13

We're using Apache with mod_svn to serve the Subversion repo. Apache is hooked to an LDAP server so all users can use their domain passwords. For the build machine to be able to check out, I want to have an extra user, but I can't add one via LDAP.

Can I create a setup where the user/pwd has to match either the LDAP server or an htpasswd file?

noamtm

2 Answers

10

Try this:

```apache
AuthType Basic
AuthName "LDAP and file"
AuthBasicProvider file ldap
AuthUserFile /path/to/htpassword/file
AuthLDAPBindDN <your bind dn>
AuthLDAPBindPassword <your password>
AuthLDAPURL "<your ldap url>"
AuthzLDAPAuthoritative off
Require valid-user
Satisfy any
```

Perhaps you could switch `AuthBasicProvider file ldap` to `AuthBasicProvider ldap file`, depending on where you want to search first.

rbolkey
Christian
FWIW, "Satisfy any" in the conf resulted in no auth at all, when I tried it. Removing "Satisfy any" yields expected/desired results, though. – Keith Mar 26 '18 at 16:16
2

If you also need to check for the user being in a specific LDAP-group, you can use the following:

```apache
AuthType Basic
AuthName "LDAP and file"
AuthBasicProvider file ldap
AuthUserFile /path/to/htpassword/file
AuthLDAPBindDN <your bind dn>
AuthLDAPBindPassword <your password>
AuthLDAPURL "<your ldap url>"
AuthzLDAPAuthoritative off

AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
Require valid-user
Require ldap-group cn=svn,cn=groups,dc=ldapsvr,dc=example,dc=com
```
slm
(I know this is 5 years old but it seems wrong) As per the documentation, all Require directives are considered to be part of a RequireAny block if not in a block. Using this, your `Require ldap-group` is ignored – mveroone Nov 15 '18 at 13:37
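
An added example, not taken from either answer: the same setup written for Apache 2.4, where the two comments above apply, admitting only the build account from the htpasswd file or LDAP users in the `svn` group. The `/svn` location and the `svnbuild` user name are assumptions; the `<...>` placeholders are the ones used in the answers.

```apache
# Added example for Apache 2.4 (assumes mod_authn_file, mod_authnz_ldap
# and mod_authz_user are loaded). /svn and svnbuild are hypothetical names.
<Location /svn>
    AuthType Basic
    AuthName "LDAP and file"

    # Authentication: try the htpasswd file first, then LDAP.
    AuthBasicProvider file ldap
    AuthUserFile /path/to/htpassword/file
    AuthLDAPURL "<your ldap url>"
    AuthLDAPBindDN <your bind dn>
    AuthLDAPBindPassword <your password>

    # Group lookup settings from the second answer:
    # memberUid holds user names rather than full DNs.
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid

    # Authorization: list exactly who may get in.
    # "Require valid-user" is left out on purpose: next to the group rule it
    # would admit every authenticated user, so the group check would never
    # matter. "Satisfy any" is left out as well. AuthzLDAPAuthoritative is
    # omitted because that directive was removed in 2.4.
    <RequireAny>
        Require user svnbuild
        Require ldap-group cn=svn,cn=groups,dc=ldapsvr,dc=example,dc=com
    </RequireAny>
</Location>
```

`Require user` matches on the name regardless of which provider authenticated it, so choose a build account name that cannot collide with an LDAP uid.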