Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)

From: Brian Brophy <brianbrophy_at_email.com>
Date: 2006-08-12 14:21:21 CEST

I have now tried "Require ldap-user" and unfortunately it still results
in the same issue.

Here if the command run:
svn copy -m "testing"
"https://server.corp.net/svn/abc/Common/Architecture/Publish/Working/hotBackup"
"https://server.corp.net/svn/abc/Common/Architecture/Publish/Working/hotBackup3"
--username abc_user1 --password myPass

Here is the resulting ssl_error_log entries (shows more info ... note
this was isolated to a test server where the command above was the only
request sent in and below are all log entries from that command):
[Sat Aug 12 08:09:52 2006] [info] Connection to child 7 established
(server server.corp.net:443, client 127.0.0.1)
[Sat Aug 12 08:09:52 2006] [info] Seeding PRNG with 136 bytes of entropy
[Sat Aug 12 08:09:53 2006] [info] Initial (No.1) HTTPS request received
for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.2) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.3) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.4) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.5) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.6) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.7) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.8) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.9) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.10) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
GET abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.11) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.12) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.13) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
GET abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.14) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
OPTIONS abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.15) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
MKACTIVITY abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.16) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.17) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.18) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
CHECKOUT abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.19) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPPATCH abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.20) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.21) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [error] [client 127.0.0.1] [21687] no password?
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.22) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' CHECKOUT abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.23) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'(null)' GET abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.24) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.25) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.26) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:54 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' COPY abc:/Common/Architecture/Publish/Working/hotBackup
abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:54 2006] [error] [client 127.0.0.1] Access denied:
'(null)' COPY abc:/Common/Architecture/Publish/Working/hotBackup3
abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:54 2006] [info] Subsequent (No.27) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:54 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' DELETE abc:
[Sat Aug 12 08:09:54 2006] [info] Connection to child 7 closed with
standard shutdown(server server.corp.net:443, client 127.0.0.1)

Here is the current subversion.conf:
LoadModule authz_ldap_module modules/mod_authz_ldap.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# ABC Repository
<Location /svn/abc>
DAV svn
SVNPath /shared/subversion/repos/abc

SVNIndexXSLT "/arch-svnindex.xsl"

SSLRequireSSL

AuthType Basic
AuthName "ABC LDAP"

   AuthzLDAPMethod ldap
   AuthzLDAPAuthoritative off
   AuthzSVNAuthoritative on
   AuthzLDAPServer 127.0.0.1:10636
   AuthzLDAPLogLevel debug
   AuthzLDAPUserBase cn=users,ou=abc,dc=abc,dc=com
   AuthzLDAPUserKey uid
   AuthzLDAPUserScope base
   AuthzLDAPGroupBase cn=groups,ou=abc,dc=abc,dc=com
   AuthzLDAPGroupKey cn
   AuthzLDAPGroupScope base
   AuthzLDAPMemberKey uniquemember
   AuthzLDAPSetGroupAuth ldapdn

Satisfy any
Require ldap-user

AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>

And, here is the /shared/subversion/repos/abc/conf/subversion.acl file:
# Last Updated 08/12/2006 07:58:01 from ldap://127.0.0.1:10636
[groups]
abc_SVN Administrator = abc_user1, abc_user2
abc_SVN Architecture = abc_user1, abc_user3
abc_SVN Security Framework = abc_user5, abc_user4

[/]
* = r
@abc_SVN Administrator = rw

[abc:/Common/Architecture]
@abc_SVN Architecture = rw

Justin Erenkrantz wrote:
> On 8/9/06, Brian Brophy <brianbrophy@email.com> wrote:
>> I tried the suggested (not use LimitExcept but instead use Require
>> valid-user and satisfy any) but I am experiencing the same issue. The
>
> Did you try 'Require ldap-user' instead of 'Require valid-user'? --
> justin
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Aug 12 14:21:53 2006

This message: [ Message body ]
Next message: Amit Aronovitch: "patch: svn_load_dirs: global-ignores support"
Previous message: David Glasser: "Re: atomic revprop commits at the RA level"
In reply to: Justin Erenkrantz: "Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]