mod_authnz_ldap: Using userPrincipalName and sAMAccountName with AuthzSVNAccessFile

Question

this is my first post here, so please be kind with me ...

We have apache managing access for our subversion server. Currently users can only log in with their sAMAccountName, but since userPrincipalName (email address) is gradually becoming the main ID for most logins, we would like to support that as well as keeping support for sAMAccountName.

The current approach which looks as follows has the disadvantage that both user names - sAMAccountName and userPrincipalName - have to be speficied in the svnaccessfile:

<AuthnProviderAlias ldap ldap-sAMAccountName>
    AuthLDAPBindDN "CN=d-svn-ldap,OU=IT-050,OU=Service Accounts,OU=Accounts,OU=Domain Administration,DC=cds,DC=company"
    AuthLDAPBindPassword ***
    AuthLDAPUrl "ldap://server.company:3268/DC=cds,DC=company?sAMAccountName?sub?(objectclass=user)"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-userprincipalname>
    AuthLDAPBindDN "CN=d-svn-ldap,OU=IT-050,OU=Service Accounts,OU=Accounts,OU=Domain Administration,DC=cds,DC=company"
    AuthLDAPBindPassword ***
    AuthLDAPUrl "ldap://server.company:3268/DC=cds,DC=company?userPrincipalName?sub?(objectclass=user)"
</AuthnProviderAlias>

<Location "/our_repo">
DAV svn
SVNPath /svn/repos/our_repo
SVNListParentPath on

AuthzSVNAccessFile /etc/apache2/conf-available/authz_repository_our_repo
Options Indexes Followsymlinks

AuthBasicProvider ldap-sAMAccountName  ldap-userprincipalname

AuthType Basic
AuthName "LDAP authentication"
Require valid-user
# Note that Require ldap-* would not work here, since the
# AuthnProviderAlias does not provide the config to authorization providers
# that are implemented in the same module as the authentication provider.
</Location>

So I'm looking for a way to be able to only specify userPrincipalNames in the svnaccessfile. I was hoping that AuthLDAPRemoteUserAttribute might help here, so I added AuthLDAPRemoteUserAttribute userPrincipalName to ldap-sAMAccountName which lead to this message in error.log:

auth_ldap authenticate: REMOTE_USER was to be set with attribute 'userPrincipalName', but this attribute was not requested for in the LDAP query for the user. REMOTE_USER will fall back to username or DN as appropriate.

Is this the right approach? Is this even possible?

Thanks

Flo

Answer 1

Inspired by https://svn.haxx.se/users/archive-2010-04/0011.shtml we gave it another try and found a solution on how to query ldap for two fields:

<AuthnProviderAlias ldap ldap-sAMAccountName>
    AuthLDAPBindDN "CN=d-svn-ldap,OU=IT-050,OU=Service Accounts,OU=Accounts,OU=Domain Administration,DC=cds,DC=company"
    AuthLDAPBindPassword ***
    AuthLDAPRemoteUserIsDN on
    AuthLDAPUrl "ldap://server.company:3268/DC=cds,DC=company?sAMAccountName,userPrincipalName?sub?(objectclass=*)"
    AuthLDAPRemoteUserAttribute userPrincipalName
</AuthnProviderAlias>

The last line turns REMOTE_USER into the content of userPrincipalName.

Since userPrincipalName in our company contains email adresses with some uppercase letters, we have to use the exact same casing of email addresses in the svnaccessfile.

In order to only use userPrincipalName and not what the user entered (REMOTE_USER) we also had to specify AuthLDAPRemoteUserAttribute for the other AutnProviderAlias:

<AuthnProviderAlias ldap ldap-userprincipalname>
    AuthLDAPBindDN "CN=d-svn-ldap,OU=IT-050,OU=Service Accounts,OU=Accounts,OU=Domain Administration,DC=cds,DC=company"
    AuthLDAPBindPassword ***
    AuthLDAPUrl "ldap://server.company:3268/DC=cds,DC=company?userPrincipalName?sub?(objectclass=user)"
    AuthLDAPRemoteUserAttribute userPrincipalName
</AuthnProviderAlias>

We also had to change the order of providers:

AuthBasicProvider ldap-userprincipalname ldap-sAMAccountName  

Side notices: error.log only shows rejections due to ldap results, missing permissions in svnaccessfile do not show up there. Therefore changes in svn accessfile are visible without restarting apache or deleting the browser login.