[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SVNParentPath and per Repository Permissions

From: Dongsheng Song <dongsheng_song_at_hotmail.com>
Date: 2004-09-08 03:40:12 CEST

No, I think he means using some method split AuthzSVNAccessFile,

e.g. repos1 has access file repos1_auth.conf
      repos2 has access file repos2_auth.conf
      ....
and repos1 , repos2, ..., etc. has same SVNParentPath

Another question, can I let apache2 list these repositories('/svnldap') ?

I quite interest the solve answer.

Dongsheng Song

----- Original Message -----
From: "Guido Anzuoni" <guido.anzuoni@kyneste.com>
To: "Brandstädter Reinhard" <Reinhard.Brandstaedter@ams-engineering.com>;
<users@subversion.tigris.org>
Sent: Tuesday, September 07, 2004 11:13 PM
Subject: R: SVNParentPath and per Repository Permissions

I am not sure I have fully understood your problem (a little example may
help).
Anyway, I will explain may conf hoping it would somehow be useful.

I have configured apache to serve svn repository with ldap authentication as
follows
(using ldap module bundled with apache):

<Location /svnldap>

   DAV svn
   SVNParentPath E:/SVNROOT/repositories
   AuthzSVNAccessFile E:/SVNROOT/config/security/svn-http-authz.txt

   AuthType Basic
   AuthName "Subversion"

   AuthLDAPEnabled on
   AuthLDAPRemoteUserIsDN off

   AuthLDAPUrl .....
   AuthLDAPBindDN .....
   AuthLDAPBindPassword ...

   Deny from all
   Require valid-user
   Satisfy all

</Location>

In AuthzSVNAccessFile I have something like:

[groups]
admin = <members of global admin group>
repos1-team = <members of repos1 project team>

[/]
* = r
@admin = rw

[repos1:/]
@repos1-team = rw
......

If you want to have read access control too, you could do something like:

[groups]
admin = <members of global admin group>
repos1-team = <repos1 project team>
repos1-admin-team = <repos1 project admins>

[/]
* =
@admin = rw

[repos1:/]
@repos1-team = r
@repos1-admin-team = rw
......

Guido

> -----Messaggio originale-----
> Da: Brandstädter Reinhard
> [mailto:Reinhard.Brandstaedter@ams-engineering.com]
> Inviato: martedì 7 settembre 2004 16.48
> A: Guido Anzuoni
> Oggetto: AW: SVNParentPath and per Repository Permissions
>
>
> Oh I've read the acl section in the book, and maybe I was too
> less precise.
> I guess since I already limit the authentication via ldap via
> a "require group" directive there is no other way using the
> SVNParentPath.
> (I don't want to find a general "require group" wich is valid
> for all repositories, but want to keep the group of users who
> can access a repository (authentication process) to a minimum.
>
> Reinhard
>
> > -----Ursprüngliche Nachricht-----
> > Von: Guido Anzuoni [mailto:guido.anzuoni@kyneste.com]
> > Gesendet: Dienstag, 07. September 2004 09:24
> > An: Brandstädter Reinhard; users@subversion.tigris.org
> > Betreff: R: SVNParentPath and per Repository Permissions
> >
> >
> > You can use per-directory access control as documented in
> > http://svnbook.red-bean.com/svnbook/ch06s04.html#svn-ch-6-sect-4.4.2
> >
> > The only caution is to configure ldap authentication to not
> > to use full DN for
> > the authenticated principal otherwise you run into troubles
> > defining groups in subversion authorization conf (btw, an
> > escaping mechanism for group member separators would help).
> >
> > Guido.
> >
> >
> > -----Messaggio originale-----
> > Da: Brandstädter Reinhard
> > [mailto:Reinhard.Brandstaedter@ams-engineering.com]
> > Inviato: martedì 7 settembre 2004 8.46
> > A: users@subversion.tigris.org
> > Oggetto: SVNParentPath and per Repository Permissions
> >
> >
> > Hi,
> >
> > I'm just browsing through the Subversion paperback book
> > (great job, by the way!), and playing around with my apache
> > configuration. The SNVParentPath is a pretty handy directive,
> > but how would this work if you want to set different
> > permissions per repository? I'm planning to use LDAP
> > authentication against MS Active directory with the excellent
> > mod_auth_ldap module by Muhammad A Muquit
> > http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_l
> dap_apache2.html
>
> At the moment I only see the solution by using one <Location>
> directive per repository and also set permissions per
> <Location> directive. Am I wrong, or is there a way to use
> the convenience of ParentPath and per-repos permissions?
>
> Thanks,
> Reinhard
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Sep 8 03:41:05 2004

This is an archived mail posted to the Subversion Users mailing list.