had to use firstname,\ lastname to escape out the comma but the sAMAccountName was FirstInitialFirstX#LettersOfLastName. Thats why you should browse AD first to see what values you should be binding with versus entering into the username/password dialog when you browse to the repos.

Michel,
Thanks for making this information public knowledge. On a side-note, the offerings from CollabNet [1] also include Apache with LDAP and SSL functionality.

Take care,

Jeremy

[1] http://downloads.open.collab.net

Hi All,
Everyone is facing the problem of integration of apache/Subversion with Active directory. I found the document with complete package and it takes only 5-10 mins to install. You can also use the same and if any problem, Logon to http://forum.opensourcedevelopment.net, It is really very good.
Path is:- http://opensourcedevelopment.net/text-tutorials/apache-subversion-active-directory.html
Regards
Mike

Thanks Mike, for link it is working for me

I have been looking for an answer to a problem for a while.
I filter on samaccountname
the dn contains cn="lastname\, firstname",...

Some users can bind with their password and others can't.

I have noticed that the ones that have different first names in samaccountname and cn aren't working.
example
john.smith samaccountname
smith\, Johnathan CN
won't authenticate

But
david.smith samaccountname
smith\, david CN
authenticates correctly

anyway suggestions on how to handle this issue.
Thanks,
David

David,
Can you take this offline in our support forums? It would be great to know more about this issue. In the forum post, can you provide the following:

AuthLDAPURL from the Apache configuration file
The exact scenario where it works, including username used and LDAP CN
The exact scenario where it fails, including usernamd used and LDAP CN

Just in case you cannot find the forums, here is the one most applicable:

http://subversion.open.collab.net/servlets/ForumMessageList?forumID=42

Take care,

Jeremy

Is there anyway to get bind Active Directory with Apache without having the AuthLDAPBindPassword stored in cleartext in the httpd.conf because this seems as if it could result in some security issues.

Anthony, yes there is a different way. You can use Winbind to join a corporate AD, which PAM can make use of, which in turn enables you to use "AuthPAM_Enabled" in your dav_svn.conf.

Well, I'm not using a Linux machine to set this up. And mostly what I'm seeing is that Winbind is a tool on Linux machines to help integrate Linux machines into Windows environments. If you could point me in the right direction with a link...that'd be great.

I've googling for the ability to avoid the initial search phase in mod_authz_ldap and simply bind to the ldap directory with information supplied by the user through the basic-auth credentials.

I would have assumed this to be the preferred method of authenticating a user, in terms of performance (1 stage of connection, auth, and search removed) and obviously security, but all articles I've found, like the above, require either an anonymously available directory or credentials (and clear text at that) embedded in the config?

This strikes me as rather peculiar, so I'm assuming I've missed something blatantly obvious that everyone else seems to know?

Would someone help a poor man out and enlighten me.

Thanks. :-)

Hey Guys,
our Dev team is moving to subversion, and I'm doin the ldap auth.
The configuration on top nearly works for me, but:
on entering the correct username and password, nothing happens. the popup with password request appears again. Apache2 logfile sais nothing, and AD logfile sais: User access granted.
On typing a false password, apache log sais: user denied.
So I assume, that the Apache config works well, or not?
Any ideas?
Thanks.

Here i installed both apache and subversion. also i create some users by htpasswd command. but the problem is here all users are able to access all repository but i want limitation on access...

suppose i create one repository like "ProjectOne" and i have to give access of this repository to only user "rock" than what i have to do. pls help me.

Anil, the access privileges for anonymous users are set in the conf directory inside your repository directory
Search for the line

anon-access = read

and change for

anon-access = none

I think it's the simplest way. Somebody knows another form to make this?

I'm just trying this out, and the Apache config appears ok, unfortunately, it never authenticates me, but does allow read and write to the repository :-(

Any ideas about how to debug this?

Paul

Paul,

Paste your directive. It sounds like you are missing "Require valid-user"

Mark

this article is not for people who use apache 2.2 httpd
because of the update for mod_auth_ldap (changed to mod_authz_ldap in apache2.2)
http://httpd.apache.org/docs/2.2/new_features_2_2.html#module

so in the dav_svn.conf file it should've been this

#AuthzLDAPAuthoritative off

and NOT (notice the Z)

#AuthLDAPAuthoritative off

it has to be OFF for apache 2.2

here is some other lines in dav_svn.conf, i have edited

#AuthLDAPURL "ldap://192.168.1.1:389/OU=People,DC=google,DC=com?uid?sub?(objectClass=*)"
#AuthBasicProvider ldap

finally got mine to work
after about 6 hours of work
i hope this will save other people's time

Hi Jeremy,
The implementation of the ldap autenticated is not functional.

Marcio,
Yes, I know. It was originally published when we were still suggesting Subversion use Apache 2.0.x. When Apache 2.2.x was released, there were changes to things like the LDAP stuff that cause the configuration above to no lnoger work. A little reading of the Apache documentation should help translate this 2.0.x stuff to 2.2.x. Maybe I should just come out with an updated blog entry with both 2.0.x and 2.2.x outlined...

Take care,

Jeremy

P.S. - Further discussion of this topic should be done in the Subversion Server forum on subversion.open.collab.net. (http://subversion.open.collab.net/ds/viewForumSummary.do?dsForumId=3)

With Collabnet SVB 1.5 it crashes: Aplicación con errores: httpd.exe, versión: 2.2.8.0, módulo con error: wldap32.dll, versión 5.1.2600.2180, dirección de error 0x00006d07.

Any hints?