我想根据 LDAP 中的用户组 ID 授权 SVN 访问,这样我就可以摆脱 AuthzSVNAccessFile。
/etc/httpd/conf.d/subversion.conf 如下:(AuthLDAPURL 是从‘Apache Directory Studio’的‘搜索日志’视图中捕获的)
LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so
DefineExternalAuth pwauth pipe /usr/sbin/pwauth
LDAPTrustedMode SSL
LDAPVerifyServerCert Off
<Location /repos>
DAV svn
SVNPath /var/www/svn/repos
AuthName "SVN Repos"
AuthType Basic
AuthzLDAPAuthoritative on
AuthBasicProvider ldap
#AuthzSVNAccessFile /var/www/svn/users-access-file
AuthLDAPURL ldaps://ldap_l.cisco.com:10648/ou=users,dc=sprint,dc=com?hasSubordinates,objectClass?one?(objectClass=*) SSL
AuthLDAPBindDN "uid=admin,ou=system"
AuthLDAPBindPassword secret
Require ldap-group ou=users,dc=sprint,dc=com
Require ldap-attribute gidNumber=491
</Location>
来自服务器的 LDIF 详细信息:
version: 1
dn: ou=users,dc=sprint,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
userPassword:: e1NTSEF9WlhBaEV3bmp0VmxaQjdEVjl0TE93VjdZYTc3RHZtU3FQRUFhckE9PQ==
dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_sssd_qns
gidNumber: 500
homeDirectory: /home/qns
sn: sn__sssd_qns
uid: sssd_qns
uidNumber: 500
userPassword:: e1NTSEF9Z2V5LzJaU3oxK1BPdjlpTGszMjNvTmZtNGtMVk5peGg5TC9BMHc9PQ==
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_sssd_pb
gidNumber: 491
homeDirectory: /home/qns-svn
sn: sn_sssd_pb
uid: sssd_pb
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ==
我想提供对 gidNumber: 491 的读/写访问权限和对 gidNumber: 500 的只读访问权限
当我尝试上述配置时,我在 /var/log/httpd/ 中收到以下错误日志
[Wed Aug 09 06:41:23 2017] [info] [client ::1] [6813] auth_ldap authenticate: user sssd_pb authentication failed; URI /repos/configuration/ANDSF_Config [User not found][No such object]
[Wed Aug 09 06:41:23 2017] [error] [client ::1] user sssd_pb not found: /repos/configuration/ANDSF_Config
ldapsearch 查询(从‘Apache Directory Studio’的‘搜索日志’视图捕获)输出正确给出如下输出:
ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "ou=users,dc=sprint,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=sprint,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#
# sssd_pb, users, sprint.com
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
# sssd_qns, users, sprint.com
dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
我是否知道上述配置中是否缺少某些内容,导致我无法提供基于 gidNumber 的访问?