[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Adding ldap group support to subversion

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 12 Jul 2013 15:35:28 +0200

On Fri, Jul 12, 2013 at 03:21:30PM +0200, Branko Čibej wrote:
> Well, I disagree that it's a tiny feature. It seems to me that it's a
> quite significant addition to the way we process authz rules, at the
> very least it's a significant user-visible change that affects both
> performance and backwards compatibility, so it merits a design
> discussion on this list.

OK, that's fair.

> The fact that the dependency coupling and
> layering violation in the original patch didn't raise a whole lot more
> objections frankly scares me.

Which layering violations? That we're using literal ldap group names
in the authz file and ask ldap for them? I don't think that's an issue
since the new functionality is only enabled if the admin configures an
ldap connection.

If you're talking about the exposure of various internal data types
in public headers, I've raised those concerns already.

Or is it the dependency chain
 (mod_authz_svn | svnserve) -> libsvn_repos -> libsvn_subr -> openldap
that scares you? I believe I also raised the concern that the ldap
query should be made in mod_authz_svn (and svnserve), and the result
of that should be somehow made available to lisvn_repos via a new API.

Did you have something else in mind?

I think that a patch which makes mod_authz_svn call out to mod_ldap,
and makes svnserve use the ldap API provided by APR-util, should be fine.
Received on 2013-07-12 15:36:03 CEST

This is an archived mail posted to the Subversion Dev mailing list.