mod_authz_svn: LDAP-based groups?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-04-25 09:24:54 CEST

Is it possible to have path-based authorization based on LDAP groups
rather than ones hardcoded into the AuthzSVNAccessFile? I see from
the manual [1] how to do the latter, but maintaining *huge* lists of
users in a flat file would be hard for us. It'd be *much* better to
just delegate these lists to our IT department's ActiveDirectory
database, which already has the groups we're looking for.

mod_auth_ldap has a concept of groups built in [2], which seems to
be a standard concept in all the Apache authenticators. You can just
do stuff like:

     require group cn=Administrators, o=Airius

What I'd like to do is something like this in the httpd configuration:

     <Location /svn>
         DAV svn
         SVNPath /var/www/svn
         AuthType Basic
         AuthName "Build Repository"
         AuthLDAPEnabled on
         AuthLDAPURL ldap://example.com/dc=example,dc=com?sAMAccountName?one
         AuthLDAPBindDN cn=queries,ou=Users,dc=example,dc=com
         AuthLDAPBindPassword "secret"
         Require valid-user
         AuthzSVNAccessFile /var/www/svn/conf/access.conf
     </Location>

and something like this in the access file:

     [groups]
     foo-committers = 'cn=foo-committers,ou=Groups,dc=example,dc=com'
     foo-reviewers = 'cn=foo-reviewers,ou=Groups,dc=example,dc=com'

     [/foo]
     @foo-committers = rw
     @foo-reviewers = r

or even just:

     [/foo]
     @'cn=foo-committers,ou=Groups,dc=example,dc=com' = rw
     @'cn=foo-reviewers,ou=Groups,dc=example,dc=com' = rw

Is this possible?

Regards,
Scott

[1] - http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2
[2] - http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#reqgroup

-- 
Scott Lamb <http://www.slamb.org/>
Received on Tue Apr 25 09:25:17 2006
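
One way to avoid hand-maintaining the [groups] lists the message describes, as an added example that is not part of the original post or of Subversion: generate that section from directory group membership. The membership data is constructed sample input standing in for an LDAP search result, and `render_groups`, `GROUP_MAP`, `SAMPLE_MEMBERS` and the name allow-list are assumptions of this example.

```python
# Added example: build the [groups] section of an AuthzSVNAccessFile from
# directory group membership. No LDAP server is contacted; SAMPLE_MEMBERS is
# constructed data standing in for the result of a directory search.
import re

# authz group name -> directory group DN (names taken from the post above).
GROUP_MAP = {
    "foo-committers": "cn=foo-committers,ou=Groups,dc=example,dc=com",
    "foo-reviewers": "cn=foo-reviewers,ou=Groups,dc=example,dc=com",
}

# Constructed sample: group DN -> sAMAccountName of each member.
SAMPLE_MEMBERS = {
    "cn=foo-committers,ou=Groups,dc=example,dc=com": ["bob", "alice"],
    "cn=foo-reviewers,ou=Groups,dc=example,dc=com": ["carol", "alice", "carol"],
}

# Assumed allow-list for names written into the file. It rejects characters
# that carry meaning in the access file (newline, ',', '=', '[', '@', '#').
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def render_groups(group_map, members_by_dn):
    """Return the text of a [groups] section, or raise without output."""
    lines = ["[groups]"]
    for name in sorted(group_map):
        dn = group_map[name]
        if dn not in members_by_dn:
            # A group the lookup did not return is treated as an error
            # so a partial directory result never replaces a good file.
            raise KeyError(f"no membership data for {dn}")
        users = sorted(set(members_by_dn[dn]))
        for value in [name, *users]:
            if not SAFE_NAME.fullmatch(value):
                raise ValueError(f"unsafe name for access file: {value!r}")
        lines.append(f"{name} = {', '.join(users)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_groups(GROUP_MAP, SAMPLE_MEMBERS), end="")
```

The path rules such as `[/foo]` stay hand-written and refer to the generated group names; only the membership lines are regenerated.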

This is an archived mail posted to the Subversion Users mailing list.