Active Directory and Subversion - Fixing the case-sensitive username problem

nospam@example.com (Jason Fried) — Thu, 10 Jun 2010 16:11:44 -0500

If you are running Subversion under Apache HTTPD and you are using the basic ldap provider to connect to Active Directory, then you know that Active Directory will let you authenticate using any case as long as the password matches. Normally this would not be a problem, as most of the time people do not add capitalization to their login names. Where this becomes a problem is when your using an "sn authz" file, which is case-sensitive.

joe.user = rw

this will not match if he logs in with "Joe.User". I became tired of telling people to use only lower-case that I decided to fix the problem for good. I had two possible solutions, patch Subversion or Make a custom authentication provider for Apache. The Apache route sounded easier and not prone to breaking next Subversion update. I already had mod_perl installed so it was quite easy to setup using Apache::AuthenHook.

So first thing you need to do is create a lib folder somewhere to hold your basic provider pm file. I have a pretty organized subversion setup so i just created lib folder in my subversion root.

[jfried@svn01]:/> cat /infrastructure/source/lib/Fried/LDAPProvider.pm
package Fried::LDAPProvider;
use Net::LDAP;
use Apache2::RequestRec;
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
use strict;

sub handler {
    my ($r, $user, $password) = @_;
    my $ldap = Net::LDAP->new ('ldaps://DOMAIN') 
                                       or return Apache2::Const::DECLINED;
    my $mesg = $ldap->bind("$user@DOMAIN", password => $password );
    $mesg->code && return Apache2::Const::DECLINED;
    if ($mesg->{resultCode} == 0) {
        $r->user(lc $user);
        return Apache2::Const::OK;
    }
    $ldap->unbind;

    return Apache2::Const::DECLINED;
}
1;

Just Update DOMAIN with your Active Directory Domain name. The important part that fixes the problem is the $r->user(lc $user) which tells Apache what the user name should be.

Now to make Apache make use of this we put the following inside our Apache configuration. Inside your subversion virtual host.

PerlSwitches -I/infrastructure/source/lib
PerlLoadModule Apache::AuthenHook

<Location /repos/>
    DAV svn
    SVNParentPath /infrastructure/source/repos
    ...
    AuthType Basic
    AuthBasicProvider Fried::LDAPProvider
    AuthName "Subversion Repositories"
    Require valid-user
    ...
</Location>

Reload and authz works no mater what case they login with.

nospam@example.com () — Mon, 06 Feb 2012 07:58:23 -0600

JasonFried.info - Subversion

Active Directory and Subversion - Fixing the case-sensitive username problem