Connecting Apache (httpd) To Active Directory
30 Apr 2010

Recently I went through a small effort to connect a Subversion repository to Active Directory. This is worthwhile because you no longer need to manage usernames and passwords in the old htpasswd format. htpasswd is fine for very controlled environments, but the passwords it allows are pretty weak and the way it stores them is fairly weak as well, so letting Active Directory act as the authority is a good thing. It also keeps you from having to maintain yet another set of passwords, and I like that idea.

In your /etc/httpd/conf.d/filename.conf:
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LDAPConnectionTimeout 15
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
<Location /server/cache-info>
SetHandler ldap-status
</Location>
<Location /svn>
DAV svn
SVNPath /subversion/repos
SVNListParentPath on
AuthzSVNAccessFile /subversion/svnauthorz
Satisfy Any
AuthType Basic
AuthName "Members Only"
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPBindDN "svn.user@domain.com"
AuthLDAPBindPassword "svn.user.password"
AuthLDAPURL "ldap://<ldapserverip>/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
Require valid-user
</Location>
However, every couple of transactions would fail with an error, and this message would appear in my error log:
/var/log/httpd/error_log
[Fri Apr 30 09:21:46 2010] [warn] [client 192.168.100.105] [22578] auth_ldap authenticate: user peter.franza authentication failed; URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], referer: http://svn/svnad/projects/
The solution was to disable LDAP referral chasing in the OpenLDAP client configuration:
/etc/openldap/ldap.conf
REFERRALS off
*Note: this is /etc/openldap/ldap.conf, not the ldap.conf in /etc; that file is used by PAM authentication and not by mod_ldap.
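To confirm the change worked (and to spot the problem recurring), the following added script, which is not part of the original post, parses mod_auth_ldap failure lines in the error_log format shown above and counts the "[ldap_search_ext_s() for user failed][Operations error]" signature per user. The sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post (not real log data).
SAMPLE_LOG = """\
[Fri Apr 30 09:21:46 2010] [warn] [client 192.168.100.105] [22578] auth_ldap authenticate: user peter.franza authentication failed; URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], referer: http://svn/svnad/projects/
[Fri Apr 30 09:22:01 2010] [notice] [client 192.168.100.105] [22579] some unrelated message
[Fri Apr 30 09:23:10 2010] [warn] [client 192.168.100.107] [22580] auth_ldap authenticate: user jane.doe authentication failed; URI /svn/ [User not found][No such object], referer: http://svn/svn/
"""

# Fields: timestamp, level, client, optional pid, user, URI, failing stage, LDAP reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"(?:\[\d+\] )?auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<stage>[^\]]*)\]\[(?P<reason>[^\]]*)\]"
)


def parse_auth_failures(text):
    """Return one dict per mod_auth_ldap 'authentication failed' line; other lines are skipped."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            failures.append(m.groupdict())
    return failures


def referral_suspects(failures):
    """Count, per user, search failures whose LDAP reason is 'Operations error'.

    This is the signature the post associates with referral chasing against
    Active Directory; a non-empty result after setting REFERRALS off means
    the fix did not take effect (or the wrong ldap.conf was edited).
    """
    counts = Counter()
    for f in failures:
        if f["reason"] == "Operations error" and "ldap_search_ext_s" in f["stage"]:
            counts[f["user"]] += 1
    return counts


if __name__ == "__main__":
    for user, n in referral_suspects(parse_auth_failures(SAMPLE_LOG)).items():
        print(f"{user}: {n} suspected referral failure(s)")
```

Point it at the real /var/log/httpd/error_log by reading the file instead of SAMPLE_LOG; genuine bad-password attempts show a different reason text and are not counted.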