
Re: Various Access Control Questions

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-06-13 23:37:38 CEST

Xandy Johnson wrote:

> <Location /svn>
> DAV svn
> SVNParentPath /export/subversion
> AuthLDAPURL "ldap://some-long-ldap-url"
> AuthLDAPBindDN "MY_DOMAIN\username"
> AuthLDAPBindPassword password
> AuthType Basic
> AuthName "LDAP authentication for MY_DOMAIN"
> require valid-user
> </Location>
>
>
> 1) How do I configure anonymous read-only access and retain read-write
> access for all authenticated users without having to maintain the user list
> in the AuthzSVNAccessFile? I get that I need to add something like:
>
> AuthzSVNAccessFile /etc/svnaccess
> Satisfy Any
>
> And I get how to grant anonymous read-only access in /etc/svnaccess:
>
> [/]
> * = r
>
> And I realize I could add access back for specific users with something
> like:
>
> [/]
> * = r
> xandy = rw
>
> And even that I can have groups. But then I have to maintain users and
> groups in /etc/svnaccess rather than leveraging what's already in Active
> Directory.

AuthzSVNAccessFile and Active Directory are both referring to the same
authenticated usernames. But they have separate notions of groups, so
you'll have to keep group definitions in sync.

Of course, if you don't need per-repository or per-directory access
control, then there's no need to use AuthzSVNAccessFile at all. Just do a

<LimitExcept GET PROPFIND REPORT OPTIONS>
   Require valid-user
</LimitExcept>

This will allow all read requests to happen anonymously, and all write
requests to demand authentication.

>
>
> 2) Can the AuthzSVNAccessFile use groups defined in Active Directory, and
> if so how?
>
>
> 3) When do changes to the AuthzSVNAccessFile take effect (e.g. immediately
> on write or after Apache is restarted)?
>
>
> Thanks in advance,
> Xandy
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Received on Sun Jun 13 23:40:31 2004
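
The two fragments from this message combined into one block, as an added example that is not part of the original mail: the `<Location>` from the question with the `<LimitExcept>` from the reply nested inside it. The outer `require valid-user` is dropped, because at the `<Location>` level it would still demand credentials for every method, reads included.

```apache
<Location /svn>
  DAV svn
  SVNParentPath /export/subversion

  # Authentication settings copied from the question. They are only
  # consulted when a Require directive applies to the request.
  AuthType Basic
  AuthName "LDAP authentication for MY_DOMAIN"
  AuthLDAPURL "ldap://some-long-ldap-url"
  AuthLDAPBindDN "MY_DOMAIN\username"
  AuthLDAPBindPassword password

  # No Require at this level, so the read-only methods named below are
  # served anonymously. Every other method (the ones a commit uses, such
  # as MKACTIVITY, PUT and MERGE) falls inside the block and needs a login.
  <LimitExcept GET PROPFIND REPORT OPTIONS>
    Require valid-user
  </LimitExcept>

  # AuthzSVNAccessFile and "Satisfy Any" are not needed for this setup;
  # they only matter for per-repository or per-directory rules.
</Location>
```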

This is an archived mail posted to the Subversion Users mailing list.
