LDAP Authentication not enforced with certain URLs running websvn

StackOverflow https://stackoverflow.com/questions/14679349

Domanda

I am running a Apache server (2.2.21) on my 32-bit Win7 desktop with a WebSVN 2.3.3 and Subversion 1.5.6.

Here's the problem :

If i were to navigate to http://myservername/websvn, LDAP auth will be enforced and only the users whom i allow in the config file can access it. However, if i were to navigate to http://myservername/WebSvn or /Websvn or even /webSVN, you get the idea, LDAP auth is not enforced and they allow any users, even those not specified in the config file, to enter the same websvn page.

So, how do i go about resolving this issue ?

Update : Here's my websvn.conf file. For security reasons, i have altered it to fit the post here. This particular file is called in the httpd.conf file by inserting the 'Include C:/somehwere/websvn.conf' near the end of the file.

<Location /websvn/> 
    #Redirect any requests to this page to the listing.php
    FallbackResource listing.php

    AuthLDAPBindDN "acct@xxx.com"
    AuthLDAPBindPassword "password"

    #The LDAP query URL
    AuthLDAPURL "ldap://x.x.x.x.x.x:389/DC=x,DC=x,DC=x,DC=x,DC=x?sAMAccountName?sub?(objectClass=user)" NONE

    AuthType Basic
    AuthName "Websvn"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off  

    AuthUserFile /dev/null          
    Require ldap-user user1

</Location>

Update 7/2/2013 : I was informed that should be used instead of and i have done that. The Apache documentation details the difference between and especially under the part, "What to use when". So, i modified the websvn.conv file to reflect this :

<Directory /websvn> 
        DirectoryIndex listing.php

        Options FollowSymLinks

        Order allow,deny
        Allow from all

        AuthLDAPBindDN "acct@xxx.com"
        AuthLDAPBindPassword "password"

        #The LDAP query URL
        AuthLDAPURL "ldap://x.x.x.x.x.x:389/DC=x,DC=x,DC=x,DC=x,DC=x?sAMAccountName?sub?(objectClass=user)" NONE

        AuthType Basic
        AuthName "Websvn"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off  

        Require ldap-user user1 
    </Directory>

However, i still can access my websvn even with the incorrect URL, eg./websVn and furthermore, the authentication does not kick in anymore.

Also, the page listing.php does not show. Instead, the directory listing of websvn is shown.

Can anyone please point out to me what am i doing wrong ? Thank you.

È stato utile?

Soluzione

I have resolved this by converting all incoming URL to lowercase with this line of code in my httpd.conf file.

   RewriteEngine On
   RewriteMap  lc int:tolower
   RewriteCond %{REQUEST_URI} [A-Z]
   RewriteRule (.*) ${lc:$1} [R=301,L]

For the LDAP auth to work too, i had to use the < Location > version of the websvn config file.

However, i am still puzzled as to why < Directory > does not handle case sensitivity even though Apache docs claims it does.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top