
Re: authz + ldap base groups

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-10-13 19:26:48 CEST

On Oct 13, 2006, at 8:59 AM, Jehan PROCACCIA wrote:
> I've read in the archive that there's no way to get authz access
> control based on ldap users/groups :-(
> http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=48229

Not granular access control, anyway. For another repository I run,
read access is public (no login necessary) and everyone with write
access has it everywhere, so mod_authz_ldap does fine.

> Scott Lamb concluded -> So I give up; I'll do this crudely. A cron
> job to generate the flat file from LDAP queries
>
> Is it possible to get a copy of that script ?

Sure. Inline below. Notes:

* It's all hardcoded, but it wouldn't be hard to generalize it with a
template file (by % string substitution on a dictionary),
ConfigParser, and even fancy argument handling with OptionParser.

* We're driving this from ActiveDirectory. If you're not,
'sAMAccountName' is definitely the wrong attribute, and you probably
don't need the simple_bind_s. If you're not totally familiar with
your ldap setup, you might play with the commandline tool
"ldapsearch" to figure out the correct queries.

* We run it from cron every half hour and have Nagios complain by the
standard plugin check_file_age if the output file is over an hour
old. On most failures, my script will die by exception before
replacing the output file, so that's sufficient.

* It can leave tempfiles around on failure. You can delete them all
on system boot or switch TEMPFILE to an established temp directory.
But it must be on the same filesystem as CONFFILE so rename() works.

> Is there a better method now ?

Not that I'm aware of. Please tell me if you find one.

> thanks.

#!/usr/bin/env python
# vim: set filetype=python:
"""Generates AuthzSVNAccessFile from some LDAP queries.

<http://svn.haxx.se/users/archive-2006-04/0929.shtml>
<http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2>
"""

import ldap
import os

__version__ = '$Revision: 208 $'

CONFFILE = '/mnt/array1/svn/conf/access.conf'
# The temp file must be on the same filesystem as CONFFILE so that the
# final os.rename() is an atomic replacement rather than a copy.
TEMPFILE = '%s.%d' % (CONFFILE, os.getpid())

def getusers(conn, base, group_dn):
    """Returns a list of users from a DN of a group."""
    rv = []
    # Active Directory: members carry the group's DN in memberOf, and the
    # login name Subversion sees is sAMAccountName.
    query_results = conn.search_s(base, ldap.SCOPE_ONELEVEL,
                                  filterstr='(memberOf=%s)' % group_dn,
                                  attrlist=['sAMAccountName'])
    for dn, attrs in query_results:
        usernames = attrs['sAMAccountName']
        assert len(usernames) == 1
        name = usernames[0]
        if isinstance(name, bytes):   # python-ldap on Python 3 returns bytes
            name = name.decode('utf-8')
        rv.append(name)
    return rv

suffix = 'cn=Users,dc=corp,dc=example,dc=com'
conn = ldap.initialize('ldap://corp.example.com')
# Bind DN and password of the account used for the read-only queries.
conn.simple_bind_s('cn=ldap_queries,' + suffix, 'foo')

foo = ','.join(getusers(conn, suffix, 'cn=Foo,' + suffix))
bar = ','.join(getusers(conn, suffix, 'cn=Bar,' + suffix))

# Write the whole file to the temp path first; an exception anywhere above
# or below leaves CONFFILE untouched.
with open(TEMPFILE, 'w') as out:
    out.write("""# DO NOT EDIT THIS FILE.
# It's autogenerated from access.conf.py, run by crontab.

[groups]
foo = %s
bar = %s

[/a]
@foo = rw
@bar = r

[/b]
@foo = rw
* = r

[/c]
@bar = rw
""" % (foo, bar))

# Use atomic replacement so the webserver never sees a half-written
# access file.
os.rename(TEMPFILE, CONFFILE)

-- 
Scott Lamb <http://www.slamb.org/>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Oct 13 23:12:32 2006
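The following is an added example and is not the script from the mail above nor anything from the Subversion project. It is one way to write the generalized version the notes sketch (a fixed rules template plus a generated [groups] section), and it adds the checks a practitioner would want before the atomic rename: every name pulled from the directory is matched against an allow-list, so an attribute value containing a comma, newline, "[" or "=" cannot add members, rules or sections to the access file; the rendered text is parsed back as INI and every "@group" rule must refer to a group that was actually generated; and the temp file is created in the target directory (same filesystem), fsynced, and removed on any failure, which addresses the leftover-tempfile caveat from the notes. The LDAP query itself is left out: GROUPS is constructed sample data standing in for what getusers() would return, and the function names (check_name, validate_authz, render_authz, atomic_write, write_authz) are my own.

```python
# Added example, not the script from the mail. The LDAP query is omitted;
# GROUPS is constructed data standing in for what getusers() would return.
import configparser
import os
import re
import tempfile

# Allow-list for names spliced into the file: a value containing ',', a
# newline, '[' or '=' could otherwise add members, rules or sections.
NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')
VALID_PERMS = {'', 'r', 'rw'}

GROUPS = {'foo': ['alice', 'bob'], 'bar': ['carol']}   # constructed sample

RULES = """\
[/a]
@foo = rw
@bar = r

[/b]
@foo = rw
* = r

[/c]
@bar = rw
"""   # the hand-maintained part; only [groups] is generated

def check_name(name, kind):
    """Refuse any group or user name that could carry authz syntax."""
    if not NAME_RE.match(name):
        raise ValueError('refusing to emit unsafe %s name: %r' % (kind, name))
    return name

def validate_authz(text):
    """Parse the rendered file as INI (as mod_authz_svn does) and reject rules
    naming an undefined group or an unknown permission. Returns group names."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=('=',),
                                       comment_prefixes=('#',),
                                       empty_lines_in_values=False, strict=True)
    parser.optionxform = str          # keep the case of user names
    parser.read_string(text)
    if not parser.has_section('groups'):
        raise ValueError('no [groups] section')
    known = set(parser.options('groups'))
    for section in parser.sections():
        if section == 'groups':
            continue
        if not (section.startswith('/') or ':/' in section):
            raise ValueError('not a path section: [%s]' % section)
        for subject, perm in parser.items(section):
            if subject.startswith('@') and subject[1:] not in known:
                raise ValueError('[%s]: undefined group %s' % (section, subject))
            if perm not in VALID_PERMS:
                raise ValueError('[%s] %s: bad permission %r' % (section, subject, perm))
    return sorted(known)

def render_authz(groups, rules):
    """Build the file text: generated [groups] section, then the rules."""
    lines = ['# DO NOT EDIT THIS FILE.',
             '# Autogenerated from LDAP group membership; edits are overwritten.',
             '', '[groups]']
    for gname in sorted(groups):
        check_name(gname, 'group')
        members = sorted(set(check_name(u, 'user') for u in groups[gname]))
        lines.append('%s = %s' % (gname, ','.join(members)))
    lines.extend(['', rules.strip(), ''])
    text = '\n'.join(lines)
    validate_authz(text)              # fail here, before anything is written
    return text

def atomic_write(path, text, mode=0o644):
    """Write to a temp file in the same directory (same filesystem, so the
    rename is atomic), fsync, then rename over path: readers see either the
    old or the new complete file. The temp file is removed on failure."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix='.%s.' % os.path.basename(path), dir=directory)
    try:
        with os.fdopen(fd, 'w', encoding='utf-8') as out:
            out.write(text)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, mode)           # mkstemp creates 0600; the web server must read it
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    return path

def write_authz(path, groups=GROUPS, rules=RULES):
    text = render_authz(groups, rules)
    atomic_write(path, text)
    return text

if __name__ == '__main__':
    import sys
    print(write_authz(sys.argv[1] if len(sys.argv) > 1 else 'access.conf'), end='')
```

Run from cron exactly as the mail describes; the check_file_age monitoring still works unchanged, because render_authz raises before atomic_write is reached, so on a bad directory result the old access file keeps both its contents and its old mtime.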

This is an archived mail posted to the Subversion Users mailing list.
