We use LDAP for Subversion access using Apache httpd. We originally had all of our Subversion repositories accessible by all users using the following:
<Location /src>
DAV svn
SVNParentPath /opt/svn_repos
AuthType basic
AuthName "SVN Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_acct,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require valid-user
</Location>
Everything was fine. I was asked to move the CM repository to a different location, and make it accessible for only people in the CM group. I did the following:
<Location /cm>
DAV svn
SVNPath /opt/cm_svn_repos
AuthType basic
AuthName "CM Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_acct,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require group CN=cm-group,OU=Groups,DC=mycorp,DC=com
</Location>
I spent a couple of hours on this before realizing that I was using mod_authnz_ldap and not plain ol' mod_auth_ldap. Thus, I needed ldap-group
instead of group
in my Require
statement. That worked.
My coworker informed me that there was a reason why we used mod_authnz_ldap and not mod_auth_ldap, but he couldn't remember why. We looked up the Apache httpd documentation, but the documentation provides no clues why you'd use one over the other.
So, what is the difference between mod_auth_ldap and mod_authnz_ldap, and why would you use one over the other?
Anyone else who came across this question. It has to do with the newer versions of Apache httpd. My confusion stemmed from the changes between version 2.1 and 2.2 of httpd. Since I had Apache 2.2, I was suppose to use the new framework:
mod_auth_ldap
is for Apache versions before 2.2mod_authnz_ldap
is for Apache versions 2.2 and later.Modules in the aaa directory have been renamed and offer better support for digest authentication. For example,
mod_auth
is now split intomod_auth_basic
andmod_authn_file
;mod_auth_dbm
is now calledmod_authn_dbm
;mod_access
has been renamedmod_authz_host
. There is also a newmod_authn_alias
(already removed from 2.3/2.4) module for simplifying certain authentication configurations.
This module is a port of the 2.0 mod_auth_ldap module to the 2.2 Authn/Authz framework. New features include using LDAP attribute values and complicated search filters in the Require directive.
The bundled authentication and authorization modules have been renamed along the following lines:
mod_auth_*
-> Modules that implement an HTTP authentication mechanismmod_authn_*
-> Modules that provide a backend authentication providermod_authz_*
-> Modules that implement authorization (or access)mod_authnz_*
-> Module that implements both authentication & authorization