设置Apache和Subversion使用LDAP（Windows活动目录）组认证 [英] Setting up Apache and Subversion to use LDAP (Windows Active Directory) group authentication

问题描述

我试图安装的Apache httpd的与Subversion的LDAP访问，并需要一点帮助：

I am attempting to setup Apache httpd with LDAP access for Subversion, and need a bit of help:

我想要做的是使用一组进行访问。如果您是该组中的一员，你有读/写访问。如果你不是，你都进不去。

What I want to do is use a group for access. If you are a member of the group, you have read/write access. If you are not, you have no access.

在我们的LDAP服务器组记录（ LDAP：//ldap.MyCompany.com/DC=MyCompany,DC=COM 的）

The group record in our LDAP server (ldap://ldap.MyCompany.com/DC=MyCompany,DC=COM)

CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com

和该组的成员在此记录是这样的：

and the members of the group are in this record like this:

member: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
member: CN=Joe Public,OU=Users,OU=Cincinnati,OU=Accounts,DC=MyCompany,DC=COM

如果你看我的纪录，LDAP，你会看到：

If you look up my record in LDAP, you'll see:

memberOf: CN=SVN-GROUP,CN=Users,DC=MyCompany,DC=com
Name: David Weintraub
Distinguished Name: CN=David Weintraub,OU=Users,OU=Brooklyn,OU=Accounts,DC=MyCompany,DC=COM
sAMAccountName: dweintraub

我想要做的是登录为 dweintraub （这是我的Windows帐户）和我的Windows密码。我也不想指定Windows域为我登录的一部分。每个人都将是 myCompany中域的一部分。

What I'd like to do is to login as dweintraub (which is my Windows account) with my Windows password. I also don't want to specify the Windows Domain as part of my login. Everyone will be part of the mycompany domain.

我试图去通过Apache httpd的网站，但它是一个有点难以把一切融合在一起。

I'm trying to go through the Apache httpd website, but it's a bit hard to put everything together.

这倒提醒了我，任何人都可以推荐一个好Apache的书吗？

Which reminds me, can anyone recommend a good Apache book?

推荐答案

如果您使用的是Apache 2.2，这其实是pretty的方便。请确保您配置Apache同时拥有mod_ldap模块和mod_authnz_ldap模块启用。

If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

下面是需要AD LDAP身份验证和授权的最低要求：

Here is the minimum needed for AD ldap authentication and authorization:

<Location /path/to/repo/>
    AuthType basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com:3268/dc=example,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    Require ldap-group DN of group allowed access to repo
</Location>

对于LDAP组，不围绕DN加上引号。通过指定端口3268，你会被连接到全局编录。我发现这个效果要好得多，因为Apache不会得到一堆请示。

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.

这篇关于设置Apache和Subversion使用LDAP（Windows活动目录）组认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！