CollabNet Subversion Admins discussion: Subversion Edge - Ldap Issue

RE: Re: Subversion Edge - Ldap Issue

Author lamtrhieu (OCN Member)
Full name Hieu Lam
Date 2012-02-08 20:12:54 PST
Message Hi,

I have exactly the same issue as kimchong above. The log file says something like this:

[Wed Feb 08 12:46:38 2012] [debug] mod_authnz_ldap.c(403): [client 10.0.40.47] [3256] auth_ldap authenticate: using URL ldap://a.b.c/DC=a,DC=b,DC=c?sAMAccountName?sub?(objectClass=user)

[Wed Feb 08 12:46:38 2012] [info] [client 10.0.40.47] [3256] auth_ldap authenticate: user hieu.lam authentication failed; URI /svn/tcb [LDAP: ldap_simple_bind_s() failed][Invalid Credentials]
[Wed Feb 08 12:46:38 2012] [error] [client 10.0.40.47] user hieu.lam: authentication failure for "/svn/tcb": Password Mismatch


I notice that when the server starts, it warns:

[Thu Feb 09 14:47:32 2012] [warn] Init: (xxxx) You configured HTTP(80) on the standard HTTPS(443) port!



The only difference from kimchong is that after removing and re-entering the LDAP BindDN information many times, the authentication still fails.

I installed Subversion Edge 32-bit on a 64-bit Windows Server 2008. Can that be the source of the problem?

RE: Subversion Edge - Ldap Issue

Author terryr (OCN Member)
Full name Terry Rigby
Date 2011-10-03 18:01:46 PDT
Message I just spent a few hours trying to figure out my LDAP issues, but I think I have it figured out and the answer might help you as well. I believe what fixed the problem is that the username that is being used to authenticate with the LDAP server (at least in my case) needs to be the full user name and not their alias. For example, if you have a user named "User Name" and their alias is "usern", then the "LDAP Bind DN:" is "CN=User Name,CN=GroupName,DC=DomainName,DC=com". I also used port 389.

So, assuming that my user's name was John Doe, he was part of the "Users" group and my domain was called mydomain.com......

LDAP Security Level: None
LDAP Server Host: svnserver.mydomain.com (URL must resolve properly or use IP address)
LDAP Server Port: 389
LDAP Base DN: CN=Users,DC=mydomain,DC=com
LDAP Bind DN: CN=John Doe,CN=Users,DC=mydomain,DC=com
LDAP Bind Password: 123456
LDAP Login Attribute: sAMAccountName
LDAP Search Scope: Sub
LDAP Filter: [blank]
LDAP Server Certificate Verification: No
Console LDAP Authentication: No

I have verified that I can view the repositories via the web browser and also via an svn client.

Good Luck!!
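Added example (not Subversion Edge, Apache or any poster's code): it maps the Edge GUI fields Terry listed above onto the mod_authnz_ldap `AuthLDAPURL` and bind directives Edge generates behind the scenes, and parses the two auth_ldap error-log lines Hieu quoted earlier in the thread so failures can be counted per user and URI. The dictionary key names and the `<bind password>` placeholder are assumptions, and the sample log lines are constructed from the thread's excerpt.

```python
"""Map Subversion Edge GUI LDAP fields to mod_authnz_ldap directives and
parse the auth_ldap failure lines mod_authnz_ldap writes to the error log."""
import re
from collections import Counter

# Constructed from Terry's posted settings; these dict keys are assumed names.
EDGE_SETTINGS = {
    "host": "svnserver.mydomain.com",
    "port": 389,
    "base_dn": "CN=Users,DC=mydomain,DC=com",
    "bind_dn": "CN=John Doe,CN=Users,DC=mydomain,DC=com",
    "login_attribute": "sAMAccountName",
    "scope": "sub",
    "filter": "",            # blank in the GUI
}

def auth_ldap_url(s):
    """AuthLDAPURL syntax: ldap://host:port/basedn?attribute?scope?filter.
    mod_authnz_ldap treats an omitted filter as (objectClass=*); the debug
    line quoted in this thread shows Edge itself emitting (objectClass=user)."""
    filt = s["filter"] or "(objectClass=*)"
    return (f"ldap://{s['host']}:{s['port']}/{s['base_dn']}"
            f"?{s['login_attribute']}?{s['scope']}?{filt}")

def httpd_directives(s):
    """Directives for the <Location>; quoted so a DN containing spaces survives."""
    return [
        f'AuthLDAPURL "{auth_ldap_url(s)}"',
        f'AuthLDAPBindDN "{s["bind_dn"]}"',
        'AuthLDAPBindPassword "<bind password>"',   # placeholder, never log it
        "Require valid-user",
    ]

# The two lines mod_authnz_ldap emits for one rejected request
# (format taken from Hieu's log excerpt above).
LDAP_FAIL = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"(?:\[\d+\] )?auth_ldap authenticate: user (?P<user>\S+) authentication "
    r"failed; URI (?P<uri>\S+) \[LDAP: (?P<call>[^\]]+)\]\[(?P<reason>[^\]]+)\]")
PW_MISMATCH = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<level>error)\] \[client (?P<client>[^\]]+)\] "
    r'user (?P<user>[^:]+): authentication failure for "(?P<uri>[^"]+)": (?P<reason>.+)')

def parse_auth_log(lines):
    """Return one dict per matching line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LDAP_FAIL.search(line) or PW_MISMATCH.search(line)
        if m:
            events.append(m.groupdict())
    return events

def failures_by_user(events):
    """Count (user, URI) pairs from the LDAP-level line only, so the paired
    'Password Mismatch' error line is not counted twice. As Jack notes below,
    the LDAP reason alone does not say whether the bind DN or the user failed."""
    return Counter((e["user"], e["uri"]) for e in events if "call" in e)

# Constructed sample: the two lines Hieu quoted, for one request.
SAMPLE_LOG = [
    "[Wed Feb 08 12:46:38 2012] [info] [client 10.0.40.47] [3256] auth_ldap "
    "authenticate: user hieu.lam authentication failed; URI /svn/tcb "
    "[LDAP: ldap_simple_bind_s() failed][Invalid Credentials]",
    "[Wed Feb 08 12:46:38 2012] [error] [client 10.0.40.47] user hieu.lam: "
    'authentication failure for "/svn/tcb": Password Mismatch',
]

if __name__ == "__main__":
    print("\n".join(httpd_directives(EDGE_SETTINGS)))
    for ev in parse_auth_log(SAMPLE_LOG):
        print(ev["level"], ev["user"], ev["uri"], ev["reason"])
    print(failures_by_user(parse_auth_log(SAMPLE_LOG)))
```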

RE: Re: Subversion Edge - Ldap Issue

Author jeebitesh21 (OCN Member)
Full name Jeebitesh Kalantri
Date 2011-08-04 02:45:59 PDT
Message I have found a solution for this problem:
Just change the SVN Edge service and Apache service to run under a different account which can access the network and LDAP, like an LDAP read-only account.

RE: Subversion Edge - Ldap Issue

Author petes (OCN Member)
Full name Pete Stanley
Date 2010-09-02 10:55:22 PDT
Message Forget LDAP. Add the SSPI module to Apache and use the following guide:
http://blog.pengoworks.com/index.cfm/2007/11/1/Configuring-Windows-Authentication-with-Apache-22x-and-Subversion

You'll want to apply the changes to a copy of svn_viewvc_httpd.conf and reference that in the httpd.conf rather than the original as that one will get overwritten by Subversion Edge.

RE: Re: Subversion Edge - Ldap Issue

Author tcfujii (OCN Member)
Full name Terena Chinn-Fujii
Date 2010-08-31 16:12:58 PDT
Message Hi Kim,

I've been reading through all of the comments and am having a heck of a time trying to get Active Directory to work with Subversion Edge 1.1 as well.

Would it be possible to post your updated httpd.conf file with the updates for SSPI and what exactly you did in order to get Active Directory to work?

Thanks,
Terena

> That would be a nice feature to have...
>
> Thank you and John for all your helps and patience!

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-24 10:09:36 PDT
Message That would be a nice feature to have...

Thank you and John for all your helps and patience!

Re: Subversion Edge - Ldap Issue

Author markphip (OCN Member)
Full name Mark Phippard
Date 2010-08-24 09:09:18 PDT
Message On 8/24/10 11:54 AM, "Kim Chong" <kimchong_2000 at yahoo dot com> wrote:

> Your description of passthrough authentication is correct. Can we configure
> Edge to use SSPI?

I am considering adding that module for a future version but no concrete
plans. The module is not provided with the Apache httpd server or
maintained by the Apache Software Foundation and so we need to decide how
well maintained and reviewed it is and whether we can support it if there
are problems.

Mark

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-24 08:54:22 PDT
Message Your description of passthrough authentication is correct. Can we configure Edge to use SSPI?

Thanks for your help!

RE: Re: Subversion Edge - Ldap Issue

Author markphip (OCN Member)
Full name Mark Phippard
Date 2010-08-23 12:57:28 PDT
Message > I removed and re-entered LDAP BIND DN and for whatever reason, it seems
> to work now. I could logon and access the repository using AD credential :-(

Great. I was wondering when you were going to reply. Turned out my
email stopped working this AM and I did not realize it.

> It looks like it doesn't know how to passthrough the current credential. I
> googled and some forums say that SSPI would allow passthrough
> authentication. Does Edge use SSPI?

Edge does not use SSPI. That is different than LDAP. I am not sure
what passthrough means. Do you mean not require user to provide
credentials at all? That is what SSPI can do.

> Also, how do we restrict AD group access to the repositories?

You seem to have found the directive in another email. We do not
currently provide UI for this. You would have to find the file we
generate with the LDAP config, then copy and paste it into the
httpd.conf file and comment out the "Include" statement for that file.
Then you could add your additional directive.

> Are we supposed to make all changes through the GUI and not directly to the
> files such as authz, passwd, and svnserve.conf?

Authz is provided in the GUI. The other files you mention do not apply
as they are only used by the svnserve Server option which we do not
support. For the most part you are not expected to edit the Apache
configuration, but we have designed SVN Edge so that you can safely edit
the httpd.conf file and have those edits preserved. You need to use the
technique I described above.

Mark

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-23 11:05:41 PDT
Message In the AuthSVNAuth file, we can insert a statement called "Require ldap-group". How do we do that in Edge?

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-23 08:43:35 PDT
Message I removed and re-entered LDAP BIND DN and for whatever reason, it seems to work now. I could logon and access the repository using AD credential :-(

It looks like it doesn't know how to passthrough the current credential. I googled and some forums say that SSPI would allow passthrough authentication. Does Edge use SSPI?

Also, how do we restrict AD group access to the repositories?

Are we supposed to make all changes through the GUI and not directly to the files such as authz, passwd, and svnserve.conf?

Thanks for your patience!

Re: Subversion Edge - Ldap Issue

Author markphip (OCN Member)
Full name Mark Phippard
Date 2010-08-23 07:01:26 PDT
Message On 8/23/10 9:46 AM, "Kim Chong" <kimchong_2000 at yahoo dot com> wrote:

> Entering 3268 in LDAP Server Port will place a comma right after 3, i.e.
> 3,268. It would let me save but when I click on the link to access the
> repository, I am getting "Internal Server Error. The server encountered an
> internal error or misconfiguration and was unable to complete your request.
> Please contact..."

Did you verify this in the Apache configuration files? I know we have other
users that have used this port and in our database it is just an integer
field.

Your log file was stripped of all line endings and the masking you did of
usernames etc may have been too aggressive for us to help (hard to say for
sure).

> [2636] auth_ldap authenticate: user {user name} authentication failed; URI
> /viewvc/ [LDAP: ldap_simple_bind_s() failed][Invalid Credentials], referer:
> http://localhost:3343/csvn/ [Mon Aug 23 09:20:25 2010] [error] [client {IP
> address}] user {user name}: authentication failure for "/viewvc/": Password
> Mismatch, referer: http://localhost:3343/csvn/ [
>
> I used my own AD credential and I am very sure the password is correct. I have
> also used the AD account that I used to bind to AD but still receive the same
> error.

If you Google for the main values from the error there are a lot of hits:

http://www.google.com/search?ie=UTF-8&q=ldap_simple_bind_s()+failed][Invalid+Credentials]+Password+Mismatch

Most of them point to the BindDN and a couple of the ones using Active
Directory looked very similar to yours. Their problem was that the DN they
were specifying was not correct (and it looks like yours is the same).

See this thread as an example:

http://www.phwinfo.com/forum/alt-apache-configuration/166892-mod_authnz_ldap-not-working-help.html

The problem was that "cn=Users" was missing from both the BindDN and the
URL. Have you gone into Active Directory and brought up the account info
you are using for the BindDN and looked at the exact LDAP-style entry? You
have to have the complete DN specified.

Mark

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-23 06:46:01 PDT
Message Entering 3268 in LDAP Server Port will place a comma right after 3, i.e. 3,268. It would let me save but when I click on the link to access the repository, I am getting "Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact..."

Here is the log: (see attached file)


From this output, I believe it knows that I am using AD credentials:

[2636] auth_ldap authenticate: user {user name} authentication failed; URI /viewvc/ [LDAP: ldap_simple_bind_s() failed][Invalid Credentials], referer: http://localhost:3343/csvn/ [Mon Aug 23 09:20:25 2010] [error] [client {IP address}] user {user name}: authentication failure for "/viewvc/": Password Mismatch, referer: http://localhost:3343/csvn/ [

I used my own AD credential and I am very sure the password is correct. I have also used the AD account that I used to bind to AD but still receive the same error.

Re: Subversion Edge - Ldap Issue

Author markphip (OCN Member)
Full name Mark Phippard
Date 2010-08-23 06:17:21 PDT
Message I do not recall seeing a post where you have listed the values entered into
the configuration. I also recall it being suggested you use the Global
Catalog port of 3268. You replied that it adds a comma, but that is not
true.

In debug mode, the only error you see is still password mismatch?



On 8/23/10 9:13 AM, "Kim Chong" <kimchong_2000 at yahoo dot com> wrote:

> I used the default blanket access rule
> [/]
> *=rw
>
> and used ldap.exe utility to make sure that I could bind to the AD using the
> account that I specified in the LDAP Bind DN but I still could not access the
> repository using AD account.

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-23 06:13:14 PDT
Message I used the default blanket access rule
[/]
*=rw

and used the ldap.exe utility to make sure that I could bind to the AD using the account that I specified in the LDAP Bind DN, but I still could not access the repository using an AD account.

Re: Subversion Edge - Ldap Issue

Author markphip (OCN Member)
Full name Mark Phippard
Date 2010-08-23 05:53:31 PDT
Message On 8/23/10 8:19 AM, "Kim Chong" <kimchong_2000 at yahoo dot com> wrote:

> Can you shed some light as to how to grant AD users access to a repository?

Have you successfully configured LDAP yet? Get it working with just the
blanket access rule first.

[/]
*=rw

Mark

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-23 05:19:42 PDT
Message Mark,

Can you shed some light as to how to grant AD users access to a repository?

Re: Subversion Edge - Ldap Issue

Author jrepenning (OCN Member)
Full name Jack Repenning
Date 2010-08-21 15:01:32 PDT
Message On Aug 20, 2010, at 5:57 PM, Kim Chong wrote:

> That's one step further but that doesn't address the initial problem: accessing the repositories using LDAP credential. Do you think I need to define the AD access rights in the "Access Rules"?

Yes, your Access Rules definitely need to grant whatever rights you need. If you try to access the Subversion repositories using an account that does not have any rights in the Access Rules, then you will definitely be forbidden. I wouldn't think the specific error would be the one you're seeing here, but maybe I'm wrong about that.

As shipped, the access rules grant everyone both read and write access, which should be quite enough. But if you've narrowed that down, it might possibly be the explanation for your problems.

-==-
Jack Repenning
Chief Technology Officer
CollabNet, Inc.
8000 Marina Boulevard, Suite 600
Brisbane, California 94005
office: +1 650.228.2562
twitter: http://twitter.com/jrep

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-20 17:57:29 PDT
Message Hi Jack,

I checked the box and I was able to access the repository using the Edge admin account through the browser and the TortoiseSVN client.

That's one step further but that doesn't address the initial problem: accessing the repositories using LDAP credential. Do you think I need to define the AD access rights in the "Access Rules"?

I truly appreciate your help and patience!

Re: Subversion Edge - Ldap Issue

Author jrepenning (OCN Member)
Full name Jack Repenning
Date 2010-08-20 17:10:49 PDT
Message On Aug 20, 2010, at 12:56 PM, Kim Chong wrote:

> If you go to the "Status" button, you will find those two links there. Clicking on the link will open up a browser prompting the user to logon.

On the "Administration -> Subversion Server Settings -> Authentication" tab, do you have on or off the setting "Local authentication against an htpasswd file along with other providers"?

Here's why I ask. Looking at your story quoted just above, I think the details go like this:

1. You are logged in to the Subversion Edge console as some user with administrative rights.
2. As we've noted, that means the account by which you're administering is an Edge account, not an LDAP one (because LDAP accounts aren't allowed to administer).
3. If the option I mention above is off (unchecked), then this Edge/admin account does not have any rights within Subversion (that, I believe, is what this check box means).
4. So, when you click the link, as this Edge/admin user, you lack the rights to see that page.
5. This causes Subversion to ask you for some *other* credentials (this is standard Subversion behavior).

By contrast, in my set-up, I have the "Local auth ... along with ..." box _checked_, and the Repository Access Rules allow the user "admin" full "rw" access to all repositories. So, when *I* click those links you mention, I do *not* get a credentials prompt, I just see files.

If that's right (if checking the box enables you to click the links and see the files), you might reconsider whether you really do want to blockade the admin out of the repositories (although that's not your primary problem).

And as regards your primary problem, it would be helpful if you'd try a Subversion operation using a true Subversion client, outside the browser context.

-==-
Jack Repenning
Chief Technology Officer
CollabNet, Inc.
8000 Marina Boulevard, Suite 600
Brisbane, California 94005
office: +1 650.228.2562
twitter: http://twitter.com/jrep

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-20 12:56:18 PDT
Message I know what you meant... "Password Mismatch" is what is being displayed in the error log. The real issue is I am not able to logon using AD credentials.

That was a typo... it should be dc=, not dc- :-(

If you go to the "Status" button, you will find those two links there. Clicking on the link will open up a browser prompting the user to logon. I have tried with domain\{user name} or simply with {user name}. I know I may have typed the password wrong occasionally, but not with an account with a simple password. And I am absolutely sure that I typed in the correct user name. It was the domain account credential that it found to have "Password Mismatch".

Re: Subversion Edge - Ldap Issue

Author jrepenning (OCN Member)
Full name Jack Repenning
Date 2010-08-20 12:32:22 PDT
Message On Aug 20, 2010, at 11:53 AM, Kim Chong wrote:

> These are the options in the Role List and it appears to me that they are for console and repositories administration.

"Administration," yes, absolutely.

"Use," not so much.

> In the Repository Access Rules, I defined it as below:
> [/]
> * = rw
>
> and then I specified to use only "LDAP authentication against an LDAP server". This configuration should allow any domain users access to the repositories

Agree.

> but I kept getting "SA\\kim.chong: authentication failure for "/viewvc/stanley/": Password Mismatch, referer: http://localhost:3343/csvn/repo/list" in the error log.

Nothing in what you quote above has anything to do with "Password Mismatch." I'm not sure why you're mentioning all these things in the same post (indeed, in several posts of this thread). Maybe you're just being thorough?

As Mark just mentioned, there are two "passwords" involved in the use you describe: the "LDAP Bind Password", and the password for the particular account you want to use to access Subversion. The message you report is not clear as to which of the two is actually failing. (This is actually common in security contexts: if someone really is trying to break into your system by guessing user names and passwords, it's better if you don't give them extra hints: "The user name you used is good, but the password wasn't quite right" would be entirely too helpful!)

As Mark basically assumed and implied, but perhaps did not mention explicitly, sometimes a "bad password" message really means "bad user name." Partly, this is more of the necessary paranoia of a security system, as I just mentioned; partly it's simple necessity: given that the user-name plus password are wrong, it may not even be answerable which should be changed to match intentions. So we really have four things that might be wrong (or even, some combination of them). Given that the LDAP system is, quite properly, responding in proper (paranoid) security fashion, this gives us quite a diverse list of things to check.

My eye is drawn to your LDAP base DN configuration as "dc-domain,dc=com" (you actually wrote "dc-domain"; no doubt that typo only arose in the forum, not the configuration, but just for the record: if that typo is actually in the configuration, that could be the problem here!) You also said "when prompted for identity, I provided domain\{user name}." Are those two "domains" the same? That would be redundant, and could be the problem. Concretely, my own identity within my corporate LDAP can be expressed as

  DC=sp,DC=corp,DC=collab,DC=net
  user-name: jrepening

or

  DC=corp,DC=collab,DC=net
  user-name: sp\jrepening

but if "sp" is in both places, that fails. Is there some confusion of that sort in your case, either for the base DN or the user access?

Taking another slant: you also report:

> I tried to logon to access the repository:
> https://server.domain.com/viewvc/ and
> https://cl-s-sv-1.stanleyassociates.com/svn/

Was that "try" done with a browser, or a Subversion client? (The expected answer is "Subversion client"; browser access to those URLs is neither useful nor normal, but could result in the experiences you mention if certain other things are misconfigured. Tell me it was a Subversion client, and we can avoid going down that other rat-hole ;-)

RE: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-20 12:16:04 PDT
Message Hi Adam,

Thanks for the link.
I have seen and referred to this link before. My GUI configuration is correct. It also says to use port 3268 to query the Global Catalog, but when you enter 3268 as the port number in the "LDAP Server PORT", it places a comma right after 3 and as a result the svn server won't start.

Are you able to make it work? If you do, please share your experience.

Thanks.

RE: Subversion Edge - Ldap Issue

Author aambrose (OCN Member)
Full name Adam Ambrose
Date 2010-08-20 12:07:04 PDT
Message On Fri, 2010-08-20 at 11:22 -0700, Kim Chong wrote:

> Btw, the blog link is broken.
>

I'm no expert on the LDAP side, but can at least help out here: the
link URL got split into multiple lines. Try this instead:

http://bit.ly/bCCvx4

-Adam

RE: Re: Subversion Edge - Ldap Issue

Author kimchong (OCN Member)
Full name Kim Chong
Date 2010-08-20 11:53:43 PDT
Message Hi Jack,
These are the options in the Role List and it appears to me that they are for console and repositories administration.

Id  Authority          Description
1   ROLE_ADMIN         Super/Root Administrator (Full Privileges)
2   ROLE_USER          Basic User Authority, required for console access
3   ROLE_ADMIN_SYSTEM  System/Server Administrator
4   ROLE_ADMIN_REPO    Repositories Administrator
5   ROLE_ADMIN_USERS   User Account Administrator

In the Repository Access Rules, I defined it as below:
[/]
* = rw

and then I specified to use only "LDAP authentication against an LDAP server". This configuration should allow any domain user access to the repositories, but I kept getting "SA\\kim.chong: authentication failure for "/viewvc/stanley/": Password Mismatch, referer: http://localhost:3343/csvn/repo/list" in the error log.

Thanks for your feedback.