Might be better to ask this on the *@httpd.apache.org lists?
Dale Bohl wrote on Mon, Nov 15, 2010 at 07:39:59 -0600:
> Hello,
>
> I've been banging my head on this one for 2 days now.
> I've googled this issue but it appears not many admins are using this and/or
> it could possibly be a bug in the apache module.
>
> Config
> ------
> Red Hat Enterprise Linux Server release 5.5 (Tikanga)
> Server version: Apache/2.2.3
> svn, version 1.6.12 (r955767)
> Windows 2008 R2
>
> It appears that we cannot use Active Directory Permissions Groups
> with the s-svn server for Subversion repository authentication and authorization
> but yet AD Role groups work just fine.
>
> subversion.conf config for "puppet" repository
> ------------------------------------------------
> #================puppet repo===================================
> <Location /puppet>
> DAV svn
> SVNPath /repos/puppet
> AuthPAM_Enabled on
> AuthType Basic
> AuthName "Subversion Authentication to AD"
>
> # Limit R/W access to certain role groups
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> # Require group SVN-Puppet-ReadWrite-P
> Require group IT-InfrastructureTeam-SystemAdministrator-R
> </LimitExcept>
>
> # Limit R/O access to certain role group
> <Limit GET PROPFIND OPTIONS REPORT>
> # Require group SVN-Puppet-ReadWrite-P
> Require group IT-InfrastructureTeam-SystemAdministrator-R
> </Limit>
> </Location>
>
> The interesting thing is that AD Role Groups appear to work fine within
> the Location directive config above which shows the role group for which
> I'm a member.
>
> If the above config is changed to use the Permissions group shown commented
> out, authentication doesn't work and when that happens I'm seeing the following
> error in ssl_error_log.
>
> [Fri Nov 12 13:10:18 2010] [error] [client 172.16.4.7] GROUP: dpb not in required group(s).
>
> So, even though the following User > Role > Permissions > Resource association
> exists, the group with '-P' in it above won't allow dpb to authenticate
> for repo access.
>
> dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R and
> IT-InfrastructureTeam-SystemAdministrator-R is a member of SVN-Puppet-ReadWrite-P AD
> group
>
> Any help would be greatly appreciated.
>
> --------
> Dale Bohl
> Sr. Systems Administrator
> Mason Companies, Inc.
> dbohl_at_masoncompaniesinc.com
> (715)-720-4382
Received on 2010-11-15 17:02:13 CET
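
An added illustration, not part of the original thread and not code from any Apache or PAM module: it models the User > Role > Permissions chain described in the post and contrasts a flat member-list lookup with a transitive one. That the group check on this server is flat is an assumption, and the `GROUPS` table is constructed from the group names in the post.

```python
import grp

# Constructed table built from the two group names in the post, in the shape
# getgrnam() returns (group name -> gr_mem list). Assumption: the nested role
# group shows up as a member name of the permissions group.
GROUPS = {
    "IT-InfrastructureTeam-SystemAdministrator-R": ["dpb"],
    "SVN-Puppet-ReadWrite-P": ["IT-InfrastructureTeam-SystemAdministrator-R"],
}

def system_groups(names):
    """Build the same table from the host's NSS group database."""
    table = {}
    for name in names:
        try:
            table[name] = list(grp.getgrnam(name).gr_mem)
        except KeyError:
            pass  # group is not visible through NSS on this host
    return table

def direct_member(user, group, groups=GROUPS):
    """Flat check: the user must appear literally in the member list."""
    return user in groups.get(group, [])

def nested_member(user, group, groups=GROUPS):
    """Transitive check: descend into members that are themselves groups."""
    seen, stack = set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # guard against circular nesting
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member == user:
                return True
            if member in groups:
                stack.append(member)
    return False

def explain(user, group, groups=GROUPS):
    """Return 'direct', 'nested-only' or 'absent' for a user/group pair."""
    if direct_member(user, group, groups):
        return "direct"
    return "nested-only" if nested_member(user, group, groups) else "absent"

if __name__ == "__main__":
    for name in GROUPS:
        print(f"{name}: dpb is {explain('dpb', name)}")
```

On the server itself, passing `system_groups([...])` with the two group names as the `groups` argument shows what the host's group database actually returns for them.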