Re: mod_authz_svn: LDAP-based groups?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-04-25 19:40:16 CEST

On Apr 25, 2006, at 12:24 AM, Scott Lamb wrote:
> Is it possible to have path-based authorization based on LDAP
> groups rather than ones hardcoded into the AuthzSVNAccessFile? I
> see from the manual [1] how to do the latter, but maintaining
> *huge* lists of users in a flat file would be hard for us. It'd be
> *much* better to just delegate these lists to our IT department's
> ActiveDirectory database, which already has the groups we're
> looking for.

Okay, this sucks. It looks like:

1) mod_auth_ldap doesn't have a way to pass along group information
to mod_authz_*. At least as of httpd-2.0.x head, it does all its
group checking right in mod_auth_ldap_auth_checker.

2) there doesn't even seem to be a framework for Apache
authentication modules to do so.

3) mod_authz_svn doesn't even do the group stuff; it passes it along
to svn_repos_authz_*. There'd need to be a way to pass in a callback
or existing groups or _something_.

So I give up; I'll do this crudely. A cron job to generate the flat
file from LDAP queries and a Nagios monitoring point to complain if
it's out of date.

If someone more ambitious than me took on doing this properly, I and
probably others would be quite happy.

Regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>
Received on Tue Apr 25 19:41:49 2006
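
The workaround described in the message (a cron job that regenerates the flat file, plus a Nagios freshness check) could look like the sketch below. It is an added example, not code from the original post or from Subversion. It assumes the LDAP query has already run and returned a mapping of group name to member logins; all function names, the sample data and the file mode are hypothetical.

```python
import os
import re
import tempfile
import time

# Constructed sample: group name -> member logins, standing in for LDAP results.
SAMPLE_GROUPS = {
    "calc-developers": ["sally", "harry", "harry"],
    "paint-developers": ["frank", " jane "],
}
# Constructed hand-maintained path rules that reference the generated groups.
SAMPLE_RULES = "[calc:/trunk]\n@calc-developers = rw\n* = r\n"

# Conservative allow-list: a directory value carrying a newline, '[', '=' or ','
# could otherwise add an extra section or rule to the access file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def render_authz(groups, rules):
    """Return access-file text: generated [groups] section, then static rules."""
    if not groups:
        # A failed or empty query must not replace a working file.
        raise ValueError("no groups returned; keeping the existing file")
    lines = ["[groups]"]
    for name in sorted(groups):
        members = sorted({m.strip() for m in groups[name]})
        for token in [name, *members]:
            if not SAFE_NAME.fullmatch(token):
                raise ValueError(f"unsafe name from directory: {token!r}")
        lines.append(f"{name} = {', '.join(members)}")
    return "\n".join(lines) + "\n\n" + rules

def publish(path, text):
    """Replace the file atomically so the server never reads a partial write."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # assumed mode; mkstemp creates the file as 0600
    os.replace(tmp, path)

def freshness_status(path, max_age_s, now=None):
    """Nagios-style exit code: 0 OK, 2 CRITICAL when missing or stale."""
    now = time.time() if now is None else now
    try:
        age = now - os.stat(path).st_mtime
    except FileNotFoundError:
        return 2
    return 0 if age <= max_age_s else 2
```

Because `render_authz` raises before `publish` is reached, a bad directory response leaves the previous file in place, and the freshness check is what then reports that the file has stopped being updated.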

This is an archived mail posted to the Subversion Users mailing list.
