I'm using CentOS 8 Stream + Apache 2.4 + Subversion.
I want to allow access to SVN only for users who belong to a specific LDAP group (svn-users).
I have the following problems.
case 1. Enter the correct ID / PW as an LDAP user belonging to svn-users
This works as expected.
This user can access SVN.
case 2. Enter the correct ID / PW as an LDAP user that does not belong to svn-users
This does not work as expected.
I expected that this user could not access SVN, but in reality it can.
case 3. Enter the wrong LDAP ID / PW
A 500 Internal Server Error occurs.
For browsers, the Basic authentication dialog does not reappear and the user must restart the browser.
I want to solve cases 2 and 3.
Can anyone help me?
My config and log are below.
/etc/httpd/conf/httpd.conf
[root@my-redmine conf]# cat httpd.conf | egrep -v "^\s*#|^$"
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/subversion.conf
[root@my-redmine conf]#

/etc/httpd/conf.d/subversion.conf
[root@my-redmine conf.d]# cat subversion.conf | egrep -v "^\s*#|^$"
<Location /svn/svn-test>
    DAV svn
    SVNPath /usr/local/svn/svn-test
    LogLevel debug
    AuthLDAPBindDN <MyAdmin>
    AuthLDAPBindPassword <MyAdminPassword>
    LDAPReferrals off
    AuthLDAPBindAuthoritative off
    AuthType Basic
    AuthName "Subversion repository(LDAP)"
    AuthBasicAuthoritative off
    AuthUserFile /dev/null
    AuthBasicProvider ldap
    AuthzSVNAccessFile /usr/local/svn/svn-test/authzsvn.conf
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPUrl ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
    Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local
</Location>
[root@my-redmine conf.d]#

module include
[root@my-redmine conf.d]]# httpd -t -M | grep auth
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 authnz_ldap_module (shared)
 authz_svn_module (shared)
[root@my-redmine conf.d]]#

case 1 error_log
[Tue Jul 20 21:56:43.046463 2021] [authz_svn:info] [pid 195900:tid 140586535274240] [client 192.168.100.120:61050] Access granted: - GET (null)
[Tue Jul 20 21:56:43.046514 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:43.046519 2021] [authz_core:debug] [pid 195900:tid 140586535274240] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339879 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339918 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.339927 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343581 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343608 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET (null)
[Tue Jul 20 21:56:45.343845 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343852 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343858 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343869 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343876 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343905 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/branches
[Tue Jul 20 21:56:45.343929 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343942 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343946 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343953 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343958 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343961 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/tags
[Tue Jul 20 21:56:45.343974 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343977 2021] [authz_core:debug] [pid 195900:tid 140586518488832] mod_authz_core.c(820): [client 192.168.100.120:61050] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:56:45.343980 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(523): [client 192.168.100.120:61050] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:56:45.343987 2021] [authnz_ldap:debug] [pid 195900:tid 140586518488832] mod_authnz_ldap.c(620): [client 192.168.100.120:61050] AH01697: auth_ldap authenticate: accepting svnuser
[Tue Jul 20 21:56:45.343991 2021] [authz_svn:debug] [pid 195900:tid 140586518488832] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:61050] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:56:45.343994 2021] [authz_svn:info] [pid 195900:tid 140586518488832] [client 192.168.100.120:61050] Access granted: 'svnuser' GET svn-test:/trunk

case 2 error_log
[Tue Jul 20 21:57:46.345179 2021] [authz_svn:info] [pid 195900:tid 140586577237760] [client 192.168.100.120:61657] Access granted: - GET (null)
[Tue Jul 20 21:57:46.345227 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:46.345231 2021] [authz_core:debug] [pid 195900:tid 140586577237760] mod_authz_core.c(820): [client 192.168.100.120:61657] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242776 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242818 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.242828 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.242843 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.242854 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET (null)
[Tue Jul 20 21:57:52.243059 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243069 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243074 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243080 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243104 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243190 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/branches
[Tue Jul 20 21:57:52.243215 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243220 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243224 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243231 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243235 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243238 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/tags
[Tue Jul 20 21:57:52.243248 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243251 2021] [authz_core:debug] [pid 195902:tid 140586619234048] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:57:52.243254 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(523): [client 192.168.100.120:51105] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:57:52.243261 2021] [authnz_ldap:debug] [pid 195902:tid 140586619234048] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[Tue Jul 20 21:57:52.243265 2021] [authz_svn:debug] [pid 195902:tid 140586619234048] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.168.100.120:51105] Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
[Tue Jul 20 21:57:52.243274 2021] [authz_svn:info] [pid 195902:tid 140586619234048] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/trunk

case 3 error_log
[Tue Jul 20 21:55:55.187406 2021] [authz_svn:info] [pid 195900:tid 140586669557504] [client 192.168.100.120:56967] Access granted: - GET (null)
[Tue Jul 20 21:55:55.187474 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:55.187484 2021] [authz_core:debug] [pid 195900:tid 140586669557504] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763087 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763150 2021] [authz_core:debug] [pid 195900:tid 140586635986688] mod_authz_core.c(820): [client 192.168.100.120:56967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jul 20 21:55:58.763159 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(523): [client 192.168.100.120:56967] AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
[Tue Jul 20 21:55:58.765260 2021] [authnz_ldap:debug] [pid 195900:tid 140586635986688] mod_authnz_ldap.c(561): [client 192.168.100.120:56967] AH01694: auth_ldap authenticate: user svnuser authentication failed; URI /svn/svn-test/ [ldap_simple_bind() to check user credentials failed][Invalid credentials] (not authoritative)
[Tue Jul 20 21:55:58.765297 2021] [authn_core:error] [pid 195900:tid 140586635986688] [client 192.168.100.120:56967] AH01796: AuthType Basic configured without corresponding module
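
An added example, not part of the original post: a Python audit of error_log lines in the format shown above that lists users mod_authz_svn granted access to on a connection where no `Require ldap-group` result of `granted` was ever logged. The sample lines are constructed, and correlating entries by the `[client ip:port]` field is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed, shortened lines in the format of the error_log excerpts above.
# The client on port 40001 is a constructed contrast case with a "granted" result.
SAMPLE_LOG = """\
[authz_core:debug] [pid 1:tid 1] mod_authz_core.c(820): [client 192.168.100.120:51105] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
[authnz_ldap:debug] [pid 1:tid 1] mod_authnz_ldap.c(620): [client 192.168.100.120:51105] AH01697: auth_ldap authenticate: accepting not-svnuser
[authz_svn:info] [pid 1:tid 1] [client 192.168.100.120:51105] Access granted: 'not-svnuser' GET svn-test:/trunk
[authz_core:debug] [pid 1:tid 2] mod_authz_core.c(820): [client 192.168.100.120:40001] AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: granted
[authz_svn:info] [pid 1:tid 2] [client 192.168.100.120:40001] Access granted: 'svnuser' GET svn-test:/trunk
"""

CLIENT = re.compile(r"\[client ([^\]]+)\]")
GROUP_RESULT = re.compile(r"AH01626: authorization result of Require ldap-group \S+: (\w+)")
# Anonymous grants are logged as "Access granted: - ..." (no quotes) and are skipped.
SVN_GRANT = re.compile(r"\[authz_svn:info\].*Access granted: '([^']+)' \S+ (\S+)")

def ungated_grants(log_text):
    """Return {(client, user): [paths]} for mod_authz_svn grants on connections
    where no 'Require ldap-group' evaluation ever logged 'granted'."""
    group_ok = set()            # clients with a logged ldap-group "granted"
    grants = defaultdict(list)  # (client, user) -> paths granted by authz_svn
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue
        client = m.group(1)     # assumption: one ip:port identifies one session
        res = GROUP_RESULT.search(line)
        if res and res.group(1) == "granted":
            group_ok.add(client)
        g = SVN_GRANT.search(line)
        if g:
            grants[(client, g.group(1))].append(g.group(2))
    return {k: v for k, v in grants.items() if k[0] not in group_ok}

if __name__ == "__main__":
    for (client, user), paths in ungated_grants(SAMPLE_LOG).items():
        print(f"{user} via {client}: granted {paths} without ldap-group 'granted'")
```

Run over the case 1 and case 2 excerpts above, it reports both svnuser and not-svnuser, because every ldap-group result logged there is "denied (no authenticated user yet)".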