Hi Cong,
thanks for sharing this patch, it's really interesting. I didn't review it
thoroughly yet, I just have some high-level questions and remarks:
- What new functionality does this patch provide? If I understand your example
correctly the function is: 'If this account is part of at least this LDAP group,
then allow r/w access for a project/path'. Right?
- When do you do the LDAP lookup, for each request? Apache already does an LDAP
lookup for the authentication part (password validation), so this will have a
negative performance impact.
- Why don't you use the already defined AuthzLDAPURL and AuthzDAPBindDN
commands?
- I see you copy large parts of existing code from mod_auth_ldap.c. Why do you
do that? If you need that functionality, use the existing functions or extract
common functionality in a new function.
To which branch & revision of the Subversion code did you make the patch? Do
you use this already in a test/production system?
I'd suggest before adding new functionality to the authn/authz mechanism of
Subversion we gather requirements and make a design proposal. As far as I'm
concerned, integration with enterprise architecture for authz is one of the
weak spots of Subversion and if we want to tackle that (and I really want that)
we should do it in a structured way.
Not to say that your patch isn't welcome, let's use the opportunity as a
starting point for further discussion.
regards,
Lieven.
Quoting Ngo Van Cong <van_cong.ngo@int-evry.fr>:
> These patches help you to use ldap group in the control access file of
> the module Authz. If you want to use it, you must declare Directive
> AuthzSVNLDAPURL this is the path to ldap server.
> Directive AuthzSVNLDAPBindDN is a bind domain name when you want to
> use default group in ldap server (default group=repos name) for this you
> must turn on Directive AuthzSVNLDAPEnableDefaultGroup
>
> Here is my configuration in apache:
> AuthzSVNAccessFile /etc/apache2/access.passwd
> AuthzSVNLDAPURL ldap://localhost/dc=int-evry,dc=fr
> AuthzSVNLDAPEnableDefaultGroup on
> AuthzSVNLDAPBindDN ou=group,dc=int-evry,dc=fr
> AuthzSVNLDAPGroupAttribute memberUid
>
> and in the access.passwd
>
> [projet1:/home/user1]
> @user=r
>
> [groups]
> developers = oberger, benoit, admin
> user = ldap:cn=user,ou=group,dc=int-evry,dc=fr
> in this case, default group=projet1, for repository projet1, in ldap server
> have permission rw.
> Regards
> Cong
>
> [SNIPPED VERY LARGE PATCH]
Received on Thu Jul 6 13:35:06 2006
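
As an added illustration (not code from Cong's patch, which is snipped above, and not Subversion's own): a sketch of resolving an `ldap:` group reference from the access file through a TTL cache, which bears on the per-request lookup question raised in the reply. The `Authz` class, the in-memory `DIRECTORY` stand-in for the LDAP server (group DN to `memberUid` values), the TTL, and the simplified union-of-rights rule are all assumptions.

```python
import configparser
import time

# Constructed access file, modelled on the one quoted in the message above.
ACCESS_FILE = """\
[projet1:/home/user1]
@user = r
@developers = rw

[groups]
developers = oberger, benoit, admin
user = ldap:cn=user,ou=group,dc=int-evry,dc=fr
"""

# Constructed stand-in for the directory: group DN -> memberUid values.
DIRECTORY = {"cn=user,ou=group,dc=int-evry,dc=fr": ["oberger", "cong"]}


class Authz:  # hypothetical helper, not part of mod_authz_svn
    def __init__(self, text, lookup, ttl=300.0, clock=time.monotonic):
        self.cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        self.cp.optionxform = str  # keep user and group names case-sensitive
        self.cp.read_string(text)
        self.lookup, self.ttl, self.clock = lookup, ttl, clock
        self.cache = {}   # group DN -> (expiry time, members)
        self.queries = 0  # directory round trips actually made

    def members(self, group):
        value = self.cp["groups"][group].strip()
        if not value.startswith("ldap:"):
            return {m.strip() for m in value.split(",")}  # locally defined group
        dn = value[len("ldap:"):]
        hit = self.cache.get(dn)
        if hit is None or hit[0] <= self.clock():  # miss or expired: ask the directory
            self.queries += 1
            hit = (self.clock() + self.ttl, frozenset(self.lookup(dn)))
            self.cache[dn] = hit
        return hit[1]

    def access(self, user, section):
        """Union of rights granted to `user` in `section` (simplified); '' means deny."""
        rights = set()
        for name, perms in self.cp[section].items():
            if name == user or (name.startswith("@") and user in self.members(name[1:])):
                rights |= set(perms.strip())
        return "".join(sorted(rights))
```

The cache removes the per-request directory query, at the cost that a user removed from the LDAP group keeps access until the cached entry expires, so the TTL bounds how long a revocation can lag.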