
Re: Read-Only Access

From: Jake Stone <jake.the.stone_at_gmail.com>
Date: Tue, 20 Oct 2009 13:23:06 -0500

Patricia: When sending replies, don't forget to make sure you have
"users_at_subversion.tigris.org" in the CC: area of your email. Otherwise
you send replies to only me and not the whole list :-)

Actually, the following configuration you provided:
<Limit GET PROPFIND OPTIONS REPORT>
Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
</Limit>

If used by itself, would limit read access methods but NOT write access
methods, so I don't know what that would do if you had a user who didn't
satisfy the ldap-group requirement.

Understanding why requires some understanding of the <Limit> and
<LimitExcept> directives: The <Limit> directive essentially means "these
actions require that the below restrictions be satisfied for use". The
<LimitExcept> means "anything BUT these actions require that the below
restrictions be satisfied for use." So using only the <Limit> only
places a restriction on read-access, not any other methods. This is not
what you want (if I understand you correctly).

Note the svn-book chapter on Apache SVN control (online & free reference):
http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.serverconfig.httpd.authz

I believe your desire is for ANY user to have read access, but ONLY an
ldap-group to have write access, correct? To configure Apache to only
restrict write-access, use a <LimitExcept> directive instead, which
would restrict everything *except* read methods:

<LimitExcept GET PROPFIND OPTIONS REPORT>
Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
</LimitExcept>

This is an adaptation of my own Apache configuration:
<LimitExcept GET PROPFIND OPTIONS REPORT>
           Require [Code-Write]
</LimitExcept>

I don't doubt you if you say the LDAP portion works, just wanted to make
sure :)
An easy way to test is to just copy that "Require ldap-group" directive
to a "<Location>" block to require that LDAP to access a portion of the
site, and confirm only members of the given LDAP group can access that area.

Incidentally, if your LDAP is a proper Windows Active Directory instance
on the same machine as Apache, you could use the (unmaintained) SSPI module:
http://sourceforge.net/projects/mod-auth-sspi/
It's what I use, and allows me to run Apache authentication against AD
without having a read-only account and all that ldap-group configuration
shenanigans.
If you already have a working LDAP setup, however, it may not be worth
the trouble to investigate.

Hope this helps!

Patricia A Moss wrote:
>
> I already know that the LDAP portion works. I just needed to add more
> of a limitation by only allowing read access. So, according to your
> email, to allow only read access I should have the following in my
> location block; correct?
>
> <Limit GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
> </Limit>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
>
> From: Jake Stone <jake.the.stone_at_gmail.com>
> To: Patricia A Moss/GIS/CSC_at_CSC
> Cc: users_at_subversion.tigris.org
> Date: 10/19/2009 02:56 PM
> Subject: Re: Read-Only Access
>
>
> ------------------------------------------------------------------------
>
>
>
> Patricia A Moss wrote:
>
> I am attempting to allow a single group access to a repository and to
> make that access read-only. Here is my config file; however, it does
> not seem to be making the group read-only. The members of the group
> can still commit and make changes. Can someone tell me what I am
> missing? Thanks.
>
> <Location /ProdDev>
> dav svn
> SVNPath /disk01/home/ProdDev
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> AuthLDAPBindDN FCGNET\xxxxxxx
> AuthLDAPBindPassword xxxxxxx
> AuthLDAPURL ldap://pant04.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
> </LimitExcept>
> </Location>
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
> You should first test your config with simple Apache password files;
> trying to debug LDAP and SVN at the same time is a bad idea.
> It seems you have the right LimitExcept, so if you got LDAP working
> correctly that should be right.
>
> I use LDAP for my SVN-Apache instance as well, and the below
> directives accomplish both read and write access control.
> You would need to satisfy [Code-Read] to even read the repository, and
> [Code-Write] to change it.
> Note the difference between LimitExcept and Limit.
>
> <Location /svn>
> .....
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require [Code-Write]
> </LimitExcept>
> <Limit GET PROPFIND OPTIONS REPORT>
> Require [Code-Read]
> </Limit>
> </Location>
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409487

Received on 2009-10-20 20:24:02 CEST
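
The difference between <Limit> and <LimitExcept> discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not Apache's own parser) that reports which Require lines apply to each HTTP method. The method lists are an assumption of the example (verbs a Subversion client commonly sends over WebDAV), and the sample configurations are constructed from the snippets in the thread.

```python
import re

# Assumed method lists: verbs a Subversion client sends through mod_dav_svn.
READ_METHODS = ["GET", "HEAD", "PROPFIND", "OPTIONS", "REPORT"]
WRITE_METHODS = ["MKACTIVITY", "CHECKOUT", "PUT", "PROPPATCH", "MERGE",
                 "DELETE", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]

BLOCK = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>(.*?)</\1>", re.S | re.I)
REQUIRE = re.compile(r"^\s*Require\s+(.+?)\s*$", re.M | re.I)

def requirements(config, method):
    """Return the Require arguments that apply to one HTTP method."""
    applied = []
    for kind, names, body in BLOCK.findall(config):
        listed = set(names.split())
        if "GET" in listed:
            listed.add("HEAD")          # Apache applies a GET limit to HEAD too
        if (method in listed) == (kind.lower() == "limit"):
            applied += REQUIRE.findall(body)
    # Require lines outside any block apply to every method.
    applied += REQUIRE.findall(BLOCK.sub("", config))
    return applied

def unprotected(config, methods):
    """Methods for which no Require applies, so Apache asks for no login."""
    return [m for m in methods if not requirements(config, m)]

# Constructed sample configurations built from the snippets in the thread.
GROUP = "ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com"
LIMIT_ONLY = f"<Limit GET PROPFIND OPTIONS REPORT>\nRequire {GROUP}\n</Limit>"
EXCEPT_ONLY = (f"<LimitExcept GET PROPFIND OPTIONS REPORT>\n"
               f"Require {GROUP}\n</LimitExcept>")
BOTH = ("<LimitExcept GET PROPFIND OPTIONS REPORT>\nRequire [Code-Write]\n"
        "</LimitExcept>\n<Limit GET PROPFIND OPTIONS REPORT>\n"
        "Require [Code-Read]\n</Limit>")

if __name__ == "__main__":
    for name, cfg in [("Limit only", LIMIT_ONLY),
                      ("LimitExcept only", EXCEPT_ONLY), ("both", BOTH)]:
        print(f"{name}: open reads={unprotected(cfg, READ_METHODS)} "
              f"open writes={unprotected(cfg, WRITE_METHODS)}")
```

With only the <Limit> block every write verb comes back unprotected, while the <LimitExcept> form leaves only the read verbs open.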

This is an archived mail posted to the Subversion Users mailing list.