[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re[4]: administrate AuthzSVNAccessFile with many users and repositories

From: Sergey A. Kobzar <ksa_at_uaic.net>
Date: 2005-07-22 11:12:20 CEST

Hello André,

Friday, July 22, 2005, 12:04:38 PM, you wrote:

>> > ... so you might run some kind of LDAP server for authentication.
>> > This is usable by Apache through mod_ldap and you can use
>> > whatever tool you usually use for user/group administration there.
>>
>> What's tool, for example?

> Ahem... I meant 'tools for user administration under Windows'.

:)

>> chown works only for whole repository...

> I have setup a mapping between LDAP user groups and repository
> by using mod_perl and something similar to the following in
> /etc/apache2/conf.d/subversion.conf

> <Perl >
> #!/usr/bin/perl

> my $svnbase = '/data/svn/repository';

> opendir(DIR, $svnbase)
> or die "Unable to open SVN repository base '$svnbase'\n";

> while (my $project = readdir(DIR)) {
> next unless $project =~ /^[[:alnum:]_\-]+$/;
> $Location{"/repository/$project"} = {
> DAV => 'svn',
> SVNPath => "$svnbase/$project",

> AuthType => 'Basic',
> AuthName => "'Subversion repository for project $project'",
> AuthLDAPAuthoritative => 'on',
> AuthLDAPURL => 'ldap://.... ?sub?(objectClass=*)',
> AuthLDAPBindDN => '....
> AuthLDAPBindPassword => '...
> AuthLDAPGroupAttribute => 'member',
> AuthLDAPGroupAttributeIsDN => 'on',

> SSLRequireSSL => 1,

> [...]
> LimitExcept => {
> 'GET PROPFIND OPTIONS NAME REPORT' => {
> Require => "group cn=$project-committers,ou=....",
> }
> },
> Limit => {
> 'GET PROPFIND OPTIONS NAME REPORT' => {
> Require => "group cn=$project-readers,ou=...",
> }
> },
> };
> }
> </Perl>

> This requires LDAP groups '<project>-committers' and ..-readers
> for each project and one repository per project and yields
> per-project access (and is what _we_ need).

> This certainly can be tweaked to per-directory access and/or
> a single repository.

Thanks! It's very useful for me! I'll try it.

> Andre'

-- 
Best regards,
 Sergey                            mailto:ksa@uaic.net
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 22 11:19:50 2005

This is an archived mail posted to the Subversion Users mailing list.