Hunkel, Manfred wrote:
> Exactly my point:
> authz_svn must be passed a user name, no matter how authentication is achieved.
> What's the content of your access file, then? There _are_ names in there, right?
>
Exactly. *When* I use an access file, then there are names and PWs in
there. And in this case, there is no enforced correlation to the CN or
DN of the Certificate. And access control is based /solely/ on the name
retrieved by basic auth via access file (is that right?)

But -- I pointed this out before -- we want to avoid using an access file.
We plan to integrate with a PKI. The users will have USB-dongles with
their Certificates, that's all.

And this is the problem:
1) If I use "require valid user", then it seems I am forced to have
a htpasswd file and additional names/PWs in it and access control
is based on these names *solely*
2) If I remove "require valid user" and retain only
"SSLVerifyClient require", then authz_svn doesn't impose any
access restrictions. It seems simply to ignore everything and
grant full RW access to everyone (who, of course, has a valid
certificate).
My impression is that at least this module should *refuse*
access for everyone because it cannot derive any valid userid
to base access on. Or am I wrong?

Cheers,
Hermann
Received on Tue Mar 30 13:36:19 2004