Hellu!
Lately I’ve been working on securing some web-accessible resources, especially Subversion access to repositories through the Apache web server. One aspect we found very difficult was securing Subversion access through our Apache server when we had an Active Directory server to authenticate against (I know..).
Apache has some directives such as “Require valid-user”, which signals that a user has to be authenticated against some authentication provider. In most cases this is provided by a standard “.htaccess” and “.htpasswd” combination. For small projects, this may be a workable approach. However, in a large-scale organization where you want dynamic handling of users and their access, using groups to reflect the users’ access to resources may be a better solution.
For one of our projects, we wanted all LDAP (AD) users to have read access, while members of certain groups have read and write access. We solved this with the following Apache config:
```apache
<Location /wicked_project>
    DAV svn
    SVNParentPath /var/svn/wicked_project

    # Let other authorization modules decide if the LDAP check does not grant access
    AuthzLDAPAuthoritative off
    AuthType basic
    AuthBasicProvider ldap
    AuthName "Need to authenticate here"

    # Account used to bind to AD for the user search (stored here in clear text)
    AuthLDAPBindDN "ldap_user@domain.net"
    AuthLDAPBindPassword secretPassword
    # Look up the user by sAMAccountName anywhere below the base DN
    AuthLDAPURL "ldap://ad.domain.net/dc=domain,dc=net?sAMAccountName?sub?(objectClass=*)"

    # Read access: any authenticated LDAP (AD) user
    <Limit GET PROPFIND OPTIONS CHECKOUT>
        Require valid-user
    </Limit>

    # Write access: members of either group (boolean OR)
    <Limit REPORT MKACTIVITY PROPPATCH PUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
        Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET) \
            (memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)
    </Limit>
</Location>
```
Another LDAP directive which can work if you only need one group to have read and write access is the “ldap-group” directive. However, in our case we needed multiple groups, which is not supported by the “ldap-group” directive.
To solve this problem we used “ldap-filter” with multiple group filters inside the same filter, joined with the boolean OR. I don’t know if there are any more elegant ways of achieving the same result, but this solved our problems.
Having a second look at this “ldap-filter” directive, I see that it has a significant strength in terms of flexibility. However, one aspect I have not considered is the performance of this approach. Without looking in depth into the mod_ldap Apache module, I can guess that for each filter inside the ldap-filter directive, it has to make a query to the LDAP (AD) server to retrieve the wanted resource. So, for each group filter inside the ldap-filter, you need a call. In our approach, we need two LDAP queries. As you may now see, the more groups to filter, the more LDAP queries, hence the performance will degrade the more complex the ldap-filter is.
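The `<Limit>` sections in the configuration above apply their `Require` lines only to the methods they name, so it is worth checking which methods fall outside both sections. The following sketch is an added example, not part of the original post: it re-types the two sections inline (with the filter joined onto one line), and the extra method names in the probe list are constructed sample input.

```python
import re

# The two <Limit> sections from the post's configuration (filter on one line).
CONFIG = """
<Limit GET PROPFIND OPTIONS CHECKOUT>
    Require valid-user
</Limit>
<Limit REPORT MKACTIVITY PROPPATCH PUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
    Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET)(memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)
</Limit>
"""

# "\s+" after "Limit" keeps this from matching <LimitExcept ...> sections.
LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S | re.I)


def parse_limits(config):
    """Map each HTTP method named in a <Limit> section to its Require lines."""
    rules = {}
    for methods, body in LIMIT_RE.findall(config):
        requires = [ln.strip() for ln in body.splitlines()
                    if ln.strip().lower().startswith("require ")]
        for method in methods.split():
            rules.setdefault(method.upper(), []).extend(requires)
    return rules


def requirement_for(method, rules):
    """Return the Require lines that apply to a method, or [] if none do."""
    method = method.upper()
    if method == "HEAD":  # Apache: restricting GET also restricts HEAD
        method = "GET"
    return rules.get(method, [])


def unguarded(methods, rules):
    """Methods outside every <Limit> section, so no Require line applies."""
    return [m for m in methods if not requirement_for(m, rules)]


# Constructed probe list: methods from the post plus two that are not listed
# in either section (POST and MKWORKSPACE are sample input, not from the post).
PROBE = ["GET", "HEAD", "PROPFIND", "REPORT", "PUT", "DELETE", "MERGE",
         "PROPPATCH", "POST", "MKWORKSPACE"]

if __name__ == "__main__":
    rules = parse_limits(CONFIG)
    for m in PROBE:
        print(f"{m:12} {requirement_for(m, rules) or 'no Require applies'}")
    print("outside every <Limit>:", unguarded(PROBE, rules))
```

Apache's documentation recommends `<LimitExcept>` over `<Limit>` when restricting access, because a `<LimitExcept>` section also covers methods that are not listed.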
