Svn Active Directory authentication for Subversion - not working


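I am trying to run my SVN with Apache 2.4 and Active Directory. I do not want to use the AuthzSVNAccessFile; I only want to use AD and mod_authnz_ldap.

I found the following configuration on several websites: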

<Location /puppet/>
    AuthType basic
    AuthName "Subversion Puppet"
    AuthBasicProvider ldap

    AuthLDAPBindDN ldapbind@mydomain.de
    AuthLDAPBindPassword secretpassword
    AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
    AuthLDAPGroupAttributeIsDN off
    <RequireAll>
        <Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Read access
         <RequireAny>
           Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
           Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
         </RequireAny>
        </Limit>
        <LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
           # Write access
           Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
        </LimitExcept>
    </RequireAll>

    DAV svn
    SVNParentPath /srv/svn/puppet
    SVNListParentPath on
</Location>


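Now I have the following situation:

  • I can log in with the RW user
  • I cannot log in with the RO user
  • If I comment out the RW part, I can also log in with the RO user
  • The log file tells me: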

    [Mon May 28 14:47:34.419982 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied (no authenticated user yet)
    [Mon May 28 14:47:34.420067 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
    [Mon May 28 14:47:34.420140 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Mon May 28 14:47:34.420219 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(728): [client **.**.**.**:62762] AH01625: authorization result of <RequireAny>: granted (directive limited to other methods)
    [Mon May 28 14:47:34.420294 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied
    [Mon May 28 14:47:34.420384 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied
    [Mon May 28 14:47:34.420464 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied
    [Mon May 28 14:47:34.420537 2018] [authz_core:error] [pid 32245] [client **.**.**.**:62762] AH01631: user ROuser: authorization failure for "/puppet/puppet2/environments":
    [Mon May 28 14:47:34.420633 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require all granted: granted
    [Mon May 28 14:47:34.420713 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: granted
    

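So the AD authentication works, and the Limit does its job (at least for the RW user), but there may be something wrong with the Require directives.

Since nobody answered, I guess nobody is interested in the answer. Anyway, I will answer the question myself:

The upper block is not the read block but the write block. The lower block is not the write block but the read block.

So I moved the ldap... of the RO user from the upper block to the lower block.

That is the block responsible for restricting the read methods.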

    <Location /puppet/>
    AuthType basic
    AuthName "Subversion Puppet"
    AuthBasicProvider ldap
    
    AuthLDAPBindDN ldapbind@mydomain.de
    AuthLDAPBindPassword secretpassword
    AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
    AuthLDAPGroupAttributeIsDN off
    <RequireAll>
        <Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            # Write access
         <RequireAny>
           Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
         </RequireAny>
        </Limit>
        <LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
           # Read access: membership in either group is enough. The enclosing
           # <RequireAll> would AND bare Require lines, so group them in <RequireAny>.
           <RequireAny>
             Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
             Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
           </RequireAny>
        </LimitExcept>
    </RequireAll>
    
    DAV svn
    SVNParentPath /srv/svn/puppet
    SVNListParentPath on
    </Location>
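
The effect of the swapped blocks can be checked with a small model of how mod_authz_core combines Require lines tagged by `<Limit>` and `<LimitExcept>`. This is an added example, not code from the original post or from Apache: the tree encoding and the names `QUESTION`, `CORRECTED`, `evaluate` and `allowed` are assumptions, and `CORRECTED` assumes the two read-side Require lines are grouped under `<RequireAny>`.

```python
# Simplified model of mod_authz_core evaluation (added example; the
# "no authenticated user yet" state is left out).
WRITE_METHODS = frozenset(
    "MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE".split())
RW, RO = "RW-USERGROUP", "RO-USERGROUP"
IN_LIMIT = ("limit", WRITE_METHODS)    # <Limit ...>: applies to the listed methods
IN_EXCEPT = ("except", WRITE_METHODS)  # <LimitExcept ...>: applies to all other methods

def in_scope(limit, method):
    if limit is None:
        return True
    kind, methods = limit
    return (method in methods) == (kind == "limit")

def evaluate(node, method, groups, parent_op="any"):
    """Return True (granted), False (denied) or None (neutral)."""
    op, limit, body = node
    if not in_scope(limit, method):
        # Logged as "granted (directive limited to other methods)" under RequireAll
        return True if parent_op == "all" else None
    if op == "group":
        return body in groups
    result = None
    for child in body:
        verdict = evaluate(child, method, groups, op)
        if verdict is None:
            continue
        if (op == "all" and verdict is False) or (op == "any" and verdict is True):
            return verdict
        if result is None:
            result = verdict
    return result

def allowed(config, method, groups):
    return evaluate(config, method, groups) is True

# Constructed trees mirroring the two <Location> blocks on this page.
QUESTION = ("all", None, [
    ("any", IN_LIMIT, [("group", IN_LIMIT, RO), ("group", IN_LIMIT, RW)]),
    ("group", IN_EXCEPT, RW)])
CORRECTED = ("all", None, [
    ("any", IN_LIMIT, [("group", IN_LIMIT, RW)]),
    ("any", IN_EXCEPT, [("group", IN_EXCEPT, RW), ("group", IN_EXCEPT, RO)])])

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("corrected", CORRECTED)):
        for method in ("GET", "PUT"):
            print(name, method, "RO-only user allowed:", allowed(cfg, method, {RO}))
```

Under the question's configuration the model denies an RO-only member a GET, matching the AH01631 line in the log, while granting the same user a PUT; the corrected tree reverses both results.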
    
    