
Adding ldap group support to subversion

From: ม๕ะยะว <13407109142_at_163.com>
Date: Tue, 9 Jul 2013 00:46:36 +0800 (CST)

What I am doing is adding ldap group support to subversion, which means we don't need any predefined groups in the authz file. We get groups from the ldap server directly.
Why would I do that?
I am a subversion administrator at a big company. We have thousands of SVN repositories for hundreds of thousands of developers. We like subversion because it is simple. But sometimes I hate it when I handle a hundred problems for subversion users in a single day. Mostly the problems are related to the authz file. Among those problems, one is about group definition.
As we know, we can provide ldap group support indirectly by synchronizing ldap groups to the authz file at regular intervals. So does my company. Here comes the problem. We use ldap groups because we don't want to maintain another group system. It's a waste of labor and money.
1. For a big development team, the authz file can reach up to almost 1M bytes. Every group has hundreds of members. When it comes the tures, we have two time-consuming issues. One is reading the authz file. The other is finding a user in a group.
2. We use a script to synchronize ldap groups to the authz file. However, it is not stable enough in case of a momentary bad network or IO conflict. Very often we add a user to an ldap group but cannot find it in that group in the authz file. Then lots of users will ask me for help. I hate that.
Since we provide ldap authentication through an apache module, I've always wondered why we don't take it further. Why don't we provide ldap groups directly in subversion?
That's why I am doing this. It will save me a lot of time and free me from those annoying moments. Most importantly, it will improve my administration performance and bring me more money. Also, I've read posts calling for this feature.

How can you take advantage of this feature?
I suppose you are using the apache module for ldap authentication, 'mod_authnz_ldap'. I simply reuse some of its commands. 'mod_authnz_ldap' is an apache module for ldap authentication. We use the commands 'AuthLDAPBindDN', 'AuthLDAPBindPassword' and 'AuthLDAPURL' for ldap authentication. Furthermore, we need a switch to indicate whether we need ldap group support. If not, subversion works in its old way. At the starting phase, we recursively get all groups for the current accessing user and maintain them in a hash table. When we are validating whether a group authorization rule applies to the current user, we just look for that group in the user's groups hash table.
You may configure your location section in httpd.conf like this. Then you don't need any predefined groups in the authz file any more.
LdapGroupEnable on
AuthLDAPBindDN username
AuthLDAPBindPassword password
AuthLDAPURL "ldap://sever:389/dc=organization,dc=company,dc=com"
There are three reasons why it will be less time-consuming than using groups defined in an authz file. Firstly, a user won't belong to more groups than a group has members. Secondly, we get all groups in one session. It won't take too much time. Lastly, finding a group in a hash table is really fast, as we know.
I've done a rough test in my company. The result shows that for small authz files, there's no improvement in speed from direct ldap group support. When the authz file becomes larger, the speed improvement is obvious. As for stability, ldap servers in my company are the most basic equipment. That's an assurance for the feature of ldap group support. So it is for most companies, I believe.
If you need any detailed information or have further implementation suggestions, please contact me later.
Looking forward to your feedback. Thanks.

Received on 2013-07-08 18:47:17 CEST

This is an archived mail posted to the Subversion Dev mailing list.
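
The lookup the message describes (collect all of a user's groups once, nested ones included, then answer each group rule with a hash lookup), as an added example that is not part of the original post or of Subversion's code. The directory contents, the rule list, the names `groups_of` and `access`, and the simplified rule model are assumptions; the visited check and the expansion limit cover nested groups that reference each other, which the recursive step has to survive.

```python
from collections import deque

BASE = "dc=organization,dc=company,dc=com"  # base DN taken from the post's AuthLDAPURL

def dn(attr, name):
    return f"{attr}={name},{BASE}"

# Constructed sample directory: group DN -> direct members (user or group DNs).
DIRECTORY = {
    dn("cn", "svn-core"):    [dn("uid", "alice")],
    dn("cn", "developers"):  [dn("cn", "svn-core"), dn("uid", "bob")],
    dn("cn", "all-staff"):   [dn("cn", "developers"), dn("cn", "contractors")],
    dn("cn", "contractors"): [dn("uid", "carol"), dn("cn", "all-staff")],  # cyclic nesting
}

def groups_of(user_dn, directory, max_groups=1000):
    """Return the cn of every group the user is in, directly or through nesting."""
    parents = {}  # member DN -> groups that list it directly
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member.lower(), set()).add(group.lower())
    found, queue = set(), deque([user_dn.lower()])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group in found:
                continue  # already expanded: this is what stops cyclic nesting
            if len(found) >= max_groups:
                raise RuntimeError("group expansion limit exceeded")
            found.add(group)
            queue.append(group)
    # Naive cn extraction; the constructed DNs contain no escaped commas.
    return {g.split(",", 1)[0].split("=", 1)[1] for g in found}

def access(user, user_groups, rules):
    """Union of the grants on rules naming the user, '*', or one of the user's groups
    (a simplified model, not Subversion's full authz evaluation)."""
    granted = set()
    for subject, perms in rules:
        if subject in ("*", user) or (subject[:1] == "@" and subject[1:] in user_groups):
            granted |= set(perms)
    return "".join(sorted(granted))

RULES = [("@svn-core", "rw"), ("@all-staff", "r")]  # constructed rules for one path

if __name__ == "__main__":
    for uid in ("alice", "carol", "dave"):
        groups = groups_of(dn("uid", uid), DIRECTORY)
        print(uid, sorted(groups), repr(access(uid, groups, RULES)))
```

A user the directory does not know resolves to an empty group set and so matches no group rule, which is the fail-closed outcome an authorization path needs when the lookup returns nothing.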