如何避免使用 AuthzSVNAccessFile 对 SVN 进行读/写访问

如何避免使用 AuthzSVNAccessFile 对 SVN 进行读/写访问

我想根据 LDAP 中的用户组 ID 授权 SVN 访问,这样我就可以摆脱 AuthzSVNAccessFile。

/etc/httpd/conf.d/subversion.conf 如下:(AuthLDAPURL 是从‘Apache Directory Studio’的‘搜索日志’视图中捕获的)

LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so
DefineExternalAuth pwauth pipe /usr/sbin/pwauth

LDAPTrustedMode SSL
LDAPVerifyServerCert Off
<Location /repos>
    DAV svn
    SVNPath /var/www/svn/repos
    AuthName "SVN Repos"
    AuthType Basic

    AuthzLDAPAuthoritative on

    AuthBasicProvider ldap

    #AuthzSVNAccessFile /var/www/svn/users-access-file

    AuthLDAPURL ldaps://ldap_l.cisco.com:10648/ou=users,dc=sprint,dc=com?hasSubordinates,objectClass?one?(objectClass=*) SSL
    AuthLDAPBindDN "uid=admin,ou=system"

    AuthLDAPBindPassword secret

    Require ldap-group ou=users,dc=sprint,dc=com
    Require ldap-attribute gidNumber=491
</Location>

来自服务器的 LDIF 详细信息:

version: 1

dn: ou=users,dc=sprint,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
userPassword:: e1NTSEF9WlhBaEV3bmp0VmxaQjdEVjl0TE93VjdZYTc3RHZtU3FQRUFhckE9PQ==

dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_sssd_qns
gidNumber: 500
homeDirectory: /home/qns
sn: sn__sssd_qns
uid: sssd_qns
uidNumber: 500
userPassword:: e1NTSEF9Z2V5LzJaU3oxK1BPdjlpTGszMjNvTmZtNGtMVk5peGg5TC9BMHc9PQ==

dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn_sssd_pb
gidNumber: 491
homeDirectory: /home/qns-svn
sn: sn_sssd_pb
uid: sssd_pb
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ==    

我想提供对 gidNumber: 491 的读/写访问权限和对 gidNumber: 500 的只读访问权限

当我尝试上述配置时,我在 /var/log/httpd/ 中收到以下错误日志

[Wed Aug 09 06:41:23 2017] [info] [client ::1] [6813] auth_ldap authenticate: user sssd_pb authentication failed; URI /repos/configuration/ANDSF_Config [User not found][No such object]
[Wed Aug 09 06:41:23 2017] [error] [client ::1] user sssd_pb not found: /repos/configuration/ANDSF_Config

ldapsearch 查询(从‘Apache Directory Studio’的‘搜索日志’视图捕获)输出正确给出如下输出:

ldapsearch -H ldaps://ldap_l.cisco.com:10648 -x -D "uid=admin,ou=system" -W -b "ou=users,dc=sprint,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"

# extended LDIF
#
# LDAPv3
# base <ou=users,dc=sprint,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass 
#

# sssd_pb, users, sprint.com
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass:     posixAccount
objectClass:     top
objectClass:     inetOrgPerson
objectClass:     person
objectClass:     organizationalPerson

# sssd_qns, users, sprint.com
dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
objectClass:     posixAccount
objectClass:     top
objectClass:     inetOrgPerson
objectClass:     person
objectClass:     organizationalPerson

我是否知道上述配置中是否缺少某些内容,导致我无法提供基于 gidNumber 的访问?

相关内容