[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: R: Re: R: R: SVNParentPath and per Repository Permissions

From: Reinhard Brandstädter <reinhard.brandstaedter_at_ams-engineering.com>
Date: 2004-09-09 15:11:33 CEST

Guido Anzuoni wrote:

>Why mixing url authorization with repository path authorization (require group xxx is a sort of
>authorization directive) ?
>With "require valid-user" apache will activate DAV module only upon successful authentication.
>Your conf could be:
>
><Location /svn>
> # configuration of LDAP module
> Include subversion/authenticate.conf
> ...
> SVNParentPath /home/subversion
> Require valid-user
> AuthzSVNAccessFile subversion/acl/auth-repos.conf
> ...
> </Location>
>
>
I definitely see the advantages of the ParentPath/AuthzSVNAccessFile
approach.
But what stil makes me considering using the other method is the fact
that URL Authentication based on groups saves extra configuration in the
AuthzSVNAccess file.
Considering that we create/add/modify groups in our Active Directory
LDAP server you would have to keep membership information up to date in
the Authz file on the Subversion server and in Active Directory.
The optimum of course would be if it was possible to specify a LDAP
group in the Authz file in such a way that you don't have to worry about
the members in that group. But AFAIK you can only define groups in the
authz file and not refer to LDAP saved ones.
That's basically the reason why I use URL Authentication limited to groups

e.g.:
don't specify any [group] section but use the LDAP group directly

[/]
managers = rw
@cn=managers,cn=groups,dc=sma,dc=com = rw

or substitute the LDAP group like that

[groups]
managers = "LDAP://cn=managers,cn=groups,dc=sma,dc=com"

[/]
managers = rw

Which would mean that Subversion would have to talk LDAP, right?

Reinhard

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Sep 9 15:12:05 2004

This is an archived mail posted to the Subversion Users mailing list.