We're using mod_authnz_ldap and mod_authn_alias in Apache 2.2.9 (as shipped in Debian 5.0, 2.2.9-10+lenny7) to authenticate against multiple Active Directory domains for hosting a Subversion repository. Our current configuration is:
# Turn up logging
LogLevel debug
# Define authentication providers
<AuthnProviderAlias ldap alpha>
AuthLDAPBindDN "CN=Subversion,OU=Service Accounts,O=Alpha"
AuthLDAPBindPassword [[REDACTED]]
AuthLDAPURL ldap://dc01.alpha:3268/?sAMAccountName?sub?
</AuthnProviderAlias>
<AuthnProviderAlias ldap beta>
AuthLDAPBindDN "CN=LDAPAuth,OU=Service Accounts,O=Beta"
AuthLDAPBindPassword [[REDACTED]]
AuthLDAPURL ldap://ldap.beta:3268/?sAMAccountName?sub?
</AuthnProviderAlias>
# Subversion Repository
<Location /svn>
DAV svn
SVNPath /opt/svn/repo
AuthName "Subversion"
AuthType Basic
AuthBasicProvider alpha beta
AuthzLDAPAuthoritative off
AuthzSVNAccessFile /opt/svn/authz
require valid-user
</Location>
We're encountering issues with users that have accounts in both Alpha and Beta, especially when their accounts in Alpha are expired (but still present; company policy is that the accounts live on for at a minimum of 1 year). For example, when the user x (which has en expired account in Alpha, and a valid account in Beta), the Apache error log reports the following:
[Tue May 11 13:42:07 2010] [debug] mod_authnz_ldap.c(377): [client 10.1.1.104] [14817] auth_ldap authenticate: using URL ldap://dc01.alpha:3268/?sAMAccountName?sub?
[Tue May 11 13:42:08 2010] [warn] [client 10.1.1.104] [14817] auth_ldap authenticate: user x authentication failed; URI /svn/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Tue May 11 13:42:08 2010] [error] [client 10.1.1.104] user x: authentication failure for "/svn/": Password Mismatch
[Tue May 11 13:42:08 2010] [debug] mod_deflate.c(615): [client 10.1.1.104] Zlib: Compressed 527 to 359 : URL /svn/
Attempting to authenticate as a non-existant user (nobodycool) results in the correct behavior of querying both LDAP servers:
[Tue May 11 13:42:40 2010] [debug] mod_authnz_ldap.c(377): [client 10.1.1.104] [14815] auth_ldap authenticate: using URL ldap://dc01.alpha:3268/?sAMAccountName?sub?
[Tue May 11 13:42:40 2010] [warn] [client 10.1.1.104] [14815] auth_ldap authenticate: user nobodycool authentication failed; URI /svn/ [User not found][No such object]
[Tue May 11 13:42:40 2010] [debug] mod_authnz_ldap.c(377): [client 10.1.1.104] [14815] auth_ldap authenticate: using URL ldap://ldap.beta:3268/?sAMAccountName?sub?
[Tue May 11 13:42:44 2010] [warn] [client 10.1.1.104] [14815] auth_ldap authenticate: user nobodycool authentication failed; URI /svn/ [User not found][No such object]
[Tue May 11 13:42:44 2010] [error] [client 10.1.1.104] user nobodycool not found: /svn/
[Tue May 11 13:42:44 2010] [debug] mod_deflate.c(615): [client 10.1.1.104] Zlib: Compressed 527 to 359 : URL /svn/
How do I configure Apache to correctly query Beta if it encounters an expired account in Alpha?
The
AuthzLDAPAuthoritative off
directive will let authentication fall through to the next module only if the user cannot be matched to a DN in the query. Currently even though the user is expired, it seems that their account will still be returned as a result when the LDAP query is performed.I don't know enough about the ActiveDirectory LDAP schema to give a definite answer here, but if you could add a filter to your
AuthLDAPURL
directive that filters out expired accounts it should result in the username not matching any DN in the query. This should result in the authentication falling through to the next module.