I currently have a setup where I work that lets users use their Active Directory domain logins and passwords to authenticate and authorize access to Subversion. Currently I need to allow application accounts the same access. So our IT group creates application accounts in the Active Directory for us to use. But they want to be "secure", so they set the "Workstations Allowed"/userWorkstations attribute to only a limited number of workstations. So when an application account hits the apache2 server for authentication, it can't log in for some reason, and I'm having a heck of a time trying to debug. The error logs only show me:
[Tue Apr 06 11:24:25 2010] [warn] [client 24.24.24.24] [3469] auth_ldap authenticate: user appuser13 authentication failed; URI /svn [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Tue Apr 06 11:24:25 2010] [error] [client 24.24.24.24] user appuser13: authentication failure for "/svn": Password Mismatch
I've checked the password numerous times and it appears to be correct but I can't seem to get the user to authenticate properly. Below is a snippet of the apache configuration for ldap:
# Auth providers
# Active Directory
<AuthnProviderAlias ldap ldap1>
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://dmain.company.com:389/dc=dmain,dc=company,dc=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=svnuser13,OU=Application Accounts,dc=dmain,dc=teradata,dc=com"
  AuthLDAPBindPassword secret3
</AuthnProviderAlias>
# Another set of users from a different group
<AuthnProviderAlias ldap ldap2>
  AuthBasicProvider ldap
  AuthLDAPURL ldap://diffldapserver:389/dc=specialusers,dc=com?uid
</AuthnProviderAlias>
# Another set of users from a different group
<AuthnProviderAlias file file1>
  AuthUserFile /var/svn/auth/htpasswd
</AuthnProviderAlias>
<Location /svn>
  DAV svn
  SVNPath /var/svn
  Satisfy Any
  Require valid-user
  AuthType Basic
  AuthName "SVN Repository"
  AuthBasicProvider ldap1 file1 ldap2
  AuthzSVNAccessFile /var/svn/auth/access
  AuthzLDAPAuthoritative on
  Require valid-user
</Location>
Any help, like tips for debugging is appreciated!
I seem to think this might be related to the NetBIOS name resolution. In Windows I think it broadcasts and registers this properly, but in Linux I know it's not the default. So I'm guessing the domain server rejects all requests from this host since it doesn't know it by name. I tried the ldapsearch program in Linux and it rejected it, so I tend to think this is the issue. I'm waiting on some others to help me test this locally, but I thought I'd throw that out there in case anyone has an opinion on it.
When you're doing LDAP logins, the workstation being logged into is the server providing the LDAP service. To do what you want, you'll have to add dmain and diffldapserver to the 'allow logins from' tab on those users. Is your Apache server in the list of workstations users can log on from?
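The behaviour this answer describes, as an added example that is not part of the original thread: a small model of how the userWorkstations ("Log On To") allow list is evaluated when the logon is an LDAP simple bind, so the DC's own name has to be on the list. The account, workstation and DC names are constructed; the DC names mirror the hosts named in the answer.

```python
"""Model of Active Directory's userWorkstations check for an LDAP simple bind.

Added example for this thread, not code from the original post. All names
(appuser13's allow list, BUILD01/BUILD02, DMAIN, DIFFLDAPSERVER) are constructed.
"""


def parse_user_workstations(value):
    """userWorkstations is one comma-separated string of NetBIOS computer names.
    An absent or empty value means the account is not restricted at all."""
    if not value:
        return set()
    return {name.strip().upper() for name in value.split(",") if name.strip()}


def bind_allowed(user_workstations, dc_netbios_name):
    """An LDAP simple bind carries no client workstation name, so the DC
    evaluates the restriction against its own NetBIOS name (the behaviour the
    answer above relies on). Case-insensitive, like the real check."""
    allowed = parse_user_workstations(user_workstations)
    return not allowed or dc_netbios_name.upper() in allowed


def diagnose(user_workstations, dc_netbios_names):
    """Return the DC names missing from the allow list: binds through those
    servers fail with 'Invalid credentials' even when the password is right."""
    allowed = parse_user_workstations(user_workstations)
    if not allowed:
        return []
    return sorted(dc.upper() for dc in dc_netbios_names if dc.upper() not in allowed)


# Constructed entry: IT limited the application account to two build hosts.
APPUSER13 = {"sAMAccountName": "appuser13", "userWorkstations": "BUILD01,BUILD02"}
DCS = ["DMAIN", "DIFFLDAPSERVER"]

if __name__ == "__main__":
    current = APPUSER13["userWorkstations"]
    print("bind via DMAIN allowed:", bind_allowed(current, "dmain"))
    missing = diagnose(current, DCS)
    print("add to Log On To:", ", ".join(missing))
    # Applying the answer's fix: append the DC names to the allow list.
    fixed = current + "," + ",".join(missing)
    print("bind via DMAIN after fix:", bind_allowed(fixed, "dmain"))
```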
Assuming that your Apache server is a *nix box, does it have an account in LDAP/AD?
Have you tried logging into an interactive session with that (those) account(s) to get the profile built? (This is a long-shot)