[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: SVN group authentication to AD

From: Feldhacker, Chris <Feldhacker.Chris_at_principal.com>
Date: Mon, 15 Nov 2010 08:10:05 -0600

Sorry -- disregard my post.

I overlooked the "Auth_PAMEnabled" line and assumed you were using the standard LDAP authz Apache modules, which don't support nested groups.

However, while you're waiting for someone with more PAM knowledge to reply, I would wonder if perhaps the cause could be similar -- I would check the documentation for the specific PAM module you are using and verify nested groups are supported...

-----Original Message-----
From: Feldhacker, Chris [mailto:Feldhacker.Chris_at_principal.com]
Sent: Monday, November 15, 2010 7:50 AM
To: Dale Bohl
Cc: users_at_subversion.apache.org
Subject: RE: SVN group authentication to AD

> dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R and
> IT-InfrastructureTeam-SystemAdministrator-R is a member of
> SVN-Puppet-ReadWrite-P AD group
 

Nested AD groups aren't supported -- not many products do. Typically, support for nested AD groups requires that the client application use the native AD APIs rather than generic LDAP APIs.

________________________________

From: Dale Bohl [mailto:DBohl_at_masoncompaniesinc.com]
Sent: Monday, November 15, 2010 7:40 AM
To: users_at_subversion.apache.org
Subject: SVN group authentication to AD

Hello,

 

    I've been banging my head on this one for 2 days now.

I've googled this issue but it appears not many admins are using this and/or

it could possibly be a bug in the apache module.

 

Config

------

Red Hat Enterprise Linux Server release 5.5 (Tikanga)

Server version: Apache/2.2.3

svn, version 1.6.12 (r955767)

Windows 2008 R2

 

   It appears that we cannot use Active Directory Permissions Groups

with the s-svn server for Subversion repository authentication and authorization

but yet AD Role groups work just fine.

 

subversion.conf config for "puppet" repository

------------------------------------------------

#================puppet repo===================================

<Location /puppet>

   DAV svn

   SVNPath /repos/puppet

   AuthPAM_Enabled on

   AuthType Basic

   AuthName "Subversion Authentication to AD"

 

   # Limit R/W access to certain role groups

   <LimitExcept GET PROPFIND OPTIONS REPORT>

# Require group SVN-Puppet-ReadWrite-P

      Require group IT-InfrastructureTeam-SystemAdministrator-R

   </LimitExcept>

 

   # Limit R/O access to certain role group

   <Limit GET PROPFIND OPTIONS REPORT>

# Require group SVN-Puppet-ReadWrite-P

      Require group IT-InfrastructureTeam-SystemAdministrator-R

   </Limit>

</Location>

 

The interesting thing is that AD Role Groups appear to work fine within

the Location directive config above which shows the role group for which

I'm a member.

 

If the above config is changed to use the Permissions group shown commented

out, authentication doesn't work and when that happens I'm seeing the following

error in ssl_error_log.

 

[Fri Nov 12 13:10:18 2010] [error] [client 172.16.4.7] GROUP: dpb not in required group(s).

 

So, even though the following User > Role > Permissions > Resource association

exists, the group with '-P' in it above won't allow dpb to authenticate for repo access.

 

dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R and

IT-InfrastructureTeam-SystemAdministrator-R is a member of SVN-Puppet-ReadWrite-P AD

group

 

Any help would be greatly appreciated.

 

--------

Dale Bohl
Sr. Systems Administrator
Mason Companies, Inc.
dbohl_at_masoncompaniesinc.com <mailto:dbohl_at_masoncompaniesinc.com>
(715)-720-4382

 

-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect_at_principal.com and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

While this communication may be used to promote or market a transaction
or an idea that is discussed in the publication, it is intended to provide
general information about the subject matter covered and is provided with
the understanding that The Principal is not rendering legal, accounting,
or tax advice. It is not a marketed opinion and may not be used to avoid
penalties under the Internal Revenue Code. You should consult with
appropriate counsel or other advisors on all matters pertaining to legal,
tax, or accounting obligations and requirements.
Received on 2010-11-15 15:10:45 CET

This is an archived mail posted to the Subversion Users mailing list.