Connecting Apache (httpd) To Active Directory
30 Apr 2010

Recently I went through a small effort to connect a Subversion repository to Active Directory. This is a good thing because it means you no longer need to manage usernames and passwords in the old htpasswd format. htpasswd is fine for very controlled environments, but the passwords it lets you use are pretty weak and the hashing it applies to them is fairly weak as well, so letting Active Directory act as the authority is a good thing. It also keeps you from having to maintain yet another set of passwords, and I like that idea.
In your /etc/httpd/conf.d/filename.conf
```apache
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# mod_ldap connection and cache tuning
LDAPConnectionTimeout 15
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# Status page for the mod_ldap caches
<Location /server/cache-info>
    SetHandler ldap-status
</Location>

<Location /svn>
    DAV svn
    SVNPath /subversion/repos
    SVNListParentPath on
    AuthzSVNAccessFile /subversion/svnauthorz
    Satisfy Any
    AuthType Basic
    AuthName "Members Only"
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap
    # Account used to search the directory for the user entry
    AuthLDAPBindDN "svn.user@domain.com"
    AuthLDAPBindPassword "svn.user.password"
    # host/base DN?attribute to match the login name?scope?filter
    AuthLDAPURL "ldap://<ldapserverip>/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
    Require valid-user
</Location>
```
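The AuthLDAPURL above packs four things into one string (base DN, the attribute matched against the login name, search scope and an extra filter), and mod_authnz_ldap combines the last two with the submitted username into the search it actually sends. The following script is an added example, not code from the original post: it splits such a URL into its parts, builds the resulting search filter with RFC 4515 escaping of the username, and lists the points a reviewer would raise about the URL. The address 192.0.2.10 stands in for the post's `<ldapserverip>` placeholder, and the "domain root plus subtree scope" heuristic in `audit()` is this example's own rule of thumb.

```python
"""Parse and sanity-check an Apache AuthLDAPURL (mod_authnz_ldap syntax)."""
from urllib.parse import unquote

# Defaults mod_authnz_ldap applies when a URL field is left empty.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"


def parse_auth_ldap_url(url):
    """Split 'scheme://host[:port]/basedn?attribute?scope?filter' into a dict."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?")
    # Pad to four fields so missing trailing parts fall back to the defaults.
    fields += [""] * (4 - len(fields))
    basedn, attribute, scope, ldap_filter = (unquote(f) for f in fields[:4])
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "basedn": basedn,
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope or DEFAULT_SCOPE,
        "filter": ldap_filter or DEFAULT_FILTER,
    }


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_filter(parsed, username):
    """The filter mod_authnz_ldap sends: (&<filter>(<attribute>=<username>))."""
    return "(&%s(%s=%s))" % (
        parsed["filter"], parsed["attribute"], escape_filter_value(username))


def audit(parsed):
    """Return the review points for this URL (heuristics of this example)."""
    findings = []
    if parsed["scheme"] == "ldap":
        findings.append(
            "cleartext: the bind password and every user's password cross the "
            "network unencrypted; use ldaps:// or LDAPTrustedMode TLS")
    if parsed["scope"] == "sub" and parsed["basedn"].lower().startswith("dc="):
        findings.append(
            "subtree search from the domain root: Active Directory returns "
            "referrals to its other naming contexts, so the LDAP client must "
            "not chase them (REFERRALS off)")
    if parsed["filter"] == DEFAULT_FILTER:
        findings.append(
            "no object-class filter: any entry with a matching attribute "
            "would be accepted")
    return findings


if __name__ == "__main__":
    # Constructed address in place of the post's <ldapserverip> placeholder.
    url = "ldap://192.0.2.10/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
    parsed = parse_auth_ldap_url(url)
    print(parsed)
    print(search_filter(parsed, "peter.franza"))
    for finding in audit(parsed):
        print("-", finding)
```

Two things the audit points at are worth acting on before the config goes live: the `ldap://` scheme means a simple bind, so the `AuthLDAPBindPassword` and each user's Basic-auth password travel in the clear to the domain controller, and the config file that holds the bind password should be owned by root with mode 0600 (httpd reads its configuration before dropping privileges).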
However, every couple of transactions I would get an error, and this message would appear in my error log:
/var/log/httpd/error_log
```text
[Fri Apr 30 09:21:46 2010] [warn] [client 192.168.100.105] [22578] auth_ldap authenticate: user peter.franza authentication failed; URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], referer: http://svn/svnad/projects/
```
The solution was to stop the LDAP client library from chasing referrals. A subtree search of the domain root makes Active Directory hand back referrals to its other naming contexts, and the client's attempt to follow those is what fails with the Operations error above:
/etc/openldap/ldap.conf
```text
REFERRALS off
```
*Note: this goes in /etc/openldap/ldap.conf, not the ldap.conf in /etc. That file is used by PAM LDAP authentication, not by mod_ldap.
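The warning in the error log above is easy to mistake for a wrong password, which matters when someone is watching that log for credential guessing. The script below is an added example, not code from the original post: it parses the Apache 2.2 style `auth_ldap authenticate` warning, separates search failures (the referral symptom fixed by `REFERRALS off`) from genuine bad-password attempts, and counts the latter per client address. The first sample line is the one quoted in the post; the other lines are constructed, and the bracketed stage and reason strings in the constructed bad-password lines are assumed shapes, not text copied from a real log.

```python
"""Triage mod_authnz_ldap failures from an Apache 2.2 error_log."""
import re
from collections import Counter

# [date] [level] [client ip] [pid] auth_ldap authenticate: user U authentication
# failed; URI /path [stage][reason], referer: ...   (pid and referer optional)
AUTH_LDAP_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"(?:\[\d+\] )?auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<stage>[^\]]*)\]\[(?P<reason>[^\]]*)\]"
    r"(?:, referer: (?P<referer>\S+))?"
)


def parse_line(line):
    """Return the fields of an auth_ldap failure line, or None for other lines."""
    m = AUTH_LDAP_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Separate directory/configuration trouble from wrong-password attempts."""
    if "Operations error" in event["reason"] and "ldap_search" in event["stage"]:
        # The search for the user entry was refused before any password was
        # checked: with Active Directory this is the referral-chasing symptom,
        # and it says nothing about the credentials the client sent.
        return "search-failed"
    if "Invalid credentials" in event["reason"]:
        return "bad-password"
    return "other"


def triage(lines):
    """Count events by outcome, and bad-password attempts per client address."""
    by_outcome = Counter()
    bad_password_by_client = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        outcome = classify(event)
        by_outcome[outcome] += 1
        if outcome == "bad-password":
            bad_password_by_client[event["client"]] += 1
    return by_outcome, bad_password_by_client


# Constructed sample log: line 1 is the post's own warning, the rest are made up.
SAMPLE_LOG = [
    "[Fri Apr 30 09:21:46 2010] [warn] [client 192.168.100.105] [22578] "
    "auth_ldap authenticate: user peter.franza authentication failed; "
    "URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error], "
    "referer: http://svn/svnad/projects/",
    "[Fri Apr 30 09:22:10 2010] [warn] [client 192.168.100.105] [22578] "
    "auth_ldap authenticate: user peter.franza authentication failed; "
    "URI /svnad/projects/ [ldap_search_ext_s() for user failed][Operations error]",
    "[Fri Apr 30 09:25:01 2010] [warn] [client 192.168.100.77] [22580] "
    "auth_ldap authenticate: user svc.build authentication failed; "
    "URI /svn/ [ldap_simple_bind_s() to bind as user failed][Invalid credentials]",
    "[Fri Apr 30 09:25:03 2010] [warn] [client 192.168.100.77] [22580] "
    "auth_ldap authenticate: user svc.build authentication failed; "
    "URI /svn/ [ldap_simple_bind_s() to bind as user failed][Invalid credentials]",
    "[Fri Apr 30 09:30:00 2010] [notice] caught SIGTERM, shutting down",
]


if __name__ == "__main__":
    outcomes, per_client = triage(SAMPLE_LOG)
    print("by outcome:", dict(outcomes))
    print("bad passwords per client:", dict(per_client))
```

Run against the real log with `triage(open("/var/log/httpd/error_log"))`; a rising `search-failed` count after a directory change points at the referral problem (or a lost bind account), while a high per-client `bad-password` count is the line to alert on.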