LDAP for an internet project. Part 3

    In the first and second parts we installed and configured OpenLDAP; now we can start setting up authorization for our services.
    Today's plan: authorization for admins in Apache HTTPD via mod_ldap, and authorization for SVN.

    4. authorization for admins - Apache HTTPD mod_ldap

    We assume that apache2 is already installed, so we only need to enable authnz_ldap and mod_ldap: a2enmod authnz_ldap ldap
    While debugging, I recommend disabling the mod_ldap cache:
    echo "LDAPCacheEntries 0" >> /etc/apache2/mods-available/ldap.load
    Reload the Apache config: /etc/init.d/apache2 reload
    Next, change the vhost config, or create a .htaccess file (slower, since it is re-read on every request).
    For example, like this. Several Require ldap-group lines can be listed one after another: they are checked in turn, and membership in any one of them grants access.
    cat > /var/www/adminka/.htaccess << "EOF"
    AuthName "restricted"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
    AuthLDAPGroupAttribute uniqueMember
    Require ldap-group cn=habr-adminka,ou=group,dc=habr,dc=ru
    EOF
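
    To make the mechanics of this .htaccess concrete, here is a small Python model of the two checks mod_authnz_ldap performs: look the user up under the AuthLDAPURL base (the search attribute defaults to uid), then compare the resulting DN against the uniqueMember values of the group named in each Require ldap-group line. It is an added example written for this article, not code from the original post, Apache or OpenLDAP. It runs against an in-memory directory parsed from constructed LDIF (the users dev, twin and outsider and the ou=former and ou=contractors branches are invented here), skips the password bind, and the same check covers the svn group cn=habr,ou=svn used in section 5.

```python
"""Added example (not code from mod_authnz_ldap or OpenLDAP): replays the two checks behind
the .htaccess above, user lookup under the AuthLDAPURL base and the `Require ldap-group` DN
comparison, against an in-memory directory. Only the article's DNs are real; entries are constructed."""
import shlex
from urllib.parse import unquote, urlsplit

# Constructed sample directory (LDIF). dev, twin, outsider, ou=former, ou=contractors are invented.
SAMPLE_LDIF = """dn: uid=habradmin,ou=users,dc=habr,dc=ru
uid: habradmin

dn: uid=dev,ou=users,dc=habr,dc=ru
uid: dev

dn: uid=twin,ou=users,dc=habr,dc=ru
uid: twin

dn: uid=twin,ou=former,ou=users,dc=habr,dc=ru
uid: twin

dn: uid=outsider,ou=contractors,dc=habr,dc=ru
uid: outsider

dn: cn=habr-adminka,ou=group,dc=habr,dc=ru
objectClass: groupOfUniqueNames
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
uniqueMember: uid=habradmin2,ou=users,dc=habr,dc=ru
uniqueMember: uid=twin,ou=users,dc=habr,dc=ru

dn: cn=habr,ou=svn,dc=habr,dc=ru
objectClass: groupOfUniqueNames
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
uniqueMember: uid=dev,ou=users,dc=habr,dc=ru
"""

# The directives from the article's .htaccess that the check depends on.
HTACCESS = """AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=habr-adminka,ou=group,dc=habr,dc=ru
"""

def norm_dn(dn):
    """Comparison form of a DN: lower-case, no blanks around the commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """LDIF -> {normalized dn: {"dn": as written, attr (lower-case): [values]}}; no folding or base64."""
    directory, entry = {}, None
    for line in text.splitlines():
        if not line.strip():
            entry = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            entry = directory.setdefault(norm_dn(value), {"dn": value})
        elif entry is not None:
            entry.setdefault(attr, []).append(value)
    return directory

def parse_htaccess(text):
    """Collect single-argument directives plus every Require line, in order."""
    cfg = {"Require": []}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and parts[0] == "Require":
            cfg["Require"].append(parts[1:])
        elif len(parts) > 1:
            cfg[parts[0]] = parts[1]
    return cfg

def find_user(directory, url, username):
    """Step 1: subtree search below the URL's base (ldap://host/base[?attribute...]) for
    attribute=username; attribute defaults to uid, scope/filter parts are not modelled."""
    u = urlsplit(url)
    base = norm_dn(unquote(u.path.lstrip("/")))
    attr = (unquote(u.query).split("?")[0] or "uid").lower()
    hits = [e["dn"] for dn, e in directory.items()
            if (dn == base or dn.endswith("," + base)) and username in e.get(attr, [])]
    # Zero hits: unknown user. More than one: mod_authnz_ldap fails with "not unique".
    return hits[0] if len(hits) == 1 else None

def is_member(directory, group_dn, user_dn, group_attr):
    """Step 2 (AuthLDAPGroupAttributeIsDN on, the default): the user's full DN must be a group attribute value."""
    group = directory.get(norm_dn(group_dn), {})
    return norm_dn(user_dn) in {norm_dn(v) for v in group.get(group_attr.lower(), [])}

def authorize(directory, htaccess, username):
    """True if any Require ldap-group line matches, else False (AuthzLDAPAuthoritative on)."""
    cfg = parse_htaccess(htaccess)
    user_dn = find_user(directory, cfg["AuthLDAPURL"], username)
    if user_dn is None:
        return False
    group_attr = cfg.get("AuthLDAPGroupAttribute", "member")  # real default also tries uniqueMember
    return any(is_member(directory, " ".join(req[1:]), user_dn, group_attr)
               for req in cfg["Require"] if req[:1] == ["ldap-group"])

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("habradmin", "dev", "twin", "outsider"):
        print(user, "->", "allowed" if authorize(directory, HTACCESS, user) else "denied")
```

    What the model makes visible that the config alone does not: a user outside ou=users is never found, even if listed in the group; two entries with the same uid under the search base make the lookup fail (mod_authnz_ldap reports the user as not unique) instead of picking one; and the comparison is between DNs, normalised for case and spacing, so uniqueMember must hold the user's full DN, not the bare uid. Adding a second Require ldap-group line for cn=habr,ou=svn shows the any-match semantics described above.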



    I remind you that our users are stored in ou=users; accordingly, the group cn=habr-adminka is created, and the users are listed in it as uniqueMember values. Since AuthLDAPGroupAttributeIsDN is on by default, those values must be the users' full DNs, not bare logins. For example:
    dn: cn=habr-adminka,ou=group,dc=habr,dc=ru
    cn: habr-adminka
    objectClass: groupOfUniqueNames
    objectClass: top
    description: habr.ru/adminka
    uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
    uniqueMember: uid=habradmin2,ou=users,dc=habr,dc=ru

    The mod_ldap log can be seen by setting Apache's LogLevel to debug.

    5. authorization for svn

    A small digression about svnserve:
    As it turned out after digging through the sources of subversion and cyrus-sasl (the ldapdb plugin), LDAP is barely supported there: you can't check groups, there are no filters... in general, everything is bad.
    At the same time, the system saslauthd with the options -a ldap -O /etc/saslauthd.conf checks group membership perfectly well:
    testsaslauthd -u user -p pass
    0: OK "Success."

    If you are interested, the working config /etc/saslauthd.conf (it contains the bind password, so keep it readable by root only):
    cat > /etc/saslauthd.conf << "EOF"
    ldap_servers: ldap://ldap.habr.ru
    ldap_bind_dn: cn=auth,dc=habr,dc=ru
    ldap_bind_pw: secret
    ldap_cache_ttl: 0
    ldap_scope: sub
    ldap_search_base: ou=users,dc=habr,dc=ru
    ldap_auth_method: bind
    ldap_basedn: dc=habr,dc=ru
    ldap_group_dn: cn=code,ou=svn,dc=habr,dc=ru
    ldap_group_attr: uniqueMember
    EOF


    Therefore, you will have to access svn via apache httpd:
    apt-get install libapache2-svn
    Add our repositories to the apache config; the directives below belong inside the <Location> block for the repository. Authorization was already covered in step 4, so there is nothing new here:

    DAV svn
    SVNPath /var/svn/habr
    AuthName "restricted"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
    AuthLDAPGroupAttribute uniqueMember
    Require ldap-group cn=habr,ou=svn,dc=habr,dc=ru

    We reload apache and check that it works. That's all for today, thanks for your attention.
