这是我的配置(httpd 2.4):
<AuthnProviderAlias ldap zzzldap>
LDAPReferrals Off
AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com?uid?sub?(objectClass=*)"
AuthLDAPBindDN "uid=zzz,ou=Applications,o=zzz.com"
AuthLDAPBindPassword "zzz"
</AuthnProviderAlias>
<Location /svn>
DAV svn
SVNParentPath /DATA/svn
AuthType Basic
AuthName "Subversion repositories"
SSLRequireSSL
AuthBasicProvider zzzldap
<RequireAll>
Require valid-user
Require ldap-attribute employeeNumber=12345
Require ldap-group cn=yyy,ou=Groups,o=zzz.com
</RequireAll>
</Location>
可以Require valid-user工作。但是 ldap-attribute、ldap-filter、ldap-group 不起作用 -denied始终在日志中。我花了很多时间,但不明白发生了什么。这是我的日志的示例:
[Tue Sep 25 16:42:26.772006 2012] [authz_core:debug] [pid 23087:tid 139684003014400] mod_authz_core.c(802): [client 1.1.1.1:52624] AH01626: authorization result of Require valid-user : granted
[Tue Sep 25 16:42:26.772014 2012] [authz_core:debug] [pid 23087:tid 139684003014400] mod_authz_core.c(802): [client 1.1.1.1:52624] AH01626: authorization result of Require ldap-attribute employeeNumber=12345: denied
我使用 ldapsearch 检查了所有信息:有一个有效的用户名、员工 ID 和其他...
答案1
尝试一下这个方法:
<AuthnProviderAlias ldap zzzldap>
LDAPReferrals Off
AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com?uid?sub?(objectClass=*)"
AuthLDAPBindDN uid=zzz,ou=Applications,o=zzz.com
AuthLDAPBindPassword zzz
</AuthnProviderAlias>
<AuthzProviderAlias ldap-group ldap-group-yyy cn=yyy,ou=Groups,o=zzz.com>
AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com"
AuthLDAPBindDN uid=zzz,ou=Applications,o=zzz.com
AuthLDAPBindPassword zzz
Require ldap-group cn=yyy,ou=Groups,o=zzz.com
#Require ldap-attribute employeeNumber=12345
</AuthzProviderAlias>
<Location /svn>
DAV svn
SVNParentPath /DATA/svn
AuthType Basic
AuthName "Subversion repositories"
SSLRequireSSL
AuthBasicProvider zzzldap
<RequireAll>
Require valid-user
Require ldap-group-yyy
</RequireAll>
</Location>
我不确定“需要 ldap-attribute employeeNumber=12345”部分,但该组现在对我有用。