Re: mod_authz_svn: LDAP-based groups?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-04-25 19:40:16 CEST

On Apr 25, 2006, at 12:24 AM, Scott Lamb wrote:
> Is it possible to have path-based authorization based on LDAP
> groups rather than ones hardcoded into the AuthzSVNAccessFile? I
> see from the manual [1] how to do the latter, but maintaining
> *huge* lists of users in a flat file would be hard for us. It'd be
> *much* better to just delegate these lists to our IT department's
> ActiveDirectory database, which already has the groups we're
> looking for.

Okay, this sucks. It looks like:

1) mod_auth_ldap doesn't have a way to pass along group information
to mod_authz_*. At least as of httpd-2.0.x head, it does all its
group checking right in mod_auth_ldap_auth_checker.

2) there doesn't even seem to be a framework for Apache
authentication modules to do so.

3) mod_authz_svn doesn't even do the group stuff; it passes it along
to svn_repos_authz_*. There'd need to be a way to pass in a callback
or existing groups or _something_.

So I give up; I'll do this crudely. A cron job to generate the flat
file from LDAP queries and a Nagios monitoring point to complain if
it's out of date.

If someone more ambitious than me took on doing this properly, I and
probably others would be quite happy.

Regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Tue Apr 25 19:41:49 2006

This message: [ Message body ]
Next message: Yves Bergeron: "Path order in svn log xml output"
Previous message: Garrett Rooney: "Re: https: access gives: Can't set position pointer in file"
In reply to: Scott Lamb: "mod_authz_svn: LDAP-based groups?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]