我们在 Apache 2.2.9(在 Debian 5.0、2.2.9-10+lenny7 中提供)中使用 mod_authnz_ldap 和 mod_authn_alias 来验证多个 Active Directory 域以托管 Subversion 存储库。我们目前的配置是:
# Turn up logging
LogLevel debug
# Define authentication providers
<AuthnProviderAlias ldap alpha>
AuthLDAPBindDN "CN=Subversion,OU=Service Accounts,O=Alpha"
AuthLDAPBindPassword [[REDACTED]]
AuthLDAPURL ldap://dc01.alpha:3268/?sAMAccountName?sub?
</AuthnProviderAlias>
<AuthnProviderAlias ldap beta>
AuthLDAPBindDN "CN=LDAPAuth,OU=Service Accounts,O=Beta"
AuthLDAPBindPassword [[REDACTED]]
AuthLDAPURL ldap://ldap.beta:3268/?sAMAccountName?sub?
</AuthnProviderAlias>
# Subversion Repository
<Location /svn>
DAV svn
SVNPath /opt/svn/repo
AuthName "Subversion"
AuthType Basic
AuthBasicProvider alpha beta
AuthzLDAPAuthoritative off
AuthzSVNAccessFile /opt/svn/authz
require valid-user
</Location>
对于同时拥有 Alpha 和 Beta 帐户的用户,我们遇到了问题,尤其是当他们的 Alpha 帐户已过期(但仍然存在;公司政策是帐户的有效期至少为 1 年)。例如,当用户x(在Alpha中已过期,在Beta中为有效账户)时,Apache错误日志报告如下:
[Tue …active-directory ldap authentication apache-2.2 mod-authn-alias
我一直在尝试使用 Apache 2.2.3 设置冗余 LDAP 服务器。
/etc/httpd/conf.d/authn_alias.conf
<AuthnProviderAlias ldap master>
AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
<AuthnProviderAlias ldap slave>
AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
/etc/httpd/conf.d/authz_ldap.conf
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
<Location />
AuthBasicProvider master slave
AuthzLDAPAuthoritative Off
AuthType Basic
AuthName "Authorization required"
AuthzLDAPMemberKey member
AuthUserFile /home/setup/svn/auth-conf
AuthzLDAPSetGroupAuth user
require valid-user
AuthzLDAPLogLevel error
</Location>
</IfModule>
如果我理解正确,mod_authz_ldap如果第一台服务器关闭或 OpenLDAP …