
Debian and Apache2 nested group ldap support

Hi there,

I would like to ask an LDAP + Apache2 related question. I've been
dealing with this problem for the last couple of days, so here is the story.

I have to integrate the SVN repositories of my company with the
ActiveDirectory (w2k3). My configuration is the following:

- Testing Debian, updated to the latest available binaries, running
kernel Linux version 2.6.18-6-amd64 (Debian 2.6.18.dfsg.1-18etch6).

- The apache packages installed:

ii  apache2                         2.2.9-10              Apache HTTP Server metapackage
ii  apache2-mpm-worker              2.2.9-10              Apache HTTP Server - high speed threaded mod
ii  apache2-utils                   2.2.9-10              utility programs for webservers
ii  apache2.2-common                2.2.9-10              Apache HTTP Server common files
ii  libapache-authznetldap-perl     0.07-4                Apache-Perl module that enables to authorize
ii  libapache2-mod-perl2            2.0.4-4               Integration of perl with the Apache2 web ser
ii  libapache2-reload-perl          0.10-2                Reload Perl modules when changed on disk
ii  libapache2-svn                  1.5.1dfsg1-1          Subversion server modules for Apache

- The apache modules enabled:
lrwxrwxrwx 1 root root   28 2008-07-21 19:58 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root   28 2008-07-21 19:58 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root   33 2008-07-21 19:58 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root   33 2008-07-21 19:58 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root   34 2008-11-30 16:36 authnz_ldap.load -> ../mods-available/authnz_ldap.load
lrwxrwxrwx 1 root root   33 2008-11-30 16:58 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root   32 2008-07-21 19:58 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root   32 2008-07-21 19:58 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root   27 2008-07-21 19:58 cgid.conf -> ../mods-available/cgid.conf
lrwxrwxrwx 1 root root   27 2008-07-21 19:58 cgid.load -> ../mods-available/cgid.load
lrwxrwxrwx 1 root root   26 2008-07-21 20:05 dav.load -> ../mods-available/dav.load
lrwxrwxrwx 1 root root   30 2008-07-21 20:05 dav_svn.conf -> ../mods-available/dav_svn.conf
lrwxrwxrwx 1 root root   30 2008-07-21 20:05 dav_svn.load -> ../mods-available/dav_svn.load
lrwxrwxrwx 1 root root   30 2008-07-21 19:58 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root   30 2008-07-21 19:58 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root   26 2008-07-21 19:58 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root   26 2008-07-21 19:58 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root   26 2008-07-21 19:58 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root   27 2008-11-30 16:36 ldap.load -> ../mods-available/ldap.load
lrwxrwxrwx 1 root root   27 2008-07-21 19:58 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root   27 2008-07-21 19:58 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root   34 2008-07-21 19:58 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root   34 2008-07-21 19:58 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root   27 2008-11-30 16:32 perl.load -> ../mods-available/perl.load
lrwxrwxrwx 1 root root   31 2008-07-21 19:58 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root   31 2008-07-21 19:58 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root   26 2008-07-21 21:19 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 2008-07-21 21:19 ssl.load -> ../mods-available/ssl.load
lrwxrwxrwx 1 root root   29 2008-07-21 19:58 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root   29 2008-07-21 19:58 status.load -> ../mods-available/status.load

- The subversion packages installed:
ii  libapache2-svn                  1.5.1dfsg1-1          Subversion server modules for Apache
ii  libsvn1                         1.5.1dfsg1-1          Shared libraries used by Subversion

- The related part of my virtual host configuration:
        <Location />
            AuthBasicProvider ldap
            AuthName "L&M Subversion Server"
            AuthType Basic
            AuthzLDAPAuthoritative on

            AuthLDAPURL "ldap://192.168.1.100:389/OU=LMUsers,DC=lmsolutions,DC=hu?sAMAccountName?sub?(objectClass=*)"

            AuthLDAPBindDN "CN=SVN LDAP Query User,OU=ServAcc,OU=LMUsers,DC=lmsolutions,DC=hu"
            AuthLDAPBindPassword <somepassword>

            AuthLDAPGroupAttribute member
            AuthLDAPGroupAttributeIsDN on
#           AuthLDAPSubGroupClass group
#           AuthLDAPSubGroupAttribute member
#           AuthLDAPMaxSubGroupDepth 10

            require ldap-group CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu
        </Location>

---------------------------------------------
The communication and authorization basically work, except for one scenario.

When the above listed group (LMDevelopers) contains only people and no
further groups, everything works just perfectly.

Unfortunately I do have nested (sub) groups in my AD group hierarchy,
and would need to have access to the commented-out AuthLDAPSubGroupClass,
AuthLDAPSubGroupAttribute and AuthLDAPMaxSubGroupDepth options to
make authorization through these nested groups available.

If I try to use them, I get this error message when starting Apache:
"Syntax error on line 41 of /etc/apache2/sites-enabled/svn-https:
Invalid command 'AuthLDAPSubGroupClass', perhaps misspelled or defined
by a module not included in the server configuration  failed!"

The main Apache documentation states that these options are available
since version 2.1.
(http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_authnz_ldap.html)

Could you please help me out with what I'm missing, or how I can fix this problem?

Thanks,
Balázs
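An added example, not part of the original post: an offline simulation of the nested-group check that the commented-out AuthLDAPSubGroupClass / AuthLDAPSubGroupAttribute / AuthLDAPMaxSubGroupDepth directives describe, run against a constructed in-memory snapshot of the directory instead of a live LDAP server. The group DNs mirror the post's configuration; the user DNs, the LMBackend and LMDeep sub-groups, and the deliberate membership cycle are all constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed directory snapshot: DN -> attributes. Only the attributes the
# Apache directives look at are modelled (objectClass and member).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu": {
        "objectClass": ["group"],
        "member": [
            "CN=alice,OU=LMUsers,DC=lmsolutions,DC=hu",
            "CN=LMBackend,OU=LMGroups,DC=lmsolutions,DC=hu",  # nested group
        ],
    },
    "CN=LMBackend,OU=LMGroups,DC=lmsolutions,DC=hu": {
        "objectClass": ["group"],
        "member": [
            "CN=bob,OU=LMUsers,DC=lmsolutions,DC=hu",
            "CN=LMDeep,OU=LMGroups,DC=lmsolutions,DC=hu",       # depth 2
            "CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu",  # cycle
        ],
    },
    "CN=LMDeep,OU=LMGroups,DC=lmsolutions,DC=hu": {
        "objectClass": ["group"],
        "member": ["CN=carol,OU=LMUsers,DC=lmsolutions,DC=hu"],
    },
}


def is_member(user_dn: str, group_dn: str, group_attr: str = "member",
              subgroup_class: str = "group", max_depth: int = 10,
              directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> bool:
    """True if user_dn is a direct or nested member of group_dn.

    group_attr     ~ AuthLDAPGroupAttribute / AuthLDAPSubGroupAttribute
    subgroup_class ~ AuthLDAPSubGroupClass (only such members are descended)
    max_depth      ~ AuthLDAPMaxSubGroupDepth (0 = direct members only)
    Members are compared as full DNs (AuthLDAPGroupAttributeIsDN on);
    DNs are case-insensitive, so both sides are lower-cased.
    """
    wanted = user_dn.lower()
    seen: Set[str] = set()  # cycle guard: AD allows group A in B in A

    def walk(dn: str, depth: int) -> bool:
        if dn in seen:
            return False
        seen.add(dn)
        members = directory.get(dn, {}).get(group_attr, [])
        if any(m.lower() == wanted for m in members):
            return True
        if depth >= max_depth:
            return False  # do not descend further than the configured depth
        return any(walk(m, depth + 1) for m in members
                   if subgroup_class in directory.get(m, {}).get("objectClass", []))

    return walk(group_dn, 0)
```

With the snapshot above, alice passes at any depth, bob needs a depth of at least 1, carol needs 2, and an unknown user is rejected without looping on the LMDevelopers/LMBackend cycle.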

