[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security features, path based authorization in subversion

From: Quinn Taylor <quinntaylor_at_mac.com>
Date: Mon, 25 Aug 2008 19:03:26 -0600

On Aug 25, 2008, at 11:35 AM, David Weintraub wrote:

> I am not too sure how you're doing things now, so let's go over the
> four different repository access methods:
>
> file://
> <snip>
>
> svn://
>>
> <snip>
>
> svn+ssh://
>>
> <snip>
>
> http://
> Like svn://, this allows the repository to be owned by the same user
> which is running the httpd daemon process. Usually, you use Apache's
> authentication method to setup users which is the same drawback of
> svn://. However, you can use LDAP as your verification system, so the
> passwords and user names are on your LDAP server.
>
> We have such a system setup at our place. The LDAP server is our
> Windows server. If you are under a particular LDAP group, you have
> read access to our Subversion repository. If you are using Unix or
> Linux, you can setup an LDAP server that interacts with your
> /etc/passwd file (or your NIS database). This can be done either by
> having the /etc/passwd file generated from your LDAP server, or by
> having your LDAP server read in entries from your /etc/passwd file.
>
> I think what you may want to do is setup an Apache httpd daemon, and
> use LDAP as your authentication system. Of course, that will involve
> some major system administration which might be beyond your realm, but
> if your users have shell access to the same box that has your
> Subversion repository server, you can't use svn+ssh. And, your only
> other choice would be using svn://, and having to maintain a separate
> authentication system where you setup the passwords and accounts.
>
> --
> David Weintraub
> qazwart_at_gmail.com

Perhaps this is a technicality, but aren't we leaving out https://?
Generally it would work the same as http://, but you can encrypt the
traffic as well. You could probably even require client certificates
and authenticate based on that.

I just configured the SVN repo hosted on our site to use
mod_auth_mysql and check against website user logins. For
organizations that may not have an LDAP server set up or accessible
for authentication, MySQL can be a nice alternative. Coupled with
PHPMyAdmin, it can certainly be easier to maintain.

  - Quinn

  • application/pkcs7-signature attachment: smime.p7s
Received on 2008-08-26 03:03:58 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.