我想在LDAP中根据用户的组ID来授权SVN访问,这样我就可以摆脱AuthzSVNAccessFile。
/etc/httpd/conf.d/subversion.conf如下:(AuthLDAPURL从“Apache Directory Studio”的“search日志”视图中获取)
LoadModule authnz_external_module modules/mod_authnz_external.so LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so DefineExternalAuth pwauth pipe /usr/sbin/pwauth LDAPTrustedMode SSL LDAPVerifyServerCert Off <Location /repos> DAV svn SVNPath /var/www/svn/repos AuthName "SVN Repos" AuthType Basic AuthzLDAPAuthoritative on AuthBasicProvider ldap #AuthzSVNAccessFile /var/www/svn/users-access-file AuthLDAPURL ldaps://ldap_l.cisco.com:10648/ou=users,dc=sprint,dc=com?hasSubordinates,objectClass?one?(objectClass=*) SSL AuthLDAPBindDN "uid=admin,ou=system" AuthLDAPBindPassword secret Require ldap-group ou=users,dc=sprint,dc=com Require ldap-attribute gidNumber=491 </Location> 服务器的LDIF详细信息:
version: 1 dn: ou=users,dc=sprint,dc=com objectClass: organizationalUnit objectClass: top ou: users userPassword:: e1NTSEF9WlhBaEV3bmp0VmxaQjdEVjl0TE93VjdZYTc3RHZtU3FQRUFhckE9PQ== dn: uid=sssd_qns,ou=users,dc=sprint,dc=com objectClass: organizationalPerson objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: posixAccount cn: cn_sssd_qns gidNumber: 500 homeDirectory: /home/qns sn: sn__sssd_qns uid: sssd_qns uidNumber: 500 userPassword:: e1NTSEF9Z2V5LzJaU3oxK1BPdjlpTGszMjNvTmZtNGtMVk5peGg5TC9BMHc9PQ== dn: uid=sssd_pb,ou=users,dc=sprint,dc=com objectClass: organizationalPerson objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: posixAccount cn: cn_sssd_pb gidNumber: 491 homeDirectory: /home/qns-svn sn: sn_sssd_pb uid: sssd_pb uidNumber: 491 userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ==
我想提供对gidNumber:491的读/写访问权限,并且只读访问gidNumber:500
当我尝试上面的configuration,我得到错误日志在/ var / log / httpd /
[Wed Aug 09 06:41:23 2017] [info] [client ::1] [6813] auth_ldap authenticate: user sssd_pb authentication failed; URI /repos/configuration/ANDSF_Config [User not found][No such object] [Wed Aug 09 06:41:23 2017] [error] [client ::1] user sssd_pb not found: /repos/configuration/ANDSF_Config
ldapsearch查询(从“Apache Directory Studio”的“search日志”视图中获取)输出正确地输出如下:
ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "ou=users,dc=sprint,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass" # extended LDIF # # LDAPv3 # base <ou=users,dc=sprint,dc=com> with scope oneLevel # filter: (objectClass=*) # requesting: hasSubordinates objectClass # # sssd_pb, users, sprint.com dn: uid=sssd_pb,ou=users,dc=sprint,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson # sssd_qns, users, sprint.com dn: uid=sssd_qns,ou=users,dc=sprint,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson
我可以知道,如果我错过了上面的configuration,这是禁止我提供基于gidNumber的访问?