[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Integrating authnz_ldap and authz_groupfile in mod_svn_authz

From: Martin Bauer <bauer_martin_at_gmx.de>
Date: Thu, 24 Apr 2008 19:48:12 +0200

You're right, its not a good idea to modify other apache-modules.

I've read a little in the code of the apache-modules and in the code of
svnserve, and I think
it would be the best solution to write a new svn-auth-library which is used by
svnserve and apache. I know
there are a lot such libs out there already (like pam or sasl) but non of them
supports authorization.
So I planned to split this new library in two parts:
One part would be responsible for authentication. I could gets its data from
svn-auth-files or from LDAP.
Here it would also be possible to use existing auth-libraries like PAM. And
the actual source
can be selected by a statement in the svn-auth file. (If there's no statement
the svn-auth-file-source
would be assumed, so it would be compatible with existing svn-auth files)

The second part would be the authorization part. Here the data comes also from
the svn-auth file (or
perhaps later on also from MySQL). This data describe which user has which
rights on specified paths in the repository.
At this position it would also be possible to introduce new access-rights.

This general svn-auth library would than be used by the apache-module and

Would do you think of that idea?

Am Mittwoch, 23. April 2008 01:59:35 schrieben Sie:
> On Mon, Apr 14, 2008 at 11:26 AM, Martin Bauer <bauer_martin_at_gmx.de> wrote:
> > As a Google SummerOfCode Project I'm planning to add new Auth-features to
> > mod_autz_svn.
> > Users should be able to use groups from other apache-moduls (like ldap
> > and groupfile) in the SVN-Auth File. So groups don't have to be defined
> > twice.
> >
> > I thought of adding a function like isUserInGroup(char* groupname) to
> > the relevant modules (mod_authz_groupfile and mod_authnz_ldap) which is
> > called from the authz_svn-module if there is an unknown group.
> >
> > What do you thing of that idea?
> I hope you explore the provider API - IOW, expose those functions via
> providers and not static linkage. =) -- justin

To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-04-24 21:05:53 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.