[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

R: SVNParentPath and per Repository Permissions

From: Guido Anzuoni <guido.anzuoni_at_kyneste.com>
Date: 2004-09-07 17:13:29 CEST

I am not sure I have fully understood your problem (a little example may help).
Anyway, I will explain may conf hoping it would somehow be useful.

I have configured apache to serve svn repository with ldap authentication as follows
(using ldap module bundled with apache):

<Location /svnldap>

   DAV svn
   SVNParentPath E:/SVNROOT/repositories
   AuthzSVNAccessFile E:/SVNROOT/config/security/svn-http-authz.txt
   
   AuthType Basic
   AuthName "Subversion"

   AuthLDAPEnabled on
   AuthLDAPRemoteUserIsDN off

   AuthLDAPUrl .....
   AuthLDAPBindDN .....
   AuthLDAPBindPassword ...
   
   Deny from all
   Require valid-user
   Satisfy all

</Location>

In AuthzSVNAccessFile I have something like:

[groups]
admin = <members of global admin group>
repos1-team = <members of repos1 project team>

[/]
* = r
@admin = rw

[repos1:/]
@repos1-team = rw
.......

If you want to have read access control too, you could do something like:

[groups]
admin = <members of global admin group>
repos1-team = <repos1 project team>
repos1-admin-team = <repos1 project admins>

[/]
* =
@admin = rw

[repos1:/]
@repos1-team = r
@repos1-admin-team = rw
.......

Guido

> -----Messaggio originale-----
> Da: Brandstädter Reinhard
> [mailto:Reinhard.Brandstaedter@ams-engineering.com]
> Inviato: martedì 7 settembre 2004 16.48
> A: Guido Anzuoni
> Oggetto: AW: SVNParentPath and per Repository Permissions
>
>
> Oh I've read the acl section in the book, and maybe I was too
> less precise.
> I guess since I already limit the authentication via ldap via
> a "require group" directive there is no other way using the
> SVNParentPath.
> (I don't want to find a general "require group" wich is valid
> for all repositories, but want to keep the group of users who
> can access a repository (authentication process) to a minimum.
>
> Reinhard
>
> > -----Ursprüngliche Nachricht-----
> > Von: Guido Anzuoni [mailto:guido.anzuoni@kyneste.com]
> > Gesendet: Dienstag, 07. September 2004 09:24
> > An: Brandstädter Reinhard; users@subversion.tigris.org
> > Betreff: R: SVNParentPath and per Repository Permissions
> >
> >
> > You can use per-directory access control as documented in
> > http://svnbook.red-bean.com/svnbook/ch06s04.html#svn-ch-6-sect-4.4.2
> >
> > The only caution is to configure ldap authentication to not
> > to use full DN for
> > the authenticated principal otherwise you run into troubles
> > defining groups in subversion authorization conf (btw, an
> > escaping mechanism for group member separators would help).
> >
> > Guido.
> >
> >
> > -----Messaggio originale-----
> > Da: Brandstädter Reinhard
> > [mailto:Reinhard.Brandstaedter@ams-engineering.com]
> > Inviato: martedì 7 settembre 2004 8.46
> > A: users@subversion.tigris.org
> > Oggetto: SVNParentPath and per Repository Permissions
> >
> >
> > Hi,
> >
> > I'm just browsing through the Subversion paperback book
> > (great job, by the way!), and playing around with my apache
> > configuration. The SNVParentPath is a pretty handy directive,
> > but how would this work if you want to set different
> > permissions per repository? I'm planning to use LDAP
> > authentication against MS Active directory with the excellent
> > mod_auth_ldap module by Muhammad A Muquit
> > http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_l
> dap_apache2.html
>
> At the moment I only see the solution by using one <Location>
> directive per repository and also set permissions per
> <Location> directive. Am I wrong, or is there a way to use
> the convenience of ParentPath and per-repos permissions?
>
> Thanks,
> Reinhard
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Sep 7 17:14:37 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.