[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Adding ldap group support to subversion

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 12 Jul 2013 18:32:29 +0200

On Fri, Jul 12, 2013 at 03:45:24PM +0200, Branko Čibej wrote:
> Yes, that is a layering violation. The authz implementation shouldn't
> care where groups names and group membership info comes from. I can
> think of two ways to do this:
>
> 1. The caller provides a callback that the authz resolver can use to
> determine if the current user is a member of some group.
> 2. The caller sends the transitive closure of group memberships along
> with the username, and the authz resolver uses that to determine
> group membership
>
> Both of these options require a libsvn_repos API change.

Yes, I agree completely.

Of course, the authz rules file itself needs to contain ldap
group names, which like the list of user names, are site-specific.
But the mechanism of how the group is looked up belongs outside
of libsvn_repos, of course. Hence my suggestion to move the ldap
lookup code into mod_authz_svn and svnserve.
Received on 2013-07-12 18:33:09 CEST

This is an archived mail posted to the Subversion Dev mailing list.