Lately I’ve been working on securing some web accessible resource, especially Subversion access to repositories through the Apache webserver. One aspect we found very difficult was to secure subversion access through our apache server, when we had a Active Directory server to authenticate against (I know..).

Apache have some directives such as “Require valid-user” which signals that a user has to be authenticated against some authentication provider. This is in most cases a standard “.htaccess” and “.htpasswd” combination which provides this. For small projects, this may be a working approach. However, in a large-scale organization where you want a dynamic handling of users and their access, then using groups to reflect the users access to resources may be a better working solution.

For one of our projects, we wanted all LDAP (AD) users to have read access, while members of certain groups have read and write access. We solved this with the following Apache config:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

<Location /wicked_project>
   DAV svn
   SVNParentPath /var/svn/wicked_project
   AuthzLDAPAuthoritative off
   AuthType basic
   AuthBasicProvider ldap
   AuthName "Need to authenticate here"
   AuthLDAPBindDN "ldap_user@domain.net"
   AuthLDAPBindPassword secretPassword
   AuthLDAPURL "ldap://ad.domain.net/dc=domain,dc=net?sAMAccountName?sub?(objectClass=*)"
 
   <Limit GET PROPFIND OPTIONS CHECKOUT>
      Require valid-user
   </Limit>
   <Limit REPORT MKACTIVITY PROPPATCH PUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
   Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET) \
                (memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)
   </Limit>
</Location>

Another LDAP directive which can work if you only need one group to have read and write access is the “ldap-group” directive. However, in our case we needed multiple groups, which is not supported by the “ldap-group” directive.

To solve this problem we used “ldap-filter” with multiple group filters inside the same filter, and divide them with the boolean OR. I don’t know if there are any more elegant ways of achieving the same result, but this solved our problems.

Having a second look at this “ldap-fiter” directive, I see that it have a significant strength in terms of flexibility. However, one aspect I have not considered is the performance of this approach. Without looking in-depth into the mod_ldap apache module, I can guess that for each filter inside the ldap-filter directive, it have to make a query to the LDAP (AD) server to retrieve the wanted resource. So, for each group filter inside the ldap-filter, you need a call. In our approach, we need two LDAP queries. As you now may see, the more groups to filter, the more LDAP queries, hence the performance will degrade the more complex the ldap-filter is.

Jeg tenkte å ta for meg et voksende problem innen utveksling av dokumenter rundt omkring i Norge (og resten av verdenen). Etter at MS Office 2007 kom ut, og med det innførte et nytt filformat (docx, pptx, xlsx, ..), så har folk som tidligere har benyttet MS Office 2003/XP (og eldre) ikke vært istand til å lese dokumentene lagret i disse formatene. Enda verre er det for de som benytter OpenOffice (et gratis verktøy av tilsvarende funksjonalitet som MS Office).

Så, problemet ligger i at MS Office 2007 lagrer som default alle dokumenter i disse nye formatene. Og som kjent så tenker ikke folk flest over dette, og derfor vil mesteparten av produserte dokumenter bli lagret i slike obskure formater. Det skal nevnes at formatet er svært lik OOXML (dog oppfyller den ikke helt spesifikasjonene). Uansett, dette innebærer problemer for folk som benytter andre tilsvarende programmer.

Jeg har selv erfart å få e-post med slike dokumenter, da jeg konsekvent svarer at formatet er ukjent for meg og at de enten skal lagre i det (gamle) “doc” formatet eller ODT (OpenDocument format for tekstbehandling), eventuelt PDF. Sistnevnte byr på problemer dersom du er avhengig av å redigere dokumentet dog.

Hovedpoenget er at folk må slutte å benytte formater som er svært dårlig utbredt, da de innsnevrer mulighetene for andre å lese dokumentene. Inntil det faktisk er mulig for andre enn MS Office å lese og skrive i de respektive formatene, så anbefales det sterkt å unngå dem.