Subversion LDAP config Apache 2 vs Apache 2.2

on 26.11.2007 21:21:36 by Mike van Lammeren

Hello!

I just spent about 6 hours solving a configuration problem under
Apache 2.2 and wanted to record the solution for the benefit of the
hive mind.

This is the error I saw in my Apache log:
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Here's a bit of config from my working setup using Apache 2 under
Ubuntu dapper, talking to a Microsoft Active Directory, to
authenticate Subversion users.

---
# Apache 2 Config
LDAPTrustedCA /etc/apache2/ssl/ldap-cert/example.p7b
LDAPTrustedCAType BASE64_FILE


SSLEngine On
SSLCertificateFile /etc/apache2/ssl/host.cert
SSLCertificateKeyFile /etc/apache2/ssl/host.key


DAV svn
SVNPath /var/lib/svn/myrepo

SSLRequireSSL

# Basic Authentication (secured by accessing via https/ssl)
AuthType Basic
AuthName "SVN Repo"
AuthLDAPAuthoritative On

AuthLDAPURL "ldaps://ldap.example.com:636/OU=myGroups,DC=example,DC=com?sAMAccountName"
AuthLDAPBindDN "CN=ldap_user,OU=myGroups,DC=example,DC=com"
AuthLDAPBindPassword ldap_password


---


A number of changes were made between Apache 2 and Apache 2.2 that
affected this config:

1. LDAPTrustedCA and LDAPTrustedCAType were merged into
LDAPTrustedGlobalCert.
2. BASE64_FILE turns into CA_BASE64.
3. Instead of AuthLDAPAuthoritative, use AuthBasicProvider.
4. For the location directives, (not shown in my examples,) the
"require group" parameters turn into "Require ldap-group".
5. Finally, the part that had me stumped for hours, you must set
LDAPVerifyServerCert to off!

Here is the config for Apache 2.2:

---
# Apache 2.2 Config
LDAPVerifyServerCert Off
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/ldap-cert/example.p7b


SSLEngine On
SSLCertificateFile /etc/apache2/ssl/host.cert
SSLCertificateKeyFile /etc/apache2/ssl/host.key


DAV svn
SVNPath /var/lib/svn/myrepo

SSLRequireSSL

# Basic Authentication (secured by accessing via https/ssl)
AuthType Basic
AuthName "SVN Repo"
AuthBasicProvider ldap

AuthLDAPURL "ldaps://ldap.example.com:636/OU=myGroups,DC=example,DC=com?sAMAccountName"
AuthLDAPBindDN "CN=ldap_user,OU=myGroups,DC=example,DC=com"
AuthLDAPBindPassword ldap_password



---

I hope this saves someone some time!
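
Added example, not part of the original post and not Apache's own tooling: a small Python check that flags the Apache 2.0 directives the post lists as renamed, and reports LDAPVerifyServerCert Off, because with that setting mod_ldap no longer validates the LDAP server's certificate. The sample configs are constructed from the post's directive lines; the `require group` value and the function name `audit` are assumptions.

```python
# Apache 2.0 -> 2.2 renames, taken from the list in the post above.
RENAMED = {
    "ldaptrustedca": "LDAPTrustedGlobalCert",
    "ldaptrustedcatype": "LDAPTrustedGlobalCert CA_BASE64 <file>",
    "authldapauthoritative": "AuthBasicProvider ldap",
}

def audit(conf_text):
    """Return (line_no, severity, message) findings for an Apache config."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        key, low = name.lower(), arg.lower()  # directive names are case-insensitive
        if key in RENAMED:
            findings.append((no, "migrate", f"{name}: use {RENAMED[key]}"))
        elif key == "require" and low.split()[:1] == ["group"]:
            findings.append((no, "migrate", "require group: use Require ldap-group"))
        elif key == "ldapverifyservercert" and low == "off":
            findings.append((no, "high", "LDAP server certificate is not verified; "
                             "the ldaps:// bind can be intercepted"))
        elif key == "ldaptrustedglobalcert" and low.endswith(".p7b"):
            findings.append((no, "check", "CA_BASE64 means a PEM-encoded CA "
                             "certificate; confirm the .p7b file is in that form"))
    return findings

# Constructed samples built from the directive lines in the post;
# the "require group" line is an assumed example value.
APACHE_20 = """\
LDAPTrustedCA /etc/apache2/ssl/ldap-cert/example.p7b
LDAPTrustedCAType BASE64_FILE
AuthLDAPAuthoritative On
require group CN=devs,OU=myGroups,DC=example,DC=com
"""
APACHE_22 = """\
# Apache 2.2 Config
LDAPVerifyServerCert Off
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/ldap-cert/example.p7b
AuthBasicProvider ldap
"""

if __name__ == "__main__":
    for label, conf in (("2.0", APACHE_20), ("2.2", APACHE_22)):
        for no, sev, msg in audit(conf):
            print(f"[{label}] line {no} {sev}: {msg}")
```

The `.p7b` finding is a filename heuristic only; it does not inspect the file's contents.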

Re: Subversion LDAP config Apache 2 vs Apache 2.2

on 27.11.2007 01:31:16 by shimmyshack

On Nov 26, 8:21 pm, Mike van Lammeren wrote:
> Hello!
>
> I just spent about 6 hours solving a configuration problem under
> Apache 2.2 and wanted to record the solution for the benefit of the
> hive mind.
>
> This is the error I saw in my Apache log:
> [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> Here's a bit of config from my working setup using Apache 2 under
> Ubuntu dapper, talking to a Microsoft Active Directory, to
> authenticate Subversion users.
>
> ---
> # Apache 2 Config
> LDAPTrustedCA /etc/apache2/ssl/ldap-cert/example.p7b
> LDAPTrustedCAType BASE64_FILE
>
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/host.cert
> SSLCertificateKeyFile /etc/apache2/ssl/host.key
>
>
> DAV svn
> SVNPath /var/lib/svn/myrepo
>
> SSLRequireSSL
>
> # Basic Authentication (secured by accessing via https/ssl)
> AuthType Basic
> AuthName "SVN Repo"
> AuthLDAPAuthoritative On
>
> AuthLDAPURL "ldaps://ldap.example.com:636/OU=myGroups,DC=example,DC=com?sAMAccountName"
> AuthLDAPBindDN "CN=ldap_user,OU=myGroups,DC=example,DC=com"
> AuthLDAPBindPassword ldap_password
>
>
> ---
>
> A number of changes were made between Apache 2 and Apache 2.2 that
> affected this config:
>
> 1. LDAPTrustedCA and LDAPTrustedCAType were merged into
> LDAPTrustedGlobalCert.
> 2. BASE64_FILE turns into CA_BASE64.
> 3. Instead of AuthLDAPAuthoritative, use AuthBasicProvider.
> 4. For the location directives, (not shown in my examples,) the
> "require group" parameters turn into "Require ldap-group".
> 5. Finally, the part that had me stumped for hours, you must set
> LDAPVerifyServerCert to off!
>
> Here is the config for Apache 2.2:
>
> ---
> # Apache 2.2 Config
> LDAPVerifyServerCert Off
> LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/ldap-cert/example.p7b
>
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/host.cert
> SSLCertificateKeyFile /etc/apache2/ssl/host.key
>
>
> DAV svn
> SVNPath /var/lib/svn/myrepo
>
> SSLRequireSSL
>
> # Basic Authentication (secured by accessing via https/ssl)
> AuthType Basic
> AuthName "SVN Repo"
> AuthBasicProvider ldap
>
> AuthLDAPURL "ldaps://ldap.example.com:636/OU=myGroups,DC=example,DC=com?sAMAccountName"
> AuthLDAPBindDN "CN=ldap_user,OU=myGroups,DC=example,DC=com"
> AuthLDAPBindPassword ldap_password
>
>
>
> ---
>
> I hope this saves someone some time!

Thank you. I will try it at work soonish.