RE: Re[2]: administrate AuthzSVNAccessFile with many users and repositories

> > ... so you might run some kind of LDAP server for authentication.
> > This is usable by Apache through mod_ldap and you can use
> > whatever tool you usually use for user/group administration there.
>
> What's tool, for example?

Ahem... I meant 'tools for user administration under Windows'.

> chown works only for whole repository...

I have setup a mapping between LDAP user groups and repository
by using mod_perl and something similar to the following in
/etc/apache2/conf.d/subversion.conf

<Perl >
#!/usr/bin/perl

my $svnbase = '/data/svn/repository';

opendir(DIR, $svnbase)
  or die "Unable to open SVN repository base '$svnbase'\n";

while (my $project = readdir(DIR)) {
  next unless $project =~ /^[[:alnum:]_\-]+$/;
  $Location{"/repository/$project"} = {
    DAV => 'svn',
    SVNPath => "$svnbase/$project",

    AuthType => 'Basic',
    AuthName => "'Subversion repository for project $project'",
    AuthLDAPAuthoritative => 'on',
    AuthLDAPURL => 'ldap://.... ?sub?(objectClass=*)',
    AuthLDAPBindDN => '....
    AuthLDAPBindPassword => '...
    AuthLDAPGroupAttribute => 'member',
    AuthLDAPGroupAttributeIsDN => 'on',

    SSLRequireSSL => 1,

    [...]
    LimitExcept => {
      'GET PROPFIND OPTIONS NAME REPORT' => {
        Require => "group cn=$project-committers,ou=....",
      }
    },
    Limit => {
      'GET PROPFIND OPTIONS NAME REPORT' => {
        Require => "group cn=$project-readers,ou=...",
      }
    },
  };
}
</Perl>

This requires LDAP groups '<project>-committers' and ..-readers
for each project and one repository per project and yields
per-project access (and is what _we_ need).

This certainly can be tweaked to per-directory access and/or
a single repository.

Andre'

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 22 11:11:32 2005