Windows Active Directory, LDAP, SSL, Apache, and mod_dav_svn configuration. Analysing the “Access to … failed, reason: require directives present and no Authoritative handler” error
We configured Apache to manage SVN authorization, and Apache does that by connecting to Windows Active Directory over LDAP.
We’ve had the “Access to … failed” problem since an SVN server upgrade. Our configuration was fine; it worked before the upgrade. Restarting Apache helps for about one day. What causes the problem? How can it be solved?
Our configuration: Active Directory, LDAP, Apache, SVN, Linux
Our users are managed by a Windows server. LDAP is the protocol between Windows and Apache. Subversion access is controlled through Apache. Apache itself runs on CentOS.
In the Apache configuration (httpd.conf -> ssl.conf + svn.conf) we have something along the lines of:
    <Location /rep1>
        DAV svn
        SVNPath /path/to/repo/rep1
        Order allow,deny
        allow from $IP_MASK_1
        allow from $IP_MASK_2
        AuthType Basic
        AuthName Svn
        AuthLDAPUrl "ldap://url here..."
        AuthLDAPBindDN "cn=ldap user here..."
        AuthLDAPBindPassword "ldap pass here"
        AuthLDAPGroupAttribute member
        require ldap-group cn=user must be a member of...
        AuthzLDAPAuthoritative off
        AuthBasicProvider ldap
    </Location>
How Apache and the SVN module decide whether to allow a user access to an SVN path
Let us presume that the user “foo” with password “bar” wants access to the path /path/to/repo/rep1/branch/ohmygot.
Apache handles this in (at least) three steps:
1. Is your IP authorized?
    allow from $IP_MASK_1
    allow from $IP_MASK_2
Only clients with a matching IP are admitted. If that check fails, the other checks won’t even start.
2. Authentication phase
Does user “foo” with password “bar” exist? This question is sent over LDAP to the Windows server, where the users are managed.
AuthBasicProvider ldap tells Apache that LDAP should handle the Basic authentication.
3. Authorization phase
Does the existing user “foo” have the right to read /path/to/repo/rep1/branch/ohmygot?
Here we not only require that the user belongs to the specified group (require ldap-group cn=user must be a member of...), we also say, with AuthzLDAPAuthoritative off, that LDAP is not the only instance that decides. So if LDAP doesn’t authorize the user, it hands the question on to the next module, if there is any.
The full documentation is here: http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
What does the error mean
The error means that a require directive (probably our require ldap-group) is present, but the module that should take responsibility for it did not do so for this request.
Fixing…
For now we have only speculations…
No trivial fix helped us. One suggestion is to set AuthzLDAPAuthoritative off, but in our case it was already off.
Restarting Apache gives us about one day without the problem; then it starts all over again.
That makes us think the following happens:
the authorized users are cached on the Apache server side, and after some time some users from the cache are no longer recognized by Active Directory.
Where is the Authoritative handler?
The first thing we presume here is that we are facing an LDAP bug. I guess we will know in time whether that was indeed the case…
There is also an interesting theory:
(From the Apache documentation)
“AuthLDAPAuthoritative must be off to allow mod_auth_ldap to decline group authentication so that Apache will fall back to file authentication for checking group membership…”
And what if there is nothing for Apache to fall back to?
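To make the three phases above and the fallback question concrete, here is a small model added for this post; it is not Apache’s code and not the author’s configuration. It runs a request through the IP check, Basic authentication against an LDAP stand-in, and a chain of authorization handlers that can allow, deny or decline. The IP masks, the group name, the directory contents, the AuthGroupFile contents and the credential cache are all constructed assumptions; the cache stands for the caching the post suspects, and the final message reproduces the error text from the post.

```python
"""Model of Apache's three-phase access decision as described in the post (constructed)."""
import ipaddress
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    DECLINE = "decline"  # no opinion: hand the question to the next handler


# Constructed stand-ins for the config and the directory server (not real data).
IP_MASKS = ["10.0.0.0/8", "192.168.1.0/24"]   # allow from $IP_MASK_1 / $IP_MASK_2
REQUIRED_GROUP = "svn-users"                   # the group named in 'require ldap-group'
DIRECTORY = {
    "foo": {"password": "bar", "groups": {"svn-users"}},
    "guest": {"password": "x", "groups": set()},
}
ERR_NO_AUTHORITATIVE = "require directives present and no Authoritative handler"


def ip_allowed(client_ip, masks=IP_MASKS):
    """Phase 1: 'Order allow,deny' plus 'allow from' masks; unmatched clients are refused."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(mask) for mask in masks)


def basic_auth_ldap(user, password, directory, authn_cache):
    """Phase 2: AuthBasicProvider ldap. A hit in the hypothetical credential cache
    answers without asking the directory, which is the situation the post suspects."""
    if user in authn_cache:
        return True
    entry = directory.get(user)
    return entry is not None and entry["password"] == password


def ldap_group_authz(user, directory, authoritative):
    """Phase 3, LDAP handler for 'require ldap-group'. With AuthzLDAPAuthoritative off
    a user who is not in the group, or unknown to the directory, is declined, not denied."""
    entry = directory.get(user)
    if entry is not None and REQUIRED_GROUP in entry["groups"]:
        return Verdict.ALLOW
    return Verdict.DENY if authoritative else Verdict.DECLINE


def file_group_authz(user, group_file):
    """A fallback handler modelled on 'require group' against an AuthGroupFile;
    it is authoritative, so it answers ALLOW or DENY and never declines."""
    return Verdict.ALLOW if user in group_file.get(REQUIRED_GROUP, set()) else Verdict.DENY


def decide(client_ip, user, password, directory=DIRECTORY, authn_cache=frozenset(),
           ldap_authoritative=False, group_file=None):
    """Run the three phases and return (granted, reason)."""
    if not ip_allowed(client_ip):
        return False, "client denied by server configuration"
    if not basic_auth_ldap(user, password, directory, authn_cache):
        return False, "user not found or password mismatch"
    handlers = [lambda u: ldap_group_authz(u, directory, ldap_authoritative)]
    if group_file is not None:
        handlers.append(lambda u: file_group_authz(u, group_file))
    for handler in handlers:
        verdict = handler(user)
        if verdict is Verdict.ALLOW:
            return True, "authorized"
        if verdict is Verdict.DENY:
            return False, "access denied by an authoritative handler"
    # Every handler declined while a 'require' directive is present: nobody took
    # responsibility for the decision, which is exactly what the error reports.
    return False, ERR_NO_AUTHORITATIVE


if __name__ == "__main__":
    # A user whose credentials are still cached but who is no longer in the directory.
    print(decide("10.1.2.3", "foo", "bar", directory={}, authn_cache={"foo"}))
```

The interesting run is the last one in the block: the cached credential passes phase 2, the directory no longer knows the user, the LDAP authorizer declines because it is non-authoritative, and with no fallback handler the request ends with the message from the post. Passing a group_file adds the file fallback the Apache quote refers to, and then the same request is answered by that handler instead.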
Oh, and maybe the Apache mod_authnz_ldap source will help:
http://apache.wirebrain.de/lxr/source/modules/aaa/mod_authnz_ldap.c?v=2.3-trunk
Maybe you could fix it? Let me know!