[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: R: Re: R: R: SVNParentPath and per Repository Permissions

From: Guido Anzuoni <guido.anzuoni_at_kyneste.com>
Date: 2004-09-09 17:33:59 CEST

> -----Original Message-----
> From: Reinhard Brandstädter
> [mailto:reinhard.brandstaedter@ams-engineering.com]
> Sent: Thursday, September 09, 2004 3:12 PM
> To: users@subversion.tigris.org
> Subject: Re: R: Re: R: R: SVNParentPath and per Repository Permissions
>
>
> Guido Anzuoni wrote:
>
> >Why mixing url authorization with repository path
> authorization (require group xxx is a sort of
> >authorization directive) ?
> >With "require valid-user" apache will activate DAV module
> only upon successful authentication.
> >Your conf could be:
> >
> ><Location /svn>
> > # configuration of LDAP module
> > Include subversion/authenticate.conf
> > ...
> > SVNParentPath /home/subversion
> > Require valid-user
> > AuthzSVNAccessFile subversion/acl/auth-repos.conf
> > ...
> > </Location>
> >
> >
> I definitely see the advantages of the ParentPath/AuthzSVNAccessFile
> approach.
> But what stil makes me considering using the other method is the fact
> that URL Authentication based on groups saves extra
> configuration in the
> AuthzSVNAccess file.
> Considering that we create/add/modify groups in our Active Directory
> LDAP server you would have to keep membership information up
> to date in
> the Authz file on the Subversion server and in Active Directory.

Yes, this is a nasty drawback if you need ldap groups for other purposes.

> The optimum of course would be if it was possible to specify a LDAP
> group in the Authz file in such a way that you don't have to
> worry about
> the members in that group. But AFAIK you can only define
> groups in the
> authz file and not refer to LDAP saved ones.
> That's basically the reason why I use URL Authentication
> limited to groups
>
> e.g.:
> don't specify any [group] section but use the LDAP group directly
>
> [/]
> managers = rw
> @cn=managers,cn=groups,dc=sma,dc=com = rw
>
> or substitute the LDAP group like that
>
> [groups]
> managers = "LDAP://cn=managers,cn=groups,dc=sma,dc=com"

Fully subscribed !!!!!
I want it !!!!

>
> [/]
> managers = rw
>
> Which would mean that Subversion would have to talk LDAP, right?
>
> Reinhard
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Sep 9 17:35:07 2004

This is an archived mail posted to the Subversion Users mailing list.