
Need Help with Authentication / Authorization oddity

From: Paul <alabamapaul_at_gmail.com>
Date: 2006-01-13 23:06:51 CET

Hi,
We've been using Subversion for about 2.5 months, and I just recently
discovered a bit of a hole in our security.

** Background Info **
I'm running Subversion v1.2.3, Apache 2.0.55, WebSVN v1.61,
mod_auth_ldap v2.7 (from
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html)
on a Windows 2003 Server - Standard Edition.

Authentication is working fine for WebSVN, the user must be a member
of the group, and if the user is not part of the group, they cannot
access WebSVN.

However, for the SVN portion, even if the user is not a member of the
group, but has valid credentials, Apache or Subversion looks at the
authz.conf.

** Example **
My username is paul
With my web browser, I try to go to http://svn.server.com/WebSVN/ and
I am prompted for and provide my credentials. Mod_auth_ldap determines
the credentials are valid, but I am not a member of the group
"CN=DL-HSV-SCM Users,OU=HSV", so I get a 401 Access Denied error.
If I try to go to http://svn.server.com/svn/Sandbox again I am
prompted for and provide my credentials. This time, however, I am
granted access to the Sandbox repository, even though my Apache config
has a require group... line.

** Questions **
Is this expected behavior?
Do I have Apache misconfigured?
What can I do to correct this?
I thought the authz file would only be used if the Apache
authentication succeeded.

I suspect there is something missing in my httpd.conf file, but I
can't figure out what.

** Plea for help ;-) **
Any help is greatly appreciated.

Thanks,
Paul

** Various Configuration Files **
The SVN portion of my httpd.conf looks like this:
-------------------------------------------------------------------
  <Location /svn>
    DAV svn
    SVNParentPath D:\SVN-Data

    AuthzSVNAccessFile D:\SVN-Conf\authz\authz.conf

    AuthType Basic
    AuthName "Subversion Repositories"
    AuthLDAPAuthoritative ON
    Bind_Tries 5
    LDAP_Debug Off
    LDAP_Server our.ldap.server.com
    LDAP_Port 389
    Base_DN "DC=corp,DC=server,DC=com"
    Bind_DN "SomeDN"
    Bind_Pass "********"
    UID_Attr sAMAccountName
    Group_Attr member
    Require group "CN=DL-HSV-SCM Users,OU=HSV"

    # Use our custom error handler for 401 (Access Denied) errors
    ErrorDocument 401 /error/hsv-svn-error.pl
  </Location>

  Alias /WebSVN/ "C:/WebSVN/"
  <Directory "C:/WebSVN">
    AuthType Basic
    AuthName "Subversion Repositories (WebSVN)"
    AuthLDAPAuthoritative ON
    Bind_Tries 5
    LDAP_Debug Off
    LDAP_Server our.ldap.server.com
    LDAP_Port 389
    Base_DN "DC=corp,DC=server,DC=com"
    Bind_DN "SomeDN"
    Bind_Pass "********"
    UID_Attr sAMAccountName
    Group_Attr member
    Require group "CN=DL-HSV-SCM Users,OU=HSV"
  </Directory>
-------------------------------------------------------------------

My authz.conf file looks like this:
-------------------------------------------------------------------
########################################################
## $Id: authz.conf 18 2006-01-05 20:00:30Z tom $
##
## Access control list for Subversion Repositories
##
########################################################

########################################################
## GROUPS: This section defines groups that can appear
## in any ACL
########################################################
[groups]
svn-admins = tom, dick, harry

########################################################
## Repository: DEFAULT
## This section contains the default setting for all
## that are not explicitly defined in this file.
## By default, grant read access to all repositories
## for all users, and grant read-write access for admins
########################################################
[/]
@svn-admins = rw
* = r

########################################################
## Repository: SVN-Conf
## This repository is used for maintaining Subversion
## Configuration information ## such as this file,
## mailer file, etc.
########################################################
[SVN-Conf:/]
@svn-admins = rw
* =

########################################################
## Repository: Sandbox
## This repository is used as a sandbox for test and
## experimentation
########################################################
[Sandbox:/]
* = rw

-------------------------------------------------------------------

Received on Sat Jan 14 07:35:44 2006
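
What the posted authz.conf grants, taken on its own, to a user who is outside the LDAP group. This is an added example, not part of the original post: it is a simplified evaluator that handles only repository-root sections like the ones in that file, and the helper names and the repository name "Other" are hypothetical.

```python
import configparser

# Rules copied from the authz.conf in the post (its comment banners trimmed).
AUTHZ = """\
[groups]
svn-admins = tom, dick, harry
[/]
@svn-admins = rw
* = r
[SVN-Conf:/]
@svn-admins = rw
* =
[Sandbox:/]
* = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def _matches(subject, user, groups):
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user

def root_access(cp, repo, user):
    """Rights the file alone gives `user` at the root of `repo` ('' = none)."""
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",")}
                  for g, v in cp["groups"].items()}
    # Simplification: a repo-specific section decides if any rule matches the user;
    # otherwise fall back to the global [/] section.
    for section in (f"{repo}:/", "/"):
        if not cp.has_section(section):
            continue
        hits = [r for s, r in cp[section].items() if _matches(s, user, groups)]
        if hits:
            return "".join(sorted(set("".join(hits).replace(" ", ""))))
    return ""

def audit(text, repos, user):
    cp = load(text)
    return {repo: root_access(cp, repo, user) for repo in repos}

print(audit(AUTHZ, ["Sandbox", "SVN-Conf", "Other"], "paul"))
```

Any repository where the result for a non-member is non-empty depends entirely on the Apache "Require group" check being enforced before the authz file is consulted.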

This is an archived mail posted to the Subversion Users mailing list.