
RE: AuthzSVNAccessFile and LDAP-Groups

From: fisch <fisch_at_conne-island.de>
Date: 2004-10-04 18:53:59 CEST

On Mo, 2004-10-04 at 22:33 +1000, Samay wrote:
> > -----Original Message-----
> > From: fisch [mailto:fisch_at_conne-island.de]
> > Sent: Monday, October 04, 2004 11:59 AM
> > To: subversion-list
> > Subject: RE: AuthzSVNAccessFile and LDAP-Groups
> >
> >
> >
> > Is it possible to use PAM or System-Groups or anything else except a
> > Users-File?
> >
> > bye
> > fisch
> >
>
> I'm not sure about your setup but this is how we are using it in our
> environment
>
> a) (Gentoo + OpenLDAP + Apache + SVN 1.1 + Samba{winbind}) + Microsoft
> Active Directory(AD)

(Gentoo + OpenLDAP + Apache + SVN 1.1) + OpenLDAP

> b) all user authentication and group membership/authentication is against MS
> AD.

same (but OpenLDAP not MS AD)

> c) Winbind provides Authentication bridge and User/Group lookups against AD

same (but pam_ldap not WinBind)

> d) OpenLDAP is used to store IDmap info (UID/GID mappings) for WinBind.

not needed with OpenLDAP

> e) On Linux PAM is configured to use Winbind, alongside the usual,
> /etc/passwd etc.

same

> f) Apache is configured to use Auth Basic (Mod_Auth_PAM) for authentication
> support

using Mod_Auth_LDAP

> g) all Access Control for Subversion is against Group names as defined in
> Microsoft AD

can you give an example? That's what didn't work

> h) it works fine for SVN using Apache/Mod_DAV as that's all we need.

without SVN_AUTHZ ?

> This all works fine, as winbind presents LDAP Users and Groups via PAM. We
> have a need for using Samba as well, hence winbind. Your mileage and
> requirements may vary, however, at least above works.

that's the same as pam_ldap

> yes, there still is an unsolved problem in our setup, that is to provide a
> similar granular access control for WebSVN using groups defined in AD!!!
>
> HTH,
>
>
> Samay.

bye
fisch


-- 
fisch <fisch@conne-island.de>
Received on Mon Oct 4 18:54:38 2004

This is an archived mail posted to the Subversion Users mailing list.
