设置 Apache 和 Subversion 以使用 LDAP(Windows Active Directory)组身份验证 [英] Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication

查看:32
本文介绍了设置 Apache 和 Subversion 以使用 LDAP(Windows Active Directory)组身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试为 Subversion 设置具有 LDAP 访问权限的 Apache httpd,需要一些帮助:

I am attempting to setup Apache httpd with LDAP access for Subversion, and need a bit of help:

我想做的是使用组进行访问.如果您是该组的成员,则您具有读/写访问权限.如果不是,则您无权访问.

What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.

我们 LDAP 服务器中的组记录 (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)

The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)

CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com

和组的成员在这个记录中是这样的:

and the members of the group are in this record like this:

member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM

如果您在 LDAP 中查找我的记录,您会看到:

If you look up my record in LDAP, you'll see:

memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub

我想要做的是使用我的 Windows 密码以 dweintraub(这是我的 Windows 帐户)身份登录.我也不想在登录时指定 Windows 域.每个人都将成为 mycompany 域的一部分.

What I'd like to do is to login as dweintraub (which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany domain.

我正在尝试浏览 Apache httpd 网站,但将所有内容放在一起有点困难.

I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.

这让我想起了,谁能推荐一本好的 Apache 书籍?

Which reminds me, can anyone recommend a good Apache book?

推荐答案

如果您使用的是 Apache 2.2,这实际上很容易.确保将 Apache 配置为同时启用 mod_ldap 和 mod_authnz_ldap.

If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

以下是 AD ldap 身份验证和授权所需的最低要求:

Here is the minimum needed for AD ldap authentication and authorization:

<Location /path/to/repo/>
    AuthType basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    Require ldap-group DN of group allowed access to repo
</Location>

对于 ldap-group,不要用引号将 DN 括起来.通过指定端口 3268,您将连接到全局编录.我发现这样做效果更好,因为 Apache 不会获得大量推荐.

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.

这篇关于设置 Apache 和 Subversion 以使用 LDAP(Windows Active Directory)组身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆