
LDAP+authz

From: Dirk Hoffmann <dh.discuss_at_web.de>
Date: 2005-12-09 14:38:55 CET

 Hi,

I'm really desperate about the following problem.

I'm running svn as an apache module.

I want to provide the users with private areas inside a repository.
Private means that only the user who authenticated him(her)self is
allowed to access his(her) area, no matter if for reading or for
writing. Private areas should be realized as subtrees inside the
repository the paths of which start with the user's id, e.g.:

http://server/repo/private
  |-- tom
  |   `-- <tom's files>
  |-- susan
  :   `-- <susan's files>

The authentication data resides in an LDAP database.

So far this could be achieved with the following kind of sections in
apache's configuration file:

<Location /repo/private/tom>
  DAV svn

  SVNPath /local/path/to/repo
  SVNAutoversioning on

  AuthName "Tom's private area"

  # LDAP based authentication
  AuthType Basic
  AuthLDAPURL ldap://server:389/ou=Users,dc=myCompany,dc=de?userid?sub
  AuthLDAPBindDN cn=ldapadmin,dc=myCompany,dc=de
  AuthLDAPBindPassword secret
  AuthLDAPGroupAttribute member
  AuthLDAPGroupAttributeIsDN on

  Require user tom
</Location>

The same for Susan and all the other users.

The problem with this approach is that such a section needs to be
provided for every user in the ldap database. That would mean to somehow
shut down apache, change the configuration file, and restart apache if a
user gets added or removed.

Using mod_authz_svn may reduce the problem as the access file can be
changed without having to restart apache. But you still have to provide
some means to keep the access file in sync with the ldap-database.

So what would be needed is a kind of mod_ldap_authz_svn.

Is something of that sort on the way or does somebody have an idea for a
different approach?

Thanks in advance for sharing your thoughts about this.

Best Regards,
Dirk

 

Received on Fri Dec 9 14:49:57 2005
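
One way to keep the mod_authz_svn access file in sync with the directory, as an added example (not part of the original post and not Subversion project code): render one private section per user id and replace the file atomically. Assumptions: the uid list comes from an LDAP search done elsewhere, the repository is served with SVNPath so sections are written as [/path], the file is the one named by AuthzSVNAccessFile, and render_authz, write_authz and UID_RE are names made up for this sketch.

```python
import os
import re
import tempfile

# Conservative uid pattern (assumption). It rejects newlines, brackets, '=',
# '@', '*', '/' and spaces, any of which could change the meaning of a rule.
UID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def render_authz(uids, base="/private"):
    """Return (authz_text, rejected_uids) for one private subtree per uid."""
    uids = set(uids)
    valid = sorted(u for u in uids if UID_RE.fullmatch(u))
    rejected = sorted(uids - set(valid))
    # Nobody may access the parent directory itself.
    lines = [f"[{base}]", "* =", ""]
    for uid in valid:
        # The owner gets read/write; "* =" denies everyone else.
        lines += [f"[{base}/{uid}]", f"{uid} = rw", "* =", ""]
    return "\n".join(lines), rejected


def write_authz(path, text):
    """Replace the access file atomically so Apache never reads a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authz-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        # Assumption: Apache reads the file through group membership.
        os.chmod(tmp, 0o640)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed sample standing in for the uid values of an LDAP search;
    # the last two entries are hostile or malformed on purpose.
    sample = ["tom", "susan", "eve]\n[/", "*"]
    text, rejected = render_authz(sample)
    print(text)
    print("rejected:", rejected)
```

Log the rejected list rather than dropping it silently, since an unexpected uid in the directory is worth investigating.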
