OK, clear.
See interleaved comments.
Guido.
> -----Original Message-----
> From: Reinhard Brandstädter [mailto:r.brandstaedter@gmx.at]
> Sent: Tuesday, 7 September 2004 19:59
> To: users@subversion.tigris.org
> Subject: Re: R: R: SVNParentPath and per Repository Permissions
>
>
>
> Guido Anzuoni wrote:
>
> |>I am not sure I have fully understood your problem (a little
> |>example may help).
> |>Anyway, I will explain my conf hoping it would somehow be useful.
>
> You are right the explanation was somewhat short, sorry.
>
> This is what I'm using:
>
> <Location /svn/repos1>
> # configuration of LDAP module
> Include subversion/authenticate.conf
> ...
> SVNPath /home/subversion/repos1
> require group cn=project1,ou=groups,dc=sma,dc=com
> require group cn=managers,ou=groups,dc=sma,dc=com
> AuthzSVNAccessFile subversion/acl/auth-repos1.conf
> ...
> </Location>
>
> <Location /svn/repos2>
> # configuration of LDAP module
> Include subversion/authenticate.conf
> ...
> SVNPath /home/subversion/repos2
> require group cn=project2,ou=groups,dc=sma,dc=com
> AuthzSVNAccessFile subversion/acl/auth-repos2.conf
> ...
> </Location>
>
> Since there are 2 different (disjunct) require statements it's
> impossible to centrally define SVNParentPath.
> It would be possible if Apache 2 allowed nested <Location> directives:
>
> <Location /svn>
> <Location repos1> ### -> effective "location" = /svn/repos1
> </Location>
> </Location>
>
> Anyway, it's more a theoretical question since I want to lock down
> access to different Locations to different groups (by LDAP). Once
> members of these groups are granted access, authorization is
> managed by the access control (AuthzSVNAccessFile).
Why mix URL authorization with repository path authorization ("require group xxx" is a sort of
authorization directive)?
With "require valid-user" Apache will activate the DAV module only upon successful authentication.
Your conf could be:
<Location /svn>
# configuration of LDAP module
Include subversion/authenticate.conf
...
SVNParentPath /home/subversion
Require valid-user
AuthzSVNAccessFile subversion/acl/auth-repos.conf
...
</Location>
and in auth-repos.conf:
[groups]
managers = <members of ldap group cn=managers,ou=groups,dc=sma,dc=com >
repos1-team = <members of ldap group cn=project1,ou=groups,dc=sma,dc=com >
repos2-team = <members of ldap group cn=project2,ou=groups,dc=sma,dc=com >
[/]
* =
[repos1:/]
@repos1-team = rw
@managers = rw
[repos2:/]
@repos2-team = rw
.......
>
> I see so far:
> Pros: ACLs are simpler, since a "* = r" only affects the
> (previously) authenticated group of users (require group)
>
> Cons: Configuration of repositories is more complex. Can't add new
> repositories during runtime - have to restart Apache (or re-read
> configuration)
Let's compare the tasks once a new repository has been created.
Location approach:
1. Add <Location> to apache conf
2. (Optional) create ldap group and set membership
3. Set additional ACL in AuthzSVNAccessFile for the new repos
4. restart apache
AuthzSVNAccessFile approach:
1. (Optional) create AuthzSVNAccessFile group and set membership
2. Set ACL in AuthzSVNAccessFile for the new repos
Note that you can have in AuthzSVNAccessFile file:
[/]
* = r
[repos1:/]
* =
@repos1-team = rw
@managers = rw
.......
So that repos1 access (even read) is granted only to repos1-team and managers groups members.
>
> So far it's not a tragedy but if someone recommends a more elegant way
> to accomplish the same, please let me know.
>
> Reinhard
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
Received on Wed Sep 8 09:28:31 2004
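The section precedence that Guido's last AuthzSVNAccessFile snippet relies on (a "[repos1:/]" section overriding "[/]" for the same path, and a more specific path overriding a less specific one), as an added example that is not part of this thread: a small Python resolver for AuthzSVNAccessFile-style rules. The sample file and user names are constructed, and the within-section precedence (explicit user entry, then group entry, then "*") is an assumption made to keep the example short.

```python
"""Toy resolver for AuthzSVNAccessFile-style rules (constructed example)."""
import configparser
from typing import Optional

# Constructed sample in the style of the thread: everyone may read by
# default, but repos1 revokes that and re-grants rw to two groups only.
SAMPLE_AUTHZ = """
[groups]
managers = alice
repos1-team = bob
repos2-team = carol

[/]
* = r

[repos1:/]
* =
@repos1-team = rw
@managers = rw

[repos2:/]
@repos2-team = rw
"""

def load_authz(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # keep the case of user and group names
    cp.read_string(text)
    return cp

def user_groups(cp: configparser.ConfigParser, user: str) -> set:
    """Names of the [groups] entries that list this user as a member."""
    if not cp.has_section("groups"):
        return set()
    return {g for g, members in cp["groups"].items()
            if user in [m.strip() for m in members.split(",")]}

def _section_rights(cp, section: str, user: str, groups: set) -> Optional[str]:
    """Rights from one section, or None if no rule there matches the user.
    Assumed precedence inside a section: explicit user > @group > '*'."""
    if not cp.has_section(section):
        return None
    rules = cp[section]
    if user in rules:
        return rules[user]
    for g in groups:
        if "@" + g in rules:
            return rules["@" + g]
    return rules["*"] if "*" in rules else None

def access(cp, user: str, repo: str, path: str) -> str:
    """Walk from path up to '/', trying '[repo:path]' before '[path]' at
    each level; the first section with a matching rule decides."""
    groups = user_groups(cp, user)
    parts = [p for p in path.split("/") if p]
    while True:
        p = "/" + "/".join(parts)
        for section in (f"{repo}:{p}", p):
            rights = _section_rights(cp, section, user, groups)
            if rights is not None:
                return rights
        if not parts:
            return ""                 # no rule anywhere: no access
        parts.pop()

DEMO = load_authz(SAMPLE_AUTHZ)
```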