
I am using Apache Subversion running on Linux 7. From the front end I am using TortoiseSVN. I am trying to integrate my Subversion with the current AD, for which I have opened the /etc/httpd/conf.d directory and given the below details in the subversion.conf file. The details are mentioned below:

<location /svn>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://100.100.10.2:388/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)memberOf=CN=OBIEE_Admin,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))"
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=MACGROUP,DC=LOCAL"
AuthLDAPBindPassword welcome123@
Require valid-user
</location>

With the above conf file details, when I try to open the folders under /u01/ciroot/subversion, I am prompted with the user/password dialog box, but when giving the correct user of this group it is not authenticating and gives the below error:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

But when I edit this file as below, it works fine.

<location /svn>
DAV svn
SVNParentPath /u01/ciroot/subversion
AuthType Basic
AuthBasicProvider ldap
AuthName "Root Repo"
AuthLDAPURL "ldap://100.100.10.2:388/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*))"
AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=MACGROUP,DC=LOCAL"
AuthLDAPBindPassword welcome123@
Require valid-user
</location>

Can someone please help me with where I am going wrong? When adding the group, it is failing.

Regards

Community

1 Answer

There is a parenthesis missing in the LDAP filter. Each attr=value pair needs to be enclosed in parentheses. The string should read:

"ldap://100.100.10.2:388/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_Admin,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" None

Replace the "None" with "STARTTLS" if you want to encrypt the communication after connection. I generally start with clear text and get everything else sorted before moving over to an encrypted connection. Then any failure can be isolated to certificate/trust issues.

I would expect the clear text LDAP port to be 389 ... but if authentication is working without the filter, then there must be an unusual port mapping / port bound to the directory service.

If authentication still fails, you might try capturing the network traffic to your LDAP server on the specified port. This will show you the exact LDAP query that is being made and the response from the directory server.

LisaJ
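Added example (not code from the question, the answer, or Apache): a small Python checker that splits an AuthLDAPURL into its host, port, base DN, attribute, scope and filter fields and then validates the filter's parenthesis structure against the RFC 4515 grammar, reporting the offset at which the question's filter breaks. The URL pieces are taken from the question and the answer; the fallback values uid, sub and 389/636 are mod_authnz_ldap's documented defaults.

```python
# Added example, not from the original post: parse an AuthLDAPURL and validate
# its RFC 4515 filter so a missing parenthesis is caught before restarting httpd.
from urllib.parse import urlsplit, unquote

def parse_auth_ldap_url(url):
    """Split host:port/basedn?attribute?scope?filter; defaults uid, sub, 389/636."""
    u = urlsplit(url)
    fields = (u.query.split("?") + ["", "", ""])[:3]   # attribute, scope, filter
    return {"scheme": u.scheme, "host": u.hostname,
            "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "basedn": unquote(u.path.lstrip("/")), "attribute": fields[0] or "uid",
            "scope": fields[1] or "sub", "filter": fields[2]}

def _parse(text, pos):
    """Parse one '(' filtercomp ')' at pos; return the offset after its ')'."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|"):                     # and / or: one or more sub-filters
        pos, count = pos + 1, 0
        while text[pos:pos + 1] == "(":
            pos, count = _parse(text, pos), count + 1
        if count == 0:
            raise ValueError(f"'{op}' needs a sub-filter at offset {pos}")
    elif op == "!":                          # not: exactly one sub-filter
        pos = _parse(text, pos + 1)
    else:                                    # item: attr=value, closed by ')'
        end = text.find(")", pos)
        attr, eq, _ = text[pos:end].partition("=")
        if end < 0 or not attr or not eq:
            raise ValueError(f"item is not attr=value at offset {pos}")
        pos = end
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1

def check_filter(text):
    """Return None if text is a well-formed filter, else the first problem."""
    try:
        end = _parse(text, 0)
    except ValueError as e:
        return str(e)
    return None if end == len(text) else f"trailing text at offset {end}"

# Constructed from the URLs in the question (broken) and the answer (fixed).
GROUP = "CN=OBIEE_Admin,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL"
PREFIX = "ldap://100.100.10.2:388/DC=macgroup,DC=local?sAMAccountName?sub?"
BROKEN_URL = PREFIX + "(&(ObjectClass=*)memberOf=" + GROUP + "))"
FIXED_URL = PREFIX + "(&(ObjectClass=*)(memberOf=" + GROUP + "))"
```

Running `check_filter(parse_auth_ldap_url(BROKEN_URL)["filter"])` reports the missing "(" right after `(ObjectClass=*)`, while the answer's corrected URL passes.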
  • Hi LisaJ, thanks for replying. I added the parenthesis, and also my port is 389; I mistakenly typed 388. But after I made the changes you suggested and restarted Apache, I am now trying to access the repository. It is asking me for user/password, and when providing the user/password I am getting the below error – Amit Prasad Nov 12 '18 at 07:37
  • The error is: Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log. – Amit Prasad Nov 12 '18 at 07:40
  • I tried it with a user that is part of this group but got the error below: "AH01695: auth_ldap authenticate: user auser authentication failed; URI /svn/EBSRepo/ [LDAP: ldap_start_tls_s() failed][Connect error]". This auser is there in LDAP but I am still getting this error. Any suggestion on this? – Amit Prasad Nov 12 '18 at 09:22
  • Please share your observations on this – Amit Prasad Nov 13 '18 at 08:36
  • Below is my subversion.conf file located in the /etc/httpd/conf.d path: DAV svn SVNParentPath /u01/ciroot/subversion AuthType Basic AuthBasicProvider ldap AuthName "Root Repo" AuthLDAPURL "ldap://ldap.server.com:389/DC=macgroup,DC=local?sAMAccountName?sub?(&(ObjectClass=*)(memberOf=CN=OBIEE_Admin,OU=OBIEE,OU=Security,OU=Groups,OU=Global Resources,DC=MACGROUP,DC=LOCAL))" STARTTLS AuthLDAPBindDN "CN=oidkerbt,OU=Service Accounts,OU=Users,OU=Global Resources,DC=macgroup,DC=local" AuthLDAPBindPassword password_of_ldap_server Require valid-user – Amit Prasad Nov 13 '18 at 08:37
  • The error indicates "ldap_start_tls_s() failed" -- which is *generally* a certificate trust issue. I always set up my LDAP client connections using clear text first, get everything sorted, then switch over to STARTTLS or LDAPS. IIRC, you've got to have the signing CA's base64-encoded public key stored somewhere and add it to LDAPTrustedGlobalCert – LisaJ Nov 13 '18 at 14:19
  • Thank you. I did not do anything, but it started working. I am wondering why it was not working even though I was passing the correct user password. – Amit Prasad Nov 14 '18 at 06:58