I recently encountered a problem where a badly formatted
AuthzSVNAccessFile went undetected and we struggled to figure out why
some users could not commit to the repository.
The server is a Windows 2003 Server running Apache 2.2 and Subversion
1.5.2. To install an updated configuration I basically do this:
* Run httpd -t to test httpd-ssl.conf.
* Run httpd -n "[service name]" -k restart to do a graceful
* Run net start | find /I "[service name]" > NUL and check
ERRORLEVEL to determine whether the server is started.
* Run an svn ls command to verify the AuthZSVNAccessFile.
* On any error, roll back the configuration, restart the server
again, and re-test to determine whether the roll back succeeded.
With some AuthzSVNAccessFile parsing errors, the svn ls command will
fail after the restart. However, in one case I just found out about,
the server appears to restart, and svn ls runs, but the new auth file
doesn't really seem to be active, because any subsequent changes don't
seem to be recognized.
The parsing error we had was in the [groups] section. Our ordinary
format would look like this:
GroupName = one, two, three, four
The bad edit left it like this:
GroupName = one, two twob, three, four
Note the missing comma.
I realize I can install a command-line grep to detect this specific case
if nothing else, but is there a better way to detect this problem and
maybe other syntax errors at the same time? I'd really like something
like httpd -t for the AuthzSVNAccessFile but I haven't heard of such a
thing. I also scanned all the Apache logs and found nothing helpful.
Some more configuration information:
* We have users authenticating from multiple domains
* SSPIOmitDomain On
* For some reason we had to specify an SSPIDomain and doing this
with one of our domains would let it work with the other, but the
reverse was not true. Users are specified in the auth file without
domains (though initially I tried, and failed, to get it to work
* We use an SVNParentPath to allow multiple repositories under a
* SSPIOfferBasic On
* SSPIPerRequestAuth Off
* SSPIUsernameCase lower
* We use <LimitExcept GET PROPFIND OPTIONS REPORT> containing:
Require Group [Domain\\GroupName]
* The auth file has [/] * = r for now, so as long as a user is in
the above-named group, they should be able to read everything.
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-05-29 20:28:40 CEST