How can I avoid using AuthzSVNAccessFile for read/write access to SVN

I want to authorize access to SVN based on the user's group ID in LDAP so that I can get rid of AuthzSVNAccessFile.

/etc/httpd/conf.d/subversion.conf is as below (the AuthLDAPURL was captured from the 'Search Logs' view of 'Apache Directory Studio'):

LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so
DefineExternalAuth pwauth pipe /usr/sbin/pwauth

LDAPTrustedMode SSL
LDAPVerifyServerCert Off
<Location /repos>
    DAV svn
    SVNPath /var/www/svn/repos
    AuthName "SVN Repos"
    AuthType Basic

    AuthzLDAPAuthoritative on

    AuthBasicProvider ldap

    #AuthzSVNAccessFile /var/www/svn/users-access-file

    AuthLDAPURL ldaps://ldap_l.cisco.com:10648/ou=users,dc=sprint,dc=com?hasSubordinates,objectClass?one?(objectClass=*) SSL
    AuthLDAPBindDN "uid=admin,ou=system"

    AuthLDAPBindPassword secret

    Require ldap-group ou=users,dc=sprint,dc=com
    Require ldap-attribute gidNumber=491
</Location>

Server LDIF details:

version: 1

dn: ou=users,dc=sprint,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
userPassword:: e1NTSEF9WlhBaEV3bmp0VmxaQjdEVjl0TE93VjdZYTc3RHZtU3FQRUFhckE9PQ==

dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_sssd_qns
gidNumber: 500
homeDirectory: /home/qns
sn: sn__sssd_qns
uid: sssd_qns
uidNumber: 500
userPassword:: e1NTSEF9Z2V5LzJaU3oxK1BPdjlpTGszMjNvTmZtNGtMVk5peGg5TC9BMHc9PQ==

dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_sssd_pb
gidNumber: 491
homeDirectory: /home/qns-svn
sn: sn_sssd_pb
uid: sssd_pb
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ==

I want to give read/write access to gidNumber: 491 and read-only access to gidNumber: 500.

When I tried the above configuration, I got the error log below in /var/log/httpd/:

[Wed Aug 09 06:41:23 2017] [info] [client ::1] [6813] auth_ldap authenticate: user sssd_pb authentication failed; URI /repos/configuration/ANDSF_Config [User not found][No such object]
[Wed Aug 09 06:41:23 2017] [error] [client ::1] user sssd_pb not found: /repos/configuration/ANDSF_Config

The ldapsearch query (captured from the 'Search Logs' view of 'Apache Directory Studio') produces the output correctly, as below:

ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "ou=users,dc=sprint,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"

# extended LDIF
#
# LDAPv3
# base <ou=users,dc=sprint,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass 
#

# sssd_pb, users, sprint.com
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass:     posixAccount
objectClass:     top
objectClass:     inetOrgPerson
objectClass:     person
objectClass:     organizationalPerson

# sssd_qns, users, sprint.com
dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
objectClass:     posixAccount
objectClass:     top
objectClass:     inetOrgPerson
objectClass:     person
objectClass:     organizationalPerson

Can anyone tell me whether I am missing something in the above configuration that prevents me from granting access based on gidNumber?

asked by Kedar 09.08.2017 / 09:29
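Added example, not from the original post or from any answer to it: an Apache 2.2 mod_authnz_ldap configuration that does what the question asks for without AuthzSVNAccessFile. Two things differ from the posted config. First, the attribute field of AuthLDAPURL (the part between the first two '?') names the attribute that mod_authnz_ldap matches against the HTTP login name; the posted URL puts "hasSubordinates,objectClass" there, so the user lookup searches for hasSubordinates=sssd_pb, finds nothing, and logs "User not found". It has to be uid. Second, "Require ldap-group ou=users,..." is dropped: an organizationalUnit carries no member/uniqueMember attribute, so an ldap-group check against it can never succeed. Read-only versus read/write is then expressed per HTTP method with Limit/LimitExcept, the same pattern the Subversion book uses for path-wide anonymous-read setups. Hostname, base DN, bind DN, port and the gidNumber values are taken from the post; the filter (objectClass=posixAccount) and the LoadModule lines are assumptions, since the post does not show them.

```apache
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LDAPTrustedMode SSL
# Caveat: with verification Off the admin bind password goes to whatever
# answers on port 10648. Point LDAPTrustedGlobalCert at the directory's CA
# and turn this On once the CA file is in place.
LDAPVerifyServerCert Off

<Location /repos>
    DAV svn
    SVNPath /var/www/svn/repos
    AuthName "SVN Repos"
    AuthType Basic
    AuthBasicProvider ldap
    # Do not fall through to other authz modules when LDAP says no.
    AuthzLDAPAuthoritative on

    # host/base/scope as posted; attribute is uid (matched against the login
    # name); filter (objectClass=posixAccount) is an assumption, it restricts
    # the search to entries that actually carry gidNumber.
    AuthLDAPURL "ldaps://ldap_l.cisco.com:10648/ou=users,dc=sprint,dc=com?uid?one?(objectClass=posixAccount)" SSL
    AuthLDAPBindDN "uid=admin,ou=system"
    AuthLDAPBindPassword secret

    # Read-only methods. In 2.2 several Require lines in one context are ORed,
    # so members of either group can read.
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-attribute gidNumber=491
        Require ldap-attribute gidNumber=500
    </Limit>

    # Every other method (PUT, DELETE, MKCOL, CHECKOUT, MERGE, MKACTIVITY, ...)
    # changes the repository, so only gidNumber 491 may use them.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-attribute gidNumber=491
    </LimitExcept>
</Location>
```

Two caveats a practitioner would want stated. This scheme is per-method, not per-path: it cannot say "read/write on /repos/a, read-only on /repos/b"; that is exactly what AuthzSVNAccessFile (with SVNPathAuthz) provides, so it should only be dropped when repository-wide rules are enough. And because the file holds the bind password and AuthType Basic sends user passwords in the clear, the config file should be readable by root only and the Location must be served over HTTPS. After reloading, check with LogLevel debug: a successful lookup shows "auth_ldap authenticate: accepting sssd_pb" followed by "auth_ldap authorise: require ldap-attribute: ... authorisation successful".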

0 answers