[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: AuthzSVNAccessFile and branching

From: Eric Eickhoff <ejeickhoff_at_sigma-micro.com>
Date: 2005-07-07 18:48:52 CEST

Thanks Lieven!

I am definitely at a loss here. I don't know what I am missing. A flat
spot is forming on my forehead from beating it against my desk!

To answer your questions: (inline)

"Lieven Govaerts" <lgo@mobsol.be> wrote in message
news:20050706175115.ADE3219819D@europa.telenet-ops.be...
> Eric,
>
> I don't have answers, just some remarks:
>
> 1. in the log:
>
> [Wed Jul 06 09:41:21 2005] [error] [client 10.31.1.21] Access denied:
> '(null)' COPY landfill:/branches/1.0/trunk landfill:/branches/1.0/trunk
>
> there is (null) where the username should be filled in, did you do
> this manually or was it the original error log? If this is like it
> appeared in the log it sure is a problem.
>

  No, I didn't do this manually. It appears that the username is being
'dropped' during the COPY command. For example, when I issue the svn copy
command, here is the access_log entries:

-------------------------
10.31.1.21 - - [07/Jul/2005:11:25:28 -0500] "PROPFIND /repos/landfill
HTTP/1.1" 401 543
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND /repos/landfill
HTTP/1.1" 207 659
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/vcc/default HTTP/1.1" 207 411
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/bln/25 HTTP/1.1" 207 464
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/trunk HTTP/1.1" 207 698
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/vcc/default HTTP/1.1" 207 464
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/bc/25/trunk HTTP/1.1" 207 709
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/branches/3.0 HTTP/1.1" 404 367
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/branches HTTP/1.1" 207 704
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/vcc/default HTTP/1.1" 207 464
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/bc/25/branches/3.0 HTTP/1.1" 404 378
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "OPTIONS /repos/landfill
HTTP/1.1" 200 194
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "MKACTIVITY
/repos/landfill/!svn/act/3cf0eec3-51fb-0310-a5ca-c8092b0b7386 HTTP/1.1" 201
377
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND /repos/landfill
HTTP/1.1" 207 444
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/vcc/default HTTP/1.1" 207 411
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "CHECKOUT
/repos/landfill/!svn/bln/25 HTTP/1.1" 201 392
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPPATCH
/repos/landfill/!svn/wbl/3cf0eec3-51fb-0310-a5ca-c8092b0b7386/25 HTTP/1.1"
207 360
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND /repos/landfill
HTTP/1.1" 207 396
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/branches HTTP/1.1" 207 704
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/vcc/default HTTP/1.1" 207 464
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/bc/25/branches HTTP/1.1" 207 424
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "CHECKOUT
/repos/landfill/!svn/ver/25/branches HTTP/1.1" 201 398
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/trunk HTTP/1.1" 207 698
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "PROPFIND
/repos/landfill/!svn/vcc/default HTTP/1.1" 207 464
10.31.1.21 - user1 [07/Jul/2005:11:25:28 -0500] "COPY
/repos/landfill/!svn/bc/25/trunk HTTP/1.1" 401 348
------------------------------

There error_log contains the same a posted before:

[Thu Jul 07 11:25:28 2005] [error] [client 10.31.1.21] Access denied:
'(null)' COPY landfill:/branches/3.0 landfill:/branches/3.0
[Thu Jul 07 11:25:28 2005] [error] [client 10.31.1.21] Access denied:
'(null)' COPY landfill:/branches/3.0 landfill:/branches/3.0
[Thu Jul 07 11:25:28 2005] [error] [client 10.31.1.21] Access denied:
'(null)' COPY landfill:/branches/3.0 landfill:/branches/3.0

-------------------------

From the access_log, it appears that it has the username (user1) during the
COPY, but it receives the 401 response and then I get the entries in the
error_log indicating the 'null' for username. Is it getting dropped
somewhere??

> 2. Your log and the error show that svn is trying to create a trunk folder
> inside the branches/1.0 folder, so I guess the branches/1.0 folder was
> already created? Try deleting it first, or create another branch.
> ( probably was part of the example? )
>

  attempted to create several unique branches -- same result for all

> 3. I'm not sure about the:
> Options Indexes FollowSymLinks
> AllowOverride None
> order allow,deny
> allow from all
> part, but I copied this in my own apache conf, without problems. Why
> do you need this?
>

These entries were part of a sample config I found (I had to teach myself
Linux in order to implement Subversion -- Linux was required by my boss --
anyway, I am not sure about those entries) I commented them out and still
received the same results

> 4. I do all my testing and production with Subversion 1.2, my logs show
> some differences in comparison to yours:
> C:\temp>svn copy http://mobsol.be/svn/public/trunk
> http://mobsol.be/svn/public/b
> ranches/1.0 -m "branch 1.0" --username lgo
> [Wed Jul 06 19:39:48 2005] [error] [client 84.195.197.106] Access denied:
> 'lgo' CHECKOUT public:/branches
> [Wed Jul 06 19:39:51 2005] [error] [client 84.195.197.106] Access denied:
> 'lgo' CHECKOUT public:/branches
>
> It shows the CHECKOUT command instead of COPY. I'm not sure what this
> means.
> Maybe you can upgrade your testenvironment to 1.2 ( or 1.2.1 ) to see what
> happens there?
>

I performed the upgrade to 1.2.1 and still receive the same results. The
access and error_logs in response #1 are from 1.2.1

> 5. And maybe the obvious question: try to specify --username & --password
> with your
> svn copy command, so you're really sure which account you're using. And
> check if
> this account is truly in the developers group.
>

Tried specifying the username and password and no change. I am pretty
confident that it is picking up the username correctly as it is reflected in
the access_logs.

> Lieven.
>
>
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of Eric Eickhoff
> Sent: woensdag 6 juli 2005 17:01
> To: users@subversion.tigris.org
> Subject: Re: AuthzSVNAccessFile and branching
>
> Thanks Lieven for your info. Here are the log file entries:
>
>
> When I issue the following command:
>
> svn cp http://subv2.xyz.com/repos/landfill/trunk
> http://subv2.xyz.com/repos/landfill/branches/1.0 -m "1.0 branch"
>
> it will prompt me 3 times for username/password and then displays the
> following:
>
> subversion/libsvn_ra_dav/util.c:294: (apr_err=170001)
> svn: COPY of branches/1.0/trunk: authorization failed
> (http://subv2.xyz.com)
>
> The Apache error_log contains a series of these entries:
>
> [Wed Jul 06 09:41:21 2005] [error] [client 10.31.1.21] Access denied:
> '(null)' COPY landfill:/branches/1.0/trunk landfill:/branches/1.0/trunk
> [Wed
> Jul 06 09:41:24 2005] [error] [client 10.31.1.21] Access denied:
> '(null)' COPY landfill:/branches/1.0/trunk landfill:/branches/1.0/trunk
> [Wed
> Jul 06 09:41:27 2005] [error] [client 10.31.1.21] Access denied:
> '(null)' COPY landfill:/branches/1.0/trunk landfill:/branches/1.0/trunk
>
> This is happening on both my production Subversion server and a test
> subversion server (running subversion 1.1.3 -- all else the same).
>
> Again, commits work without a problem, so I know that I have write access
> to
> the repository. Any suggestions?
>
> "Lieven Govaerts" <lgo@mobsol.be> wrote in message
> news:20050706070617.683FA1980DA@europa.telenet-ops.be...
>> Eric,
>>
>> I don't have the solution for your problem, just some info that may
>> help you solve it.
>>
>> I have the same setup like yours in terms of components and
>> configuration, only using different versions:
>>
>> apache 2.0.54 on Suse
>> Subversion 1.2
>> Authentication against AD with mod_authz_ldap
>>
>> Our LDAP configuration is identical to yours.
>>
>> Our svnaccess.conf is identical to your first version.
>>
>> This configuration allows us to make branches without problem.
>>
>> Maybe you can post some relevant extracts of apache's error.log file?
>>
>> Lieven.
>>
>>
>>
>>
>> -----Original Message-----
>> From: news [mailto:news@sea.gmane.org] On Behalf Of Eric Eickhoff
>> Sent: dinsdag 5 juli 2005 20:46
>> To: users@subversion.tigris.org
>> Subject: AuthzSVNAccessFile and branching
>>
>> I am currently having an issue with doing a 'svn copy' command
>> (attempting to create a branch) and the way my access permissions are
>> set up in the AuthzSVNAccessFile.
>>
>> I am doing LDAP authentication without a problem, and can do commits
>> to the repository with no problem -- it is just when doing a svn copy,
>> I keep getting prompted for username and password and eventually
>> fails.
>>
>> Here are the details:
>>
>> Subversion 1.1.2 on RHEL v3
>> Authenticating against W2K Active Directory via mod_authz_ldap Apache
>> 2.0
>>
>> httpd.conf
>> -----------
>> <Location /svn>
>> DAV svn
>> SVNParentPath /svn
>> SVNIndexXSLT "/svnindex.xsl"
>> Options Indexes FollowSymLinks
>> AllowOverride None
>> order allow,deny
>> allow from all
>> AuthzLDAPMethod ldap
>> AuthzLDAPServer ldap1.xyz.com:389
>> AuthzLDAPBindDN "CN=subv,OU=XXX,DC=xyz, DC=com"
>> AuthzLDAPBindPassword "*******"
>> AuthzLDAPUserBase "ou=XXX,dc=xyz,dc=com"
>> AuthzLDAPUserKey sAMAccountName
>> AuthzLDAPUserScope subtree
>> AuthzSVNAccessFile /opt/subversion/svn-access-file
>> AuthType basic
>> AuthName "Subversion Access"
>> require valid-user
>> </Location>
>>
>> svn-access-file
>> --------------------
>> [groups]
>> developers = user1
>>
>> #to allow everyone read access
>> [/]
>>
>> * = r
>>
>> [landfill:/]
>> #allow all developers complete access
>> @developers = rw
>>
>>
>> Now, with this config, I can commit changes to the landfill repository
>> with no problem. However, if I try to create a branch (via svn copy),
>> it will fail after prompting for the username and password several
>> times (on the commit, it prompts once for the username/password and
>> them performs the commit). The apache error_log displays Access
>> Denied entries.
>>
>> If, I modify the following section of the svn-access-file as such:
>>
>> [/]
>>
>> * = rw
>>
>> OR
>>
>> [landfill:/]
>>
>> * = rw
>>
>> everything works without a hitch.
>>
>> Based on what I have read in the manual and online, the original
>> configurations above should work to allow everyone read access and the
>> developers group read/write access (including copies). Am I way off
>> base?
>>
>> Thanks for the help!
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: users-help@subversion.tigris.org
>>
>> --
>> No virus found in this incoming message.
>> Checked by AVG Anti-Virus.
>> Version: 7.0.323 / Virus Database: 267.8.9/39 - Release Date:
>> 4/07/2005
>>
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Anti-Virus.
>> Version: 7.0.323 / Virus Database: 267.8.9/42 - Release Date:
>> 6/07/2005
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.323 / Virus Database: 267.8.9/42 - Release Date: 6/07/2005
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.323 / Virus Database: 267.8.9/42 - Release Date: 6/07/2005

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jul 7 18:55:51 2005

This is an archived mail posted to the Subversion Users mailing list.