设置 Apache 和 Subversion 以使用 LDAP(Windows Active Directory)组身份验证 [英] Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication
问题描述
我正在尝试为 Subversion 设置具有 LDAP 访问权限的 Apache httpd,需要一些帮助:
I am attempting to setup Apache httpd with LDAP access for Subversion, and need a bit of help:
我想做的是使用组进行访问.如果您是该组的成员,则您具有读/写访问权限.如果不是,则您无权访问.
What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.
我们 LDAP 服务器中的组记录 (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)
The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)
CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
和组的成员在这个记录中是这样的:
and the members of the group are in this record like this:
member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM
如果您在 LDAP 中查找我的记录,您会看到:
If you look up my record in LDAP, you'll see:
memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub
我想要做的是使用我的 Windows 密码以 dweintraub
(这是我的 Windows 帐户)身份登录.我也不想在登录时指定 Windows 域.每个人都将成为 mycompany
域的一部分.
What I'd like to do is to login as dweintraub
(which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany
domain.
我正在尝试浏览 Apache httpd 网站,但将所有内容放在一起有点困难.
I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.
这让我想起了,谁能推荐一本好的 Apache 书籍?
Which reminds me, can anyone recommend a good Apache book?
推荐答案
如果您使用的是 Apache 2.2,这实际上很容易.确保将 Apache 配置为同时启用 mod_ldap 和 mod_authnz_ldap.
If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.
以下是 AD ldap 身份验证和授权所需的最低要求:
Here is the minimum needed for AD ldap authentication and authorization:
<Location /path/to/repo/>
AuthType basic
AuthName "My Repository"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "DN of service account allowed to search"
AuthLDAPBindPassword "Password of service account allowed to search"
Require ldap-group DN of group allowed access to repo
</Location>
对于 ldap-group,不要用引号将 DN 括起来.通过指定端口 3268,您将连接到全局编录.我发现这样做效果更好,因为 Apache 不会获得大量推荐.
For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.
这篇关于设置 Apache 和 Subversion 以使用 LDAP(Windows Active Directory)组身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!