Evolving Software

Recently I went through a small effort to connect a Subversion repository to Active Directory. This is a good thing because you no longer need to manage usernames and passwords in the old htpasswd format. htpasswd is fine for very controlled environments, but the passwords it lets you use are pretty weak and the hashing it applies to them is fairly weak as well, so letting Active Directory act as the authority is an improvement. It also saves you from maintaining yet another set of passwords, and I like that idea.

In your /etc/httpd/conf.d/filename.conf

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

LDAPConnectionTimeout 15

# mod_ldap connection and search caches, shared across the worker processes
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# Exposes mod_ldap cache statistics; restrict this location to administrators
<Location /server/cache-info>
  SetHandler ldap-status
</Location>

<Location /svn>
  DAV svn
  SVNPath /subversion/repos
  SVNListParentPath on

  # With "Satisfy Any", anonymous access is decided by the rules in the
  # AuthzSVNAccessFile alone, so keep that file tight
  AuthzSVNAccessFile /subversion/svnauthorz
  Satisfy Any
  AuthType Basic
  AuthName "Members Only"
  AuthzLDAPAuthoritative off
  AuthBasicProvider ldap
  # The bind credential is stored in cleartext here; keep this file readable only by root
  AuthLDAPBindDN "svn.user@domain.com"
  AuthLDAPBindPassword "svn.user.password"
  # <ldapserverip> is a placeholder; ldap:// sends the bind password and the users'
  # passwords over the wire unencrypted, so prefer ldaps:// where the domain controller supports it
  AuthLDAPURL "ldap://<ldapserverip>/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
  Require valid-user
</Location>

However, every couple of transactions one would fail with an error, and this message would appear in my error log:

/var/log/httpd/error_log

[Fri Apr 30 09:21:46 2010] [warn] [client 192.168.100.105] [22578] auth_ldap authenticate: user peter.franza authentication failed; URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], referer: http://svn/svnad/projects/

The solution was to stop the LDAP client from chasing referrals:

/etc/openldap/ldap.conf

REFERRALS off

*Note: this is the ldap.conf in /etc/openldap/, not the one in /etc. That file is used by PAM authentication, not by mod_ldap.
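When you are checking whether the REFERRALS fix worked, or whether a burst of auth_ldap failures is this problem rather than someone guessing passwords, it helps to split the error log by failure reason. The following script is an added example, not part of the original post: it parses the auth_ldap failure line shown above and counts "Operations error" failures (the referral symptom) separately from ordinary credential failures. The sample log is constructed from the line in the post, and the wording of the bind-failure line is an assumption about mod_authnz_ldap's message format.

```python
import re
from collections import Counter

# Matches the Apache 2.2 mod_authnz_ldap failure line quoted in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] \[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<call>[^\]]+)\]\[(?P<reason>[^\]]+)\]"
    r"(?:, referer: (?P<referer>\S+))?$"
)
# "Operations error" on the user search is the signature of the referral problem;
# anything else (typically a failed bind) is a genuine credential failure.
REFERRAL_SIGNATURE = ("ldap_search_ext_s() for user failed", "Operations error")

def parse_failure(line):
    """Return the fields of an auth_ldap failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """'referral' for the misconfiguration symptom, 'credentials' for a real failure."""
    if (rec["call"], rec["reason"]) == REFERRAL_SIGNATURE:
        return "referral"
    return "credentials"

def summarize(lines):
    """Count failures per class and per (user, class) so referral noise is not read as guessing."""
    by_class, by_user = Counter(), Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        kind = classify(rec)
        by_class[kind] += 1
        by_user[(rec["user"], kind)] += 1
    return by_class, by_user

# Constructed sample log: the first line is the one from the post; the others are made up
# in the same format (the bind-failure wording is an assumption, not copied from a real server).
SAMPLE_LOG = [
    "[Fri Apr 30 09:21:46 2010] [warn] [client 192.168.100.105] [22578] auth_ldap authenticate: user peter.franza authentication failed; URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], referer: http://svn/svnad/projects/",
    "[Fri Apr 30 09:22:10 2010] [warn] [client 192.168.100.105] [22579] auth_ldap authenticate: user peter.franza authentication failed; URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], referer: http://svn/svnad/projects/",
    "[Fri Apr 30 09:25:02 2010] [warn] [client 192.168.100.120] [22580] auth_ldap authenticate: user jane.doe authentication failed; URI /svnad/projects/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]",
    "[Fri Apr 30 09:25:03 2010] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    by_class, by_user = summarize(SAMPLE_LOG)
    print(dict(by_class))  # {'referral': 2, 'credentials': 1}
    print(dict(by_user))
```

Run it against a real error_log with `summarize(open("/var/log/httpd/error_log"))`; if the "referral" count keeps climbing after the change, the wrong ldap.conf was edited.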