svn - Subversion Apache2.2 LDAPS authentication failed -

-

os: redhat linux subversion: 1.5.0 apache: 2.2.17

httpd.conf:

ldapsharedcachesize 200000 ldapcacheentries 1024 ldapcachettl 600 ldapopcacheentries 1024 ldapopcachettl 600  <location /svn> dav svn svnparentpath /home/svnroot/repository authzsvnaccessfile /home/svnroot/repository/svn_access_file authtype basic authbasicprovider ldap authzldapauthoritative off authldapurl "ldaps://master.ldap.ebupt.com:636/ou=staff,dc=ebupt,dc=com?uid?sub?(objectclass=*)" ss l authname "subversion.resository" require valid-user </location>

apache error_log:

[thu feb 24 16:48:00 2011] [debug] mod_authnz_ldap.c(403): [client 10.1.85.181] [25242] auth_ldap uthenticate: using url ldaps://master.ldap.ebupt.com:636/ou=staff,dc=ebupt,dc=com?uid?sub?(objectcl ass=*) [thu feb 24 16:48:00 2011] [info] [client 10.1.85.181] [25242] auth_ldap authenticate: user jinjian kang authentication failed; uri /svn [ldap: ldap_simple_bind_s() failed][can't contact ldap server]

ping master.ldap.ebupt.com ok.

my ftp ldaps authentication ok below:

server:master.ldap.ebupt.com port:636 enable ssl:checked base dn:ou=staff,dc=ebupt,dc=com anonymous:checked search filter:(objectclass=*) user dn attribute:uid search scope:subtree

thanks.

"can't contact ldap server" can mean bunch of things, if ldap server reachable , you're using simple bind on ssl here, means apache doesn't trust certificate ldap server presenting.

you need tell apache certificate can create ssl connection.

this section of apache docs need: http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#usingssltls

the best way obtain ca certificate ca signed certificate on ldap servers, , use ldaptrustedglobalcert directive. example, 1 of boxes:

ldaptrustedglobalcert cert_base64 /etc/openldap/cacerts/cacert.pem

how go obtaining ca cert varies; ldap servers running certs signed our own ca, can ca cert. setup may different; consult whoever looks after ldap server.

you can obtain certificate ldap server presents using openssl tools:

openssl s_client -connect your.ldap.host:636 2>&1 | sed -ne '/-begin certificate-/,/-end certificate-/p'

that'll display certificate. copy (including begin certificate , end certificate) file.

now add directive:

ldaptrustedglobalcert cert_base64 /path/to/your/cert/file

to top of apache configuration. restart apache, , you're done.


Comments

Post a Comment

Popular posts from this blog

linux - Mailx and Gmail nss config dir -

-
i trying send mail linux command line using mailx command. can send local domain no problem want set mail send gmail account receive mail sent gmail account. after configuring mail.rc so: account gmail { set smtp=smtps://smtp.gmail.com:587 set smtp-auth=login set smtp-auth-user=username@gmail.com set smtp-auth-password=password set ssl-verify=ignore } i error: resolving host smtp.gmail.com . . . done. connecting 74.125.25.109 . . . connected. missing "nss-config-dir" variable. "/home/username/dead.letter" 11/354 . . . message not sent. after looking "nss-config-dir" here , located certn.db , keyn.db files , added mail.rc so: account gmail { set smtp=smtps://smtp.gmail.com:587 set smtp-auth=login set smtp-auth-user=username@gmail.com set smtp-auth-password=password set ssl-verify=ignore set nss-config-dir=/home/user/.mozilla/firefox/location.default } now when try send mail using command: echo "sent gmail account" | mailx -v -a
Read more

c# - Is it possible to remove an existing registration from Autofac container builder? -

-
something along lines: builder.registertype<mytype>().as<itype>(); builder.registertype<mytype2>().as<itype>(); builder.deregistertype<mytype>().as<itype>() var container = builder.build(); var types = container.resolve<ienumerable<itype>>(); assert.istrue(types.count == 1); assert.istrue(types[0].gettype == typeof(mytype2)); scenario: go through bunch of assemblies , go register types want make sure have 1 implementation of given type. need before create container. track on own nice if autofac me bit. this cannot done directly using containerbuilder , unless start on new one. mind you, having first built container should able construct new container filtering away unwanted types , reusing registrations first container. this: ... var container = builder.build(); builder = new containerbuilder(); var components = container.componentregistry.registrations .where(cr => cr.activator.limittype != typ
Read more

php - Mysql PK and FK char(36) vs int(10) -

-
i have read mysql can handle indexes , searches better if tables keys integers rather char(36) uuid's. is worth converting int(10)? note: use 1 server , have have plans use multiple databases concurrently therefore removing 1 of big reasons using uuid. our tables innodb if makes difference. thanks in advance. usually rdbms can handle integer keys pk more efficient, other datatypes. reason how build index column, yes: long dont require string (or other typed) keys, should use integers. however: char(36) , int(10) far away being equal, because int(10) much smaller, char(36). dont know, if require many different keys, should keep in mind. update, complete last paragraph: int(10) 32-bit, char(36) 36 - ^byte^ (= 288-bit). not mean, int consumes less space, means, char(36) has 4 times more different keys.
Read more