Svn: Active Directory authentication for Subversion - not working
I am trying to run my SVN with Apache 2.4 and Active Directory. I don't want to use AuthzSVNAccessFile; I only want to use AD and mod_authnz_ldap. I found the following configuration on several websites:
<Location /puppet/>
AuthType basic
AuthName "Subversion Puppet"
AuthBasicProvider ldap
AuthLDAPBindDN ldapbind@mydomain.de
AuthLDAPBindPassword secretpassword
AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
AuthLDAPGroupAttributeIsDN off
<RequireAll>
<Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
# Read access
<RequireAny>
Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
</RequireAny>
</Limit>
<LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
# Write access
Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
</LimitExcept>
</RequireAll>
DAV svn
SVNParentPath /srv/svn/puppet
SVNListParentPath on
</Location>
Now I have the following situation:
[Mon May 28 14:47:34.419982 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied (no authenticated user yet)
[Mon May 28 14:47:34.420067 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Mon May 28 14:47:34.420140 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon May 28 14:47:34.420219 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(728): [client **.**.**.**:62762] AH01625: authorization result of <RequireAny>: granted (directive limited to other methods)
[Mon May 28 14:47:34.420294 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require ldap-attribute memberOf="ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE": denied
[Mon May 28 14:47:34.420384 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAll>: denied
[Mon May 28 14:47:34.420464 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: denied
[Mon May 28 14:47:34.420537 2018] [authz_core:error] [pid 32245] [client **.**.**.**:62762] AH01631: user ROuser: authorization failure for "/puppet/puppet2/environments":
[Mon May 28 14:47:34.420633 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of Require all granted: granted
[Mon May 28 14:47:34.420713 2018] [authz_core:debug] [pid 32245] mod_authz_core.c(809): [client **.**.**.**:62762] AH01626: authorization result of <RequireAny>: granted
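So the AD authentication works and the Limit does its job well (at least for the RW user), but there may be something wrong with the Require directive.

Since nobody answered, I guess nobody is interested in the answer. Anyway, I am going to answer this:
The upper block is not the read block, it is the write block.
The lower block is not the write block, it is the read block.
So I moved the ldap... RO user from the upper block to the lower block. That is the block responsible for limiting the read methods.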
<Location /puppet/>
AuthType basic
AuthName "Subversion Puppet"
AuthBasicProvider ldap
AuthLDAPBindDN ldapbind@mydomain.de
AuthLDAPBindPassword secretpassword
AuthLDAPURL "ldaps://ldap01.mydomain.de:3269 ldap02.mydomain.de:3269/?sAMAccountName?sub"
AuthLDAPGroupAttributeIsDN off
<RequireAll>
<Limit MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
# Write access
<RequireAny>
Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
</RequireAny>
</Limit>
<LimitExcept MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
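# Read access: membership in either group is sufficient.
# Sibling Require lines directly under <RequireAll> would all have to match.
<RequireAny>
Require ldap-attribute memberOf="CN=RW-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
Require ldap-attribute memberOf="CN=RO-USERGROUP,OU=Subversion,OU=Groups,DC=MYDOMAIN,DC=DE"
</RequireAny>
</LimitExcept>
</RequireAll>
DAV svn
SVNParentPath /srv/svn/puppet
SVNListParentPath on
</Location>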
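Added example, not part of the original post and not Apache source code: a small Python model of the evaluation visible in the debug log above, where a directive limited to other methods counts as granted inside `<RequireAll>`. `RO` and `RW` stand for the two AD groups; the user `RWuser` and the sample methods PROPFIND (read) and MERGE (write) are assumptions. It goes one step beyond the post by also showing that read alternatives left as bare siblings under `<RequireAll>` are ANDed.

```python
# Added example: simplified model (an assumption, not Apache source code) of how
# method-scoped Require directives combine inside <RequireAll>.
WRITE = {"MKACTIVITY", "PROPPATCH", "PUT", "CHECKOUT", "MKCOL", "MOVE",
         "COPY", "DELETE", "LOCK", "UNLOCK", "MERGE"}  # method list from the page

def group(name):            # Require ldap-attribute memberOf=<group>
    return ("group", name)
def any_of(*children):      # <RequireAny>
    return ("any", children)
def all_of(*children):      # <RequireAll>
    return ("all", children)
def limit(node):            # <Limit WRITE...>: applies to the listed methods only
    return ("scoped", lambda m: m in WRITE, node)
def limit_except(node):     # <LimitExcept WRITE...>: applies to every other method
    return ("scoped", lambda m: m not in WRITE, node)

def evaluate(node, method, groups, parent="all"):
    """Return True (granted), False (denied) or None (neutral, ignored)."""
    kind = node[0]
    if kind == "scoped":
        _, applies, inner = node
        if not applies(method):
            # Logged as "granted (directive limited to other methods)".
            return True if parent == "all" else None
        return evaluate(inner, method, groups, parent)
    if kind == "group":
        return node[1] in groups
    results = [evaluate(c, method, groups, kind) for c in node[1]]
    results = [r for r in results if r is not None]
    return any(results) if kind == "any" else bool(results) and all(results)

def access(policy):
    """Map (user, method) -> decision for one read and one write method."""
    users = {"ROuser": {"RO"}, "RWuser": {"RW"}}   # constructed sample users
    return {(u, m): evaluate(policy, m, g)
            for u, g in users.items() for m in ("PROPFIND", "MERGE")}

# Layout from the question: both groups under <Limit>, RW only under <LimitExcept>.
QUESTION = all_of(limit(any_of(group("RO"), group("RW"))),
                  limit_except(group("RW")))
# Corrected layout: RW for write methods, either group for everything else.
FIXED = all_of(limit(any_of(group("RW"))),
               limit_except(any_of(group("RW"), group("RO"))))
# Same rules, but the two read alternatives left as bare siblings of <RequireAll>.
BARE = all_of(limit(group("RW")),
              limit_except(group("RW")), limit_except(group("RO")))

if __name__ == "__main__":
    for name, policy in (("question", QUESTION), ("fixed", FIXED), ("bare", BARE)):
        print(name, access(policy))
```

In the question's layout the read-only user is denied reads, as in the log, and is also allowed write methods, which is the more serious side of the swapped blocks.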