linux – Apache 2.4 and LDAP. Basic authentication issues

I’m using CentOS 8 Stream + Apache 2.4 + Subversion.

I want to allow access to SVN only for users who belong to a specific LDAP group (svn-users).

I have the following problems.


case 1. Enter the correct ID / PW as an LDAP user belonging to svn-users

This works as expected.

This user can access SVN.


case 2. Enter the correct ID / PW as an LDAP user that does not belong to svn-users

This does not work as expected.

I expected this user to be denied access to SVN, but in reality the user is granted access.


case 3. Enter the wrong LDAP ID / PW

500 Internal Server Error occurs.

For browsers, the Basic authentication dialog does not reappear and the user must restart the browser.


I want to solve cases 2 and 3.

Can anyone help me?

My config and log are below.

(root@my-redmine conf)# cat httpd.conf | egrep -v "^\s*#|^$"
# NOTE(review): main server configuration as posted; comment and blank lines
# were filtered out by the command that produced this listing.
ServerRoot "/etc/httpd"
# NOTE(review): only a plain-HTTP listener is visible in this listing. Unless
# TLS is terminated somewhere not shown, the Basic credentials sent to
# /svn/svn-test cross the network base64-encoded, not encrypted.
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
# Default-deny for the whole filesystem; the narrower sections below re-open
# specific paths.
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
# Keeps .htaccess / .htpasswd style files from being served.
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
    LogFormat "%h %l %u %t "%r" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
# NOTE(review): only subversion.conf is pulled in from conf.d by this line, so
# no other file in that directory is loaded through it.
IncludeOptional conf.d/subversion.conf
(root@my-redmine conf)#
(root@my-redmine conf.d)# cat subversion.conf | egrep -v "^\s*#|^$"
# NOTE(review): access control for the svn-test repository, as posted. The
# stated goal is that only members of cn=svn-users can reach it; the comments
# below mark the directives that bear on cases 2 and 3.
<Location /svn/svn-test>
    DAV svn
    SVNPath /usr/local/svn/svn-test
    # Debug level records every username and authorization decision for this
    # location; useful while investigating, worth reverting afterwards.
    LogLevel debug

    # Service-account bind credentials (redacted in the post) sit in cleartext
    # in this file, so it should be readable by root only. AuthLDAPBindPassword
    # also accepts an exec:/path/to/program value, which keeps the secret out
    # of the configuration.
    AuthLDAPBindDN <MyAdmin>
    AuthLDAPBindPassword <MyAdminPassword>
    LDAPReferrals off
    # With this off, a failed bind with the user's password is not treated as a
    # final denial (the log shows "(not authoritative)"); the request is handed
    # on to other providers. None are configured, which matches the AH01796
    # error and the 500 in case 3 instead of a fresh 401 challenge.
    AuthLDAPBindAuthoritative off
    AuthType Basic
    AuthName "Subversion repository(LDAP)"
    # Fall-through setup: with ldap as the only provider, turning this off lets
    # a failed login pass to lower-level modules rather than ending in 401.
    # NOTE(review): presumably carried over from a 2.2-era recipe; confirm it
    # is still needed.
    AuthBasicAuthoritative off
    AuthUserFile /dev/null
    AuthBasicProvider ldap
    # mod_authz_svn makes its own decision from this file. In the posted log it
    # reports "Access granted" for 'not-svnuser', while the Require ldap-group
    # below is only ever evaluated with "no authenticated user yet". That
    # suggests the path rules here, not the LDAP group, decide access (case 2).
    # NOTE(review): authzsvn.conf is not shown; check whether it grants access
    # to all users.
    AuthzSVNAccessFile /usr/local/svn/svn-test/authzsvn.conf
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    # ldap:// is unencrypted: the service-account password and every user's
    # password travel to 192.168.100.110 in cleartext. ldaps:// or STARTTLS
    # (see LDAPTrustedMode) protects them in transit.
    AuthLDAPUrl ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
    Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local
</Location>
(root@my-redmine conf.d)#
(root@my-redmine conf.d))# httpd -t -M | grep auth
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 authnz_ldap_module (shared)
 authz_svn_module (shared)
(root@my-redmine conf.d))#
(Tue Jul 20 21:56:43.046463 2021) (authz_svn:info) (pid 195900:tid 140586535274240) (client 192.168.100.120:61050) Access granted: - GET (null)
(Tue Jul 20 21:56:43.046514 2021) (authz_core:debug) (pid 195900:tid 140586535274240) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:56:43.046519 2021) (authz_core:debug) (pid 195900:tid 140586535274240) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.339879 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.339918 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.339927 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(523): (client 192.168.100.120:61050) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:56:45.343581 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(620): (client 192.168.100.120:61050) AH01697: auth_ldap authenticate: accepting svnuser
(Tue Jul 20 21:56:45.343608 2021) (authz_svn:info) (pid 195900:tid 140586518488832) (client 192.168.100.120:61050) Access granted: 'svnuser' GET (null)
(Tue Jul 20 21:56:45.343845 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.343852 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.343858 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(523): (client 192.168.100.120:61050) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:56:45.343869 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(620): (client 192.168.100.120:61050) AH01697: auth_ldap authenticate: accepting svnuser
(Tue Jul 20 21:56:45.343876 2021) (authz_svn:debug) (pid 195900:tid 140586518488832) subversion/mod_authz_svn/mod_authz_svn.c(450): (client 192.168.100.120:61050) Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
(Tue Jul 20 21:56:45.343905 2021) (authz_svn:info) (pid 195900:tid 140586518488832) (client 192.168.100.120:61050) Access granted: 'svnuser' GET svn-test:/branches
(Tue Jul 20 21:56:45.343929 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.343942 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.343946 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(523): (client 192.168.100.120:61050) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:56:45.343953 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(620): (client 192.168.100.120:61050) AH01697: auth_ldap authenticate: accepting svnuser
(Tue Jul 20 21:56:45.343958 2021) (authz_svn:debug) (pid 195900:tid 140586518488832) subversion/mod_authz_svn/mod_authz_svn.c(450): (client 192.168.100.120:61050) Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
(Tue Jul 20 21:56:45.343961 2021) (authz_svn:info) (pid 195900:tid 140586518488832) (client 192.168.100.120:61050) Access granted: 'svnuser' GET svn-test:/tags
(Tue Jul 20 21:56:45.343974 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.343977 2021) (authz_core:debug) (pid 195900:tid 140586518488832) mod_authz_core.c(820): (client 192.168.100.120:61050) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:56:45.343980 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(523): (client 192.168.100.120:61050) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:56:45.343987 2021) (authnz_ldap:debug) (pid 195900:tid 140586518488832) mod_authnz_ldap.c(620): (client 192.168.100.120:61050) AH01697: auth_ldap authenticate: accepting svnuser
(Tue Jul 20 21:56:45.343991 2021) (authz_svn:debug) (pid 195900:tid 140586518488832) subversion/mod_authz_svn/mod_authz_svn.c(450): (client 192.168.100.120:61050) Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
(Tue Jul 20 21:56:45.343994 2021) (authz_svn:info) (pid 195900:tid 140586518488832) (client 192.168.100.120:61050) Access granted: 'svnuser' GET svn-test:/trunk
(Tue Jul 20 21:55:55.187406 2021) (authz_svn:info) (pid 195900:tid 140586669557504) (client 192.168.100.120:56967) Access granted: - GET (null)
(Tue Jul 20 21:55:55.187474 2021) (authz_core:debug) (pid 195900:tid 140586669557504) mod_authz_core.c(820): (client 192.168.100.120:56967) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:55:55.187484 2021) (authz_core:debug) (pid 195900:tid 140586669557504) mod_authz_core.c(820): (client 192.168.100.120:56967) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:55:58.763087 2021) (authz_core:debug) (pid 195900:tid 140586635986688) mod_authz_core.c(820): (client 192.168.100.120:56967) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:55:58.763150 2021) (authz_core:debug) (pid 195900:tid 140586635986688) mod_authz_core.c(820): (client 192.168.100.120:56967) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:55:58.763159 2021) (authnz_ldap:debug) (pid 195900:tid 140586635986688) mod_authnz_ldap.c(523): (client 192.168.100.120:56967) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:55:58.765260 2021) (authnz_ldap:debug) (pid 195900:tid 140586635986688) mod_authnz_ldap.c(561): (client 192.168.100.120:56967) AH01694: auth_ldap authenticate: user svnuser authentication failed; URI /svn/svn-test/ (ldap_simple_bind() to check user credentials failed)(Invalid credentials) (not authoritative)
(Tue Jul 20 21:55:58.765297 2021) (authn_core:error) (pid 195900:tid 140586635986688) (client 192.168.100.120:56967) AH01796: AuthType Basic configured without corresponding module
(Tue Jul 20 21:57:46.345179 2021) (authz_svn:info) (pid 195900:tid 140586577237760) (client 192.168.100.120:61657) Access granted: - GET (null)
(Tue Jul 20 21:57:46.345227 2021) (authz_core:debug) (pid 195900:tid 140586577237760) mod_authz_core.c(820): (client 192.168.100.120:61657) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:57:46.345231 2021) (authz_core:debug) (pid 195900:tid 140586577237760) mod_authz_core.c(820): (client 192.168.100.120:61657) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.242776 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.242818 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.242828 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(523): (client 192.168.100.120:51105) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:57:52.242843 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(620): (client 192.168.100.120:51105) AH01697: auth_ldap authenticate: accepting not-svnuser
(Tue Jul 20 21:57:52.242854 2021) (authz_svn:info) (pid 195902:tid 140586619234048) (client 192.168.100.120:51105) Access granted: 'not-svnuser' GET (null)
(Tue Jul 20 21:57:52.243059 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.243069 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.243074 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(523): (client 192.168.100.120:51105) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:57:52.243080 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(620): (client 192.168.100.120:51105) AH01697: auth_ldap authenticate: accepting not-svnuser
(Tue Jul 20 21:57:52.243104 2021) (authz_svn:debug) (pid 195902:tid 140586619234048) subversion/mod_authz_svn/mod_authz_svn.c(450): (client 192.168.100.120:51105) Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
(Tue Jul 20 21:57:52.243190 2021) (authz_svn:info) (pid 195902:tid 140586619234048) (client 192.168.100.120:51105) Access granted: 'not-svnuser' GET svn-test:/branches
(Tue Jul 20 21:57:52.243215 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.243220 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.243224 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(523): (client 192.168.100.120:51105) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:57:52.243231 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(620): (client 192.168.100.120:51105) AH01697: auth_ldap authenticate: accepting not-svnuser
(Tue Jul 20 21:57:52.243235 2021) (authz_svn:debug) (pid 195902:tid 140586619234048) subversion/mod_authz_svn/mod_authz_svn.c(450): (client 192.168.100.120:51105) Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
(Tue Jul 20 21:57:52.243238 2021) (authz_svn:info) (pid 195902:tid 140586619234048) (client 192.168.100.120:51105) Access granted: 'not-svnuser' GET svn-test:/tags
(Tue Jul 20 21:57:52.243248 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of Require ldap-group cn=svn-users,ou=Groups,dc=my,dc=svn,dc=local: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.243251 2021) (authz_core:debug) (pid 195902:tid 140586619234048) mod_authz_core.c(820): (client 192.168.100.120:51105) AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
(Tue Jul 20 21:57:52.243254 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(523): (client 192.168.100.120:51105) AH01691: auth_ldap authenticate: using URL ldap://192.168.100.110/ou=People,dc=my,dc=svn,dc=local?uid
(Tue Jul 20 21:57:52.243261 2021) (authnz_ldap:debug) (pid 195902:tid 140586619234048) mod_authnz_ldap.c(620): (client 192.168.100.120:51105) AH01697: auth_ldap authenticate: accepting not-svnuser
(Tue Jul 20 21:57:52.243265 2021) (authz_svn:debug) (pid 195902:tid 140586619234048) subversion/mod_authz_svn/mod_authz_svn.c(450): (client 192.168.100.120:51105) Path to authz file is /usr/local/svn/svn-test/authzsvn.conf
(Tue Jul 20 21:57:52.243274 2021) (authz_svn:info) (pid 195902:tid 140586619234048) (client 192.168.100.120:51105) Access granted: 'not-svnuser' GET svn-test:/trunk