[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: AuthLDAP + AuthzSVNAccessFile

From: Manuel Vacelet <manuel.vacelet_at_gmail.com>
Date: 2007-07-20 11:20:07 CEST

Actually I still have a question.

If the apache authentication faild with "AuthSth + Require valid-user"
I'm not allowed to see the content of the repository.
but if it's "AuthSth + Require user someone", there is an anonymous
access and I can read the content of the repository even if I'm not
"someone".

That seems a strange logic for me...

Manuel

On 7/20/07, Manuel Vacelet <manuel.vacelet@gmail.com> wrote:
> Hello,
>
> Thanks for the reply, this exactly the info I was looking for (even if
> it doesn't solve my problem but it's another story ;).
>
> I didn't figure how AuthSvnAccessFile works and the interaction with
> "require" that fails and let the user "anonymous" and "* = r" that
> gives read access even to anonymous users.
>
> Cheers,
> Manuel
>
> On 7/20/07, ossi petz <ossipetz@hallo.ms> wrote:
> > hallo
> >
> > well it looks like some 'weird' plan
> >
> > the require user statement belongs to apache auth. not subversion. once
> > ldap auth is done the user is passed to subversion and from here you
> > will need to restrict repository access with your .SVNAccessFile file.
> >
> > users that may fail apache auth still have anonymous access. this is
> > configured with the "* = r" line. telling subversion: anyone has read
> > access.
> >
> > if you dont want anyone to be able to read you repos try it like this:
> >
> > # read access for the repository root (good if mutliple repos exist)?
> > # if not use: * =
> > [/]
> > * = r
> >
> > [repository1:/]
> > @members=rw
> > manuel = r
> > * =
> >
> >
> > hope this is of any help
> > regards
> >
> > op
> >
> >
> >
> >
> > Manuel Vacelet schrieb:
> > > Hello,
> > >
> > > I'm trying to set up LDAP authentication of users on my server with
> > > AuthLDAP (auth_ldap_module). It works great but it seems
> > > AuthzSVNAccessFile by pass the restrictions set with "Require user"
> > > directive.
> > >
> > > Actually I want to restrict the read possibility of the subversion
> > > repositories to a list of people (thanks to "Require user") and let
> > > the possibility to each repository to define its own rules (thanks to
> > > "AuthzSVNAccessFile"). But as soon as there is a '* = r' in the
> > > AuthzSVNAccessFile, the "Require user" is no longer taken in account
> > > (each repository can restrict access to its data but cannot "expose"
> > > it more). Note: it doesn't work even if I force "statisfy all".
> > >
> > > Here is my <Location> for one repository:
> > >
> > > <Location /svnroot/code>
> > > DAV svn
> > > SVNPath /var/lib/svnroot/code
> > > AuthType Basic
> > > AuthName "Subversion Authorization"
> > >
> > > AuthLDAPUrl ldap://localhost:389/ou=people,dc=example,dc=com
> > > AuthLDAPBindDN "ou=people,dc=example,dc=com"
> > > require user "manuel"
> > > AuthzSVNAccessFile /var/lib/svnroot/code/.SVNAccessFile
> > > </Location>
> > >
> > > I there a way to force "Require" to apply ?
> > >
> > > -- Manuel
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
> >
> >
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 20 11:19:31 2007

This is an archived mail posted to the Subversion Users mailing list.