
HowTo for LDAP authentication combined with per-file authorization on files / directories within an svn repository?

From: Edward Bosco <ebosco_at_prologic-inc.com>
Date: 2006-04-07 17:36:30 CEST

I want to control what files are downloaded to a subversion repository
client by the user name and which group a file is associated with. All
the various files are in a common repository. The files should be
associated with groups of LDAP-listed users.

All valid users are permitted access to the repository, but not all
valid users should see all files.
==

An example would be:
User billg is a member of group developers in LDAP Active Directory.

File doitnow.exe is a member of the developer group and resides at
\core\bin.

File doitlater.exe is a member of the tools group and also resides at
\core\bin within the repository.

On a subversion checkout or update, user billg should only download the
doitnow.exe to his working copy directory on the client machine. File
doitlater.exe should not be present in his working copy.

==

The subversion server runs Debian Sarge with Apache 2.0.55 and SVN
1.3.0; it hosts a subversion repository at
/var/repos/repositories/testrepo.

Modules mod_ldap.so, mod_auth_ldap.so, mod_dav_svn.so and
mod_authz_svn.so are loaded within the /etc/apache2/mods-enabled
directory.

Currently I can perform authentication via LDAP using an Active
Directory LDAP source. I'm trying to perform file-level authorization
via arbitrary groups or a user list of the various users listed in LDAP
or in some replicated file.

==

If I attempt webspace controls of <Location> or <Files> to the virtual
filesystem presented by the svn repository, I obtain a '403', Forbidden,
error.

If I use LDAP authentication on a valid user id, and use the
/etc/apache2/mods-enabled/dav_svn.conf file and
/etc/apache2/dav_svn.authz, I get access to the whole repository, and
the dav_svn.conf or .authz files have no effect on controlling the
access to particular files.

To make it work I have to block out LDAP and use an htpasswd2-generated
password list. I have to list the files within the
/etc/apache2/dav_svn.authz file.

I'd like to have the 'and' of [LDAP authentication OK] + [File
name:group1] to allow access to a file such that we download to a client
only those permitted files.

==

Anybody do anything close to this?

Thanks.

Received on Fri Apr 7 17:53:06 2006
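For reference, this is the shape of configuration that combines the two mechanisms the post describes: Apache 2.0 mod_auth_ldap answers "who is this user" against Active Directory, and mod_authz_svn answers "which paths may this user read" from the authz file, so a successful LDAP login is ANDed with the per-path rule on every request. It is an added example, not configuration from the post or from the Subversion project. The repository path, the authz file path and the names billg, developers and tools come from the post; the Location name /svn/testrepo, the LDAP host, bind DN, base DN and the user alice are assumptions.

```apache
# --- /etc/apache2/mods-enabled/dav_svn.conf ---
# Added example. LDAP host, bind DN, base DN and the /svn/testrepo
# location are assumptions; adjust them to the real directory.
<Location /svn/testrepo>
    DAV svn
    SVNPath /var/repos/repositories/testrepo

    # Authentication (who you are), answered by Active Directory.
    # These are Apache 2.0 mod_auth_ldap directives; in Apache 2.2 the
    # module became mod_authnz_ldap and AuthLDAPEnabled went away.
    AuthType Basic
    AuthName "Subversion repository"
    AuthLDAPEnabled on
    AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svn-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "bind-password-here"
    AuthLDAPAuthoritative on

    # Every LDAP user may reach the repository at all; which paths each
    # one may read is decided per request by mod_authz_svn, below.
    Require valid-user

    # Authorization (what you may see), answered by the authz file.
    # This directive has to live in the same <Location> as "DAV svn".
    # Separate <Location>/<Files> blocks on the plain path are not a
    # substitute, because the client fetches most content through
    # /svn/testrepo/!svn/... URLs rather than the path you would match.
    AuthzSVNAccessFile /etc/apache2/dav_svn.authz
</Location>

# --- /etc/apache2/dav_svn.authz ---
# User names here must equal what Apache puts in REMOTE_USER after the
# LDAP lookup, i.e. the sAMAccountName value ("billg"), not the full DN.
# mod_authz_svn (1.3) only knows the groups listed in this file; it does
# not consult AD group membership, so this list must be maintained by
# hand or regenerated from the directory by a script.
[groups]
developers = billg
tools = alice

# With a single SVNPath repository the "repo:" prefix on section names
# can be omitted. Every authenticated user may read the whole tree...
[/]
* = r

# ...except this one file, readable only by the tools group. The most
# specific matching path wins, and "* =" removes the inherited read bit.
[/core/bin/doitlater.exe]
* =
@tools = r
```

With this in place, a checkout or update of /core/bin by billg delivers doitnow.exe and silently omits doitlater.exe: Subversion reports the unreadable file to the client as absent rather than failing the operation, so it never appears in the working copy. A quick check that the two halves are wired together is to request the file's plain URL with a browser as billg; mod_auth_ldap should prompt for credentials and, once they are accepted, mod_authz_svn should answer 403 for doitlater.exe but 200 for doitnow.exe.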

This is an archived mail posted to the Subversion Users mailing list.
