Re: Adding ldap group support to subversion

On 12.07.2013 13:54, 刘新星 wrote:
> Thank you for your suggestions!
>
> mod_ldap for performance improvement is a further consideration.
>
> Actually I want to add ldap support for mod_authz_svn most.
> As far as I can see, when we need ldap authentication, we would take
> these combination 'apache + subversioin'.
> Is it a good idea to move ldap.c from libsvn_subr to mod_authz_svn ?

First of all, there should be no ldap.c in Subversion. If you want to
use LDAP, use the apr-util LDAP API. See:

http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/include/apr_ldap.h.in?view=markup

From the above it follows that libsvn_subr is not the right place to put
LDAP support. That can be, at best, a server feature, so you're basiclly
looking at adding it to svnserve and nowhere else, using the LDAP
support provided by apr-util.

I am strongly against the idea of adding LDAP support to mod_authz_svn.
There is already a mod_ldap, it doesn't make sense to duplicate
functionality. If mod_ldap has performance problems -- well then, that's
the place to solve them. It's open source after all.

Adding /group/ support to mod_authz_svn is completely orthogonal to
LDAP. Let's not mix the two issues. And frankly, I'd rather spend time
adding proper group- and role-based authorization to the repository than
heaping more stuff onto the current config-file-based authz layer.

-- Brane

-- 
Branko ÄŒibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane_at_wandisco.com