
Re: Integrating authnz_ldap and authz_groupfile in mod_svn_authz

From: Lieven Govaerts <svnlgo_at_mobsol.be>
Date: Wed, 30 Apr 2008 10:24:55 +0200

Martin Bauer wrote:
> You're right, it's not a good idea to modify other apache-modules.
>
> I've read a little in the code of the apache-modules and in the code of
> svnserve, and I think
> it would be the best solution to write a new svn-auth-library which is used by
> svnserve and apache. I know
> there are a lot of such libs out there already (like pam or sasl) but none of them
> supports authorization.
> So I planned to split this new library in two parts:
> One part would be responsible for authentication. It could get its data from
> svn-auth-files or from LDAP.
> Here it would also be possible to use existing auth-libraries like PAM. And
> the actual source
> can be selected by a statement in the svn-auth file. (If there's no statement
> the svn-auth-file-source
> would be assumed, so it would be compatible with existing svn-auth files)
>

Through SASL for svnserve and the authn modules for apache we already
support authentication.
SASL also supports LDAP for authentication btw, although there seem to
be issues on Windows:
http://svn.haxx.se/dev/archive-2008-02/0081.shtml

I don't think you need to worry about the authentication part, unless
you see some clear gaps in the current functionality.

> The second part would be the authorization part. Here the data comes also from
> the svn-auth file (or
> perhaps later on also from MySQL). This data describes which user has which
> rights on specified paths in the repository.
Ok, this remains the same as we currently have? Or do you think we need
changes in the way we describe access rules? Is fetching those rules
from MySQL something you want to implement?

> At this position it would also be possible to introduce new access-rights.
Can you elaborate on this? What do you mean with 'new access-rights'?

>
> This general svn-auth library would then be used by the apache-module and
> svn-serve.

So you propose to write an authz library that includes an LDAP client,
which can be used both from svnserve and mod_authz_svn right?

Ok, here I have a personal opinion that's probably different than our
users. Personally I couldn't care less about having LDAP authz in
svnserve. It's unfortunate that we have to take certain code which is
already provided in apache modules in our codebase just because we want
to support the feature in svnserve.

OTOH, it seems that in this case we can't directly use the apache
modules due to a missing API - I didn't really check that yet - and
other people probably like the idea of having ldap authz in svnserve.

>
> What do you think of that idea?
>
Ok, keep on going :)

I'm interested in knowing what will be the scope of your plans. I mean,
in terms of features? You referred to new access rights, storing access
rules in mysql etc. Are these things you think of working on? Or are
these options you expect might be useful and want to include in the API
design of your library?

Lieven

Received on 2008-04-30 10:25:12 CEST

This is an archived mail posted to the Subversion Dev mailing list.
