On Fri, Jul 12, 2013 at 03:45:24PM +0200, Branko Čibej wrote:
> Yes, that is a layering violation. The authz implementation shouldn't
> care where groups names and group membership info comes from. I can
> think of two ways to do this:
>
> 1. The caller provides a callback that the authz resolver can use to
> determine if the current user is a member of some group.
> 2. The caller sends the transitive closure of group memberships along
> with the username, and the authz resolver uses that to determine
> group membership
>
> Both of these options require a libsvn_repos API change.
Yes, I agree completely.
Of course, the authz rules file itself needs to contain ldap
group names, which like the list of user names, are site-specific.
But the mechanism of how the group is looked up belongs outside
of libsvn_repos, of course. Hence my suggestion to move the ldap
lookup code into mod_authz_svn and svnserve.
Received on 2013-07-12 18:33:09 CEST