
mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)

From: Brian Brophy <brianbrophy_at_email.com>
Date: 2006-08-02 14:41:47 CEST

Hello,

First let me say I posted this originally on the users list, but did not
have any responses. This is a rather critical issue for us and I am
sincerely hoping someone on this list can help. Our end goal is to have
a Subversion repository, accessed using Apache, whose authentication
goes against LDAP and authorization ideally goes against LDAP group
membership (i.e., allow path /x/y/z if user in LDAP group1) but we would be
open to using mod_authz_svn (and scripting the group names/membership from
LDAP to keep the two in sync).

I am posting to this group because I am seeing an unexpected (to me at
least) additional COPY. Full details below, but essentially if I am
copying /a/b/c1 to /a/b/c2 I see a copy from /a/b/c1 to /a/b/c2 which
successfully passes authorization; yet, I then see a copy from /a/b/c2
to /a/b/c2 which fails.

I would appreciate any insight you could offer.

We are using mod_authz_ldap to authenticate our users and mod_authz_svn
to authorize them. Subversion 1.3.1 running on Red Hat Enterprise Linux
3 and Apache 2.0.46.

What I can see is that authentication is working fine and the user is
being identified by mod_authz_svn correctly. Authorization is working
fine for everything except the COPY operation, and thus MOVE and RENAME
as well (since these attempt copies at some point).

Here is the attempt:
svn copy -m 'testing' --username user123 --password mySecret
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup"
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup2"

Here is an excerpt from a failed COPY (note how the user is correctly
identified and then failed as 'null' when SVN tries to copy the new
file's name to itself ... weird ...):
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.18) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.19) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 'user123' CHECKOUT repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.20) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 'user123' PROPPATCH repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.21) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.22) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 'user123' CHECKOUT repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.23) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - GET repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.24) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.25) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied: '(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2 repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [info] Subsequent (No.27) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 'user123' DELETE repo:
[Sun Jul 16 22:45:15 2006] [info] Connection to child 2 closed with standard shutdown(server server.abc.com:443, client 127.0.0.1)

And here is the corresponding mod_authz_svn ACL file:
# Last Updated 07/11/2006 11:30:02 from ldap://127.0.0.1:10636
[groups]
repo_SVN Administrator = user123, user789
repo_SVN Architecture = user123, user456

[repo:/]
* = r
@repo_SVN Administrator = rw

[repo:/Common/Architecture]
@repo_SVN Architecture = rw

Additionally, here is the apache subversion.conf file:
# Load Subversion Modules
LoadModule authz_ldap_module modules/mod_authz_ldap.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn/repo>
  DAV svn
  SVNPath /shared/subversion/repos/abc
  SVNIndexXSLT "/arch-svnindex.xsl"
  SSLRequireSSL
  AuthzLDAPMethod ldap
  AuthzLDAPAuthoritative off
  AuthzSVNAuthoritative on
  AuthType Basic
  AuthName "LDAP"
  AuthzLDAPServer 127.0.0.1:10636
  AuthzLDAPLogLevel debug
  AuthzLDAPUserBase cn=users,ou=org,dc=abc,dc=com
  AuthzLDAPUserKey uid
  AuthzLDAPUserScope base
  AuthzLDAPGroupBase cn=groups,ou=org,dc=abc,dc=com
  AuthzLDAPGroupKey cn
  AuthzLDAPGroupScope base
  AuthzLDAPMemberKey uniquemember
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
  AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>

Please note that the log excerpt above is the result of the single copy
command ... why does it attempt to copy from old to new (expected) but
then also after that from new to new?

Thanks,
Brian

Received on Thu Aug 3 19:40:38 2006
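
Added example (not part of the original message, and not mod_authz_svn's own code): the ACL file quoted above, evaluated for the two identities that appear in the log, to show that the denied COPY is what this ACL yields once a request reaches the authorization check without a username. The evaluation is a simplified model of path-based authz (the nearest section with an applicable entry decides), and the function names are hypothetical.

```python
import configparser

# The ACL file from the message, embedded as posted (comment line omitted).
ACL = """
[groups]
repo_SVN Administrator = user123, user789
repo_SVN Architecture = user123, user456

[repo:/]
* = r
@repo_SVN Administrator = rw

[repo:/Common/Architecture]
@repo_SVN Architecture = rw
"""
SRC = "/Common/Architecture/Publish/Working/hotBackup"
DST = "/Common/Architecture/Publish/Working/hotBackup2"

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in m.split(",")} for g, m in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

GROUPS, RULES = load(ACL)

def access(user, repo, path):
    """Return '', 'r' or 'rw' for user (None = no username) on repo:path.
    Simplified model: walk from the path up to the root and let the first
    section that has an entry applying to this user decide."""
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        section = RULES.get(f"{repo}:/" + "/".join(parts[:depth]), {})
        perms = [p for who, p in section.items()
                 if who == "*" or who == user
                 or (who.startswith("@") and user in GROUPS.get(who[1:], ()))]
        if perms:
            granted = set("".join(perms))
            return "".join(c for c in "rw" if c in granted)
    return ""

def copy_allowed(user, repo, src, dst):
    # Assumption of this model: COPY needs read on src and write on dst.
    return "r" in access(user, repo, src) and "w" in access(user, repo, dst)

if __name__ == "__main__":
    print("user123:", copy_allowed("user123", "repo", SRC, DST))  # first COPY
    print("(null): ", copy_allowed(None, "repo", DST, DST))       # second COPY
```

With no username, only the `* = r` entry at `[repo:/]` applies, so the write check on hotBackup2 fails exactly as in the `'(null)'` log line; the ACL itself grants user123 the copy.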

This is an archived mail posted to the Subversion Dev mailing list.
