See also: Apache Tips and Tricks
At work CVS access has always been fairly open; after all, we're all friends behind the firewall … right? Well, it was decided from on high that we're a big enough company that this is no longer appropriate: “many things need to change”. The one thing I wasn't quite sure how to fix was protecting ViewCVS (a read-only web front end to CVS).
Here are my requirements:
So, being a Debian sort of fellow, I searched for all the Apache LDAP packages available to my servers:

    # apt-cache --names-only search libapache | grep -i ldap
    libapache-auth-ldap - LDAP authentication module for Apache
    libapache-authnetldap-perl - LDAP authentication for Apache+mod_perl
    libapache-authznetldap-perl - LDAP access control for Apache+mod_perl
    libapache-mod-ldap - Apache authentication via LDAP directory
I'm not a mod_perl fan, so that ruled out two, which left me with mod-ldap or auth_ldap. I did some reading. It appears that mod-ldap just stores usernames and passwords in an LDAP tree; it doesn't actually validate credentials by binding to an LDAP server (which seems mostly useless to me, but maybe I'm missing something), so that was no use to me. That left auth_ldap. I tracked down its homepage and started to despair: there was no mention of Active Directory, and since AD isn't quite normal LDAP that's usually a bad sign. I spent some more time staring listlessly at the documentation …
After gathering enough entropy I started to experiment, and in the end it was quite easy. The hardest part is wrapping your head around LDAP URLs (host, base DN, attribute, scope and filter, separated by ? characters). Once you grok that, the rest is straightforward enough.
1. Load libapache-auth-ldap into Apache (I'm assuming you know how to do this).
2. Work out the base DN your user accounts live under, e.g. cn=users,dc=domain,dc=com
3. Work out the DN of the group you want to grant access to, e.g. CN=DepartmentA,CN=Users,DC=domain,DC=com
4. Add a block like this to your Apache configuration:

    <Location /cgi-bin/viewcvs>
        AuthType Basic
        AuthName "Restricted Directory"
        AuthLDAPURL ldap://adserver.domain.com/dc=domain,dc=com?sAMAccountName?sub
        AuthLDAPBindDN anonymous@domain.com
        AuthLDAPBindPassword secretpassword
        require valid-user
    </Location>
Open up a browser and try to access your newly restricted directory. You should be prompted for a username and password, and it should only let you in if you enter a username/password combination that exists in your Active Directory.
To restrict access to members of a particular group, change the AuthLDAPURL to include a filter, like this (it should be all one long line):

    AuthLDAPURL ldap://adserver.domain.com/dc=domain,dc=com?sAMAccountName?sub?(memberOf=CN=departmentA,CN=Users,DC=domain,DC=com)

This looks a little confusing, but all you are saying is that for the URL to match a user, they must have an LDAP attribute called memberOf whose value is CN=departmentA,CN=Users,DC=domain,DC=com, in addition to having a sAMAccountName equal to the username they typed in.
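Since the LDAP URL is the whole trick, here is an added example (my own code, not from the original post or the auth_ldap module) that pulls the two AuthLDAPURLs above apart the way the Apache LDAP auth module reads them, and shows the search filter that ends up being sent to the domain controller for a given login name. The field defaults and the (&(filter)(attribute=user)) composition follow the Apache module documentation; the RFC 4515 escaping of the username, the server and domain names, and the login name jdoe are assumptions of this script.

```python
"""Decompose an AuthLDAPURL and build the per-login LDAP search filter.

Added example, not code from the original post or from the Apache module.
Assumptions: RFC 2255 URL grammar (ldap://host[:port]/basedn?attr?scope?filter),
field defaults and the (&(filter)(attr=user)) composition as documented for the
Apache LDAP auth modules, RFC 4515 escaping done here by hand, and hypothetical
names (adserver.domain.com, dc=domain,dc=com, departmentA, jdoe).
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class AuthLdapUrl:
    scheme: str      # "ldap" or "ldaps"
    host: str
    port: int
    base_dn: str     # where the user search starts
    attribute: str   # attribute compared against the Basic-auth username
    scope: str       # "one" (immediate children) or "sub" (whole subtree)
    filter: str      # extra filter ANDed with the username match


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split ldap://host[:port]/basedn?attribute?scope?filter into its fields."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    netloc, _, tail = rest.partition("/")
    host, _, port_text = netloc.partition(":")
    if not host:
        raise ValueError("missing host")
    port = int(port_text) if port_text else (636 if scheme == "ldaps" else 389)

    # At most four pieces: base DN, attribute, scope, filter.  Missing pieces
    # are empty, and a '?' inside the filter stays with the filter.
    fields = tail.split("?", 3)
    fields += [""] * (4 - len(fields))
    base_dn, attribute, scope, filt = (unquote(f) for f in fields)
    if not base_dn:
        raise ValueError("missing base DN")
    scope = scope.lower() or "sub"          # module default when the scope is omitted
    if scope not in ("one", "sub"):
        raise ValueError(f"unsupported scope: {scope!r}")
    if filt and not filt.startswith("("):   # tolerate a bare "memberOf=..." filter
        filt = f"({filt})"
    return AuthLdapUrl(scheme, host, port, base_dn,
                       attribute or "uid",          # module default attribute
                       scope,
                       filt or "(objectClass=*)")   # module default filter


# RFC 4515: these characters must be hex-escaped inside a filter value,
# otherwise a crafted login name could change the structure of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(parsed: AuthLdapUrl, username: str) -> str:
    """The filter sent to the server: the URL's filter ANDed with the username match."""
    return f"(&{parsed.filter}({parsed.attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed inputs: the two URLs from the post, plus an injection attempt.
    plain = "ldap://adserver.domain.com/dc=domain,dc=com?sAMAccountName?sub"
    group = plain + "?(memberOf=CN=departmentA,CN=Users,DC=domain,DC=com)"
    for url in (plain, group):
        parsed = parse_auth_ldap_url(url)
        print(parsed)
        for login in ("jdoe", "*", "jdoe)(memberOf=*"):
            print("  ", login, "->", search_filter(parsed, login))
```

Two things the output makes visible: the memberOf clause is ANDed with the username match, so a correct password for a user outside the group still fails, and a login name containing characters like * or ) must be escaped before it goes into the filter, which any code building the filter (the module included) has to take care of. Two caveats worth knowing before relying on this: AD's memberOf attribute lists only direct group memberships, so a user who belongs to departmentA through a nested group will not match this filter; and with a plain ldap:// URL the bind password and every user's password cross the wire to the domain controller in the clear (Basic auth likewise sends them to Apache in the clear unless the site is served over HTTPS), so use ldaps:// where the domain controller supports it. The same filter can be tried from the command line with OpenLDAP's ldapsearch and the bind account from the configuration: ldapsearch -x -H ldap://adserver.domain.com -D anonymous@domain.com -w secretpassword -b dc=domain,dc=com '(&(memberOf=CN=departmentA,CN=Users,DC=domain,DC=com)(sAMAccountName=jdoe))'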
And, more or less, that's it. You're done! Some other useful tips follow:
- Active Directory won't let you search the directory anonymously, so the AuthLDAPBindDN and AuthLDAPBindPassword directives are needed to supply an account for the user lookup. AD accepts the user@domain.com form for the bind name (as in the configuration above), so you don't have to work out that account's full DN.
- If all your users live in the Users container you can narrow the search base to it, e.g.:

    AuthLDAPURL ldap://adserver/cn=users,dc=domain,dc=com?sAMAccountName

- Apache authentication is applied to the path, not the query string (/path/to/cgi?var=value and /path/to/cgi?var=value2 are identical as far as Apache is concerned), so you can't protect repositories that are only distinguished by a query parameter. Instead, give each repository its own directory under a common root (/cvsroot/reposA and /cvsroot/reposB) and then just point ViewCVS at the root directory and let it browse from that point down. Using this scheme you get URLs like /viewcvs.cgi/reposA/module, which works nicely with Apache authentication.

♡2014 by adam shand. sharing is an act of love, please share.