On 12.07.2013 18:32, Stefan Sperling wrote:
> On Fri, Jul 12, 2013 at 03:45:24PM +0200, Branko Čibej wrote:
>> Yes, that is a layering violation. The authz implementation shouldn't
>> care where group names and group membership info come from. I can
>> think of two ways to do this:
>>
>> 1. The caller provides a callback that the authz resolver can use to
>> determine if the current user is a member of some group.
>> 2. The caller sends the transitive closure of group memberships along
>> with the username, and the authz resolver uses that to determine
>> group membership.
>>
>> Both of these options require a libsvn_repos API change.
> Yes, I agree completely.
>
> Of course, the authz rules file itself needs to contain ldap
> group names,
Scratch "ldap" -- it has to contain group names, that's all.
> which like the list of user names, are site-specific.
Of course.
> But the mechanism of how the group is looked up belongs outside
> of libsvn_repos, of course. Hence my suggestion to move the ldap
> lookup code into mod_authz_svn and svnserve.
Probably only svnserve; mod_authz_svn should just use whatever group
info is available. mod_ldap isn't the only such provider, you could use
mod_auth_pam or even mod_auth_pgsql, for example. The question I don't
know the answer to is whether there's a standard interface for
authentication modules that mod_authz_svn could use to query group
membership.
-- Brane
--
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane_at_wandisco.com
Received on 2013-07-12 18:43:35 CEST
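The two options Brane lists, as an added example that is not code from the Subversion project: the authz resolver either takes a membership callback (option 1) or receives a precomputed transitive closure of the user's groups (option 2), and in both cases knows nothing about where group data comes from. The group table, rule table, function names and the simplified "union of matching rules" precedence are constructed assumptions, not libsvn_repos API or its exact authz semantics.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample: group definitions as the caller (svnserve or
# mod_authz_svn) might obtain them from its own provider. "@name" nests
# another group, the way an svn authz [groups] section does.
GROUPS: Dict[str, List[str]] = {
    "admins": ["alice"],
    "devs": ["bob", "@admins"],
    "everyone": ["@devs", "carol"],
}

# Constructed path rules: path -> list of (principal, access). A principal
# starting with "@" is a group. Precedence is simplified to the union of
# all matching rules; this is an assumption, not Subversion's real semantics.
RULES: Dict[str, List[Tuple[str, str]]] = {
    "/trunk": [("@devs", "rw"), ("carol", "r")],
    "/tags": [("@admins", "rw"), ("@everyone", "r")],
}

def group_closure(groups: Dict[str, List[str]], user: str) -> Set[str]:
    """Option 2, caller side: every group the user is in, directly or via nesting."""
    member_of: Set[str] = set()
    changed = True
    while changed:  # fixed-point iteration copes with any nesting depth
        changed = False
        for name, members in groups.items():
            if name in member_of:
                continue
            direct = user in members
            nested = any(m[1:] in member_of for m in members if m.startswith("@"))
            if direct or nested:
                member_of.add(name)
                changed = True
    return member_of

def check_access(rules: Dict[str, List[Tuple[str, str]]], path: str, user: str,
                 is_member: Callable[[str, str], bool]) -> str:
    """Option 1: the resolver only asks the callback whether user is in a group."""
    granted: Set[str] = set()
    for principal, access in rules.get(path, []):
        if principal == user or (principal.startswith("@") and is_member(user, principal[1:])):
            granted.update(access)
    return "".join(sorted(granted))  # "", "r" or "rw"

def check_access_with_closure(rules: Dict[str, List[Tuple[str, str]]], path: str,
                              user: str, user_groups: Set[str]) -> str:
    """Option 2 reuses the same resolver: the closure sent by the caller replaces the callback."""
    return check_access(rules, path, user, lambda _u, g: g in user_groups)
```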