
Re: Patch for support ldap group in mod authz.

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-07-06 13:34:36 CEST

Hi Cong,

thanks for sharing this patch, it's really interesting. I haven't reviewed it
thoroughly yet; I just have some high-level questions and remarks:

- What new functionality does this patch provide? If I understand your example
correctly the function is: 'If this account is part of at least this LDAP group,
then allow r/w access for a project/path'. Right?
- When do you do the LDAP lookup, for each request? Apache already does an LDAP
lookup for the authentication part (password validation), so this will have a
negative performance impact.
- Why don't you use the already defined AuthzLDAPURL and AuthzLDAPBindDN
commands?
- I see you copy large parts of existing code from mod_auth_ldap.c. Why do you
do that? If you need that functionality, use the existing functions or extract
the common functionality into a new function.

To which branch & revision of the Subversion code did you make the patch? Do
you use this already in a test/production system?

I'd suggest before adding new functionality to the authn/authz mechanism of
Subversion we gather requirements and make a design proposal. As far as I'm
concerned, integration with enterprise architecture for authz is one of the
weak spots of Subversion and if we want to tackle that (and I really want that)
we should do it in a structured way.

Not to say that your patch isn't welcome, let's use the opportunity as a
starting point for further discussion.

regards,

Lieven.

Quoting Ngo Van Cong <van_cong.ngo@int-evry.fr>:

> These patches help you to use LDAP groups in the access control file of
> the Authz module. If you want to use it, you must declare the directive
> AuthzSVNLDAPURL; this is the path to the LDAP server.
> The directive AuthzSVNLDAPBindDN is a bind domain name for when you want to
> use the default group in the LDAP server (default group = repos name); for
> this you must turn on the directive AuthzSVNLDAPEnableDefaultGroup.
>
> Here is my configuration in Apache:
> AuthzSVNAccessFile /etc/apache2/access.passwd
> AuthzSVNLDAPURL ldap://localhost/dc=int-evry,dc=fr
> AuthzSVNLDAPEnableDefaultGroup on
> AuthzSVNLDAPBindDN ou=group,dc=int-evry,dc=fr
> AuthzSVNLDAPGroupAttribute memberUid
>
> and in the access.passwd
>
> [projet1:/home/user1]
> @user=r
>
> [groups]
> developers = oberger, benoit, admin
> user = ldap:cn=user,ou=group,dc=int-evry,dc=fr
> In this case the default group = projet1; for repository projet1, this group
> in the LDAP server has permission rw.
> Regards
> Cong
>
> [SNIPPED VERY LARGE PATCH]


Received on Thu Jul 6 13:35:06 2006

This is an archived mail posted to the Subversion Dev mailing list.
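The following is an added example for this thread, not code from Subversion or from Cong's patch. It models, in Python, the access-file semantics the two messages describe: an @group whose members come from an LDAP group (the "ldap:" prefix, memberUid as the group attribute, AuthzSVNLDAPBindDN as the search base), the "default group = repository name" rule, and Subversion's usual most-specific-path inheritance. The directory content, the extra "[projet1:/]" rule and the user names are constructed; the exact semantics of the default group and of an "ldap:" member occupying a whole line are my reading of Cong's description, not something the patch confirms. The LdapGroups class also shows one answer to Lieven's performance question: one instance per request with a per-DN cache means each distinct group costs at most one directory lookup per request.

```python
# Toy model of Subversion path-based authz with LDAP-backed groups: an added
# example, not code from Subversion or from the posted patch. The 'ldap:'
# prefix, memberUid and 'default group = repository name' semantics are my
# reading of Cong's description; FAKE_LDAP is a constructed stand-in for a
# directory server, so nothing here talks to a network.
import configparser

BIND_DN = "ou=group,dc=int-evry,dc=fr"   # AuthzSVNLDAPBindDN in the posted config

# Constructed directory content under BIND_DN: group DN -> memberUid values.
FAKE_LDAP = {
    "cn=user,ou=group,dc=int-evry,dc=fr": {"alice", "bob"},
    "cn=projet1,ou=group,dc=int-evry,dc=fr": {"alice"},  # default group of projet1
}

# The posted access file plus one constructed root rule to show inheritance.
ACCESS_FILE = """\
[groups]
developers = oberger, benoit, admin
user = ldap:cn=user,ou=group,dc=int-evry,dc=fr

[projet1:/]
@developers = rw

[projet1:/home/user1]
@user = r
"""

class LdapGroups:
    """One instance per request; caches each group DN so a request costs at
    most one directory lookup per distinct group (Lieven's performance point)."""
    def __init__(self, directory, bind_dn):
        self.directory, self.bind_dn = directory, bind_dn
        self.cache, self.lookups = {}, 0     # lookups counts uncached fetches

    def members(self, dn):
        if dn not in self.cache:
            self.lookups += 1
            self.cache[dn] = frozenset(self.directory.get(dn, ()))
        return self.cache[dn]

    def default_group_dn(self, repo):
        return f"cn={repo},{self.bind_dn}"   # group named after the repository

def parse_members(value):
    # A DN contains commas, so an 'ldap:' reference is taken to occupy the whole
    # line (assumption); plain member lists are comma-separated as in Subversion.
    value = value.strip()
    return [value] if value.startswith("ldap:") else [m.strip() for m in value.split(",")]

def parse_access_file(text):
    """Returns (groups, rules): name -> members, (repo|None, path) -> {principal: perm}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str    # keep case and the leading '@' of principals
    cp.read_string(text)
    groups = {n: parse_members(v) for n, v in cp.items("groups")} if cp.has_section("groups") else {}
    rules = {}
    for section in cp.sections():
        if section != "groups":
            repo, sep, path = section.partition(":")
            if not sep:                       # "[/path]" applies to every repository
                repo, path = None, section
            rules[(repo, "/" + path.strip("/"))] = dict(cp.items(section))
    return groups, rules

def user_in_group(user, group, groups, ldap):
    for member in groups.get(group, []):
        if member.startswith("ldap:"):        # membership resolved from the directory
            if user in ldap.members(member[len("ldap:"):]):
                return True
        elif member == user:                  # plain user listed in the file
            return True
    return False

def principal_perm(user, section, groups, ldap):
    """Permission from one section, or None if it says nothing about the user;
    a '*' line is the fallback inside that section only."""
    wildcard = None
    for principal, perm in section.items():
        if principal == "*":
            wildcard = perm.strip()
        elif principal == user or (principal.startswith("@") and
                                   user_in_group(user, principal[1:], groups, ldap)):
            return perm.strip()
    return wildcard

def access(user, repo, path, groups, rules, ldap):
    """Permission ('', 'r' or 'rw') for user on repo:path. Most specific path wins,
    a repo-specific section beats a repo-independent one, and the implicit LDAP
    default group is consulted only when no explicit rule applies (my choice)."""
    path = "/" + path.strip("/")
    while True:
        for key in ((repo, path), (None, path)):
            if key in rules:
                perm = principal_perm(user, rules[key], groups, ldap)
                if perm is not None:
                    return perm
        if path == "/":
            break
        path = path.rsplit("/", 1)[0] or "/"
    if user in ldap.members(ldap.default_group_dn(repo)):
        return "rw"
    return ""
```

With the constructed data, alice (in both LDAP groups) gets "r" on projet1:/home/user1 because the explicit rule is more specific, but "rw" elsewhere in projet1 through the default group; bob (in cn=user only) gets "r" under /home/user1 and nothing elsewhere; oberger reaches "rw" on /home/user1 by inheritance from "[projet1:/]". Two caveats a deployment would need to settle: the memberUid values must match the username exactly as Apache passes it in after authentication, otherwise access is silently denied; and a cache that outlives the request would turn a group removal in the directory into a stale grant.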