
Re: authz + ldap base groups

From: jehan procaccia <jehan.procaccia_at_int-evry.fr>
Date: 2006-10-15 16:15:29 CEST

Scott Lamb wrote:

> On Oct 13, 2006, at 8:59 AM, Jehan PROCACCIA wrote:
>
>> I've read in the archive that there's no way to get authz access
>> control based on ldap users/groups :-(
>> http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=48229
>
>
> Not granular access control, anyway. For another repository I run,
> read access is public (no login necessary) and everyone with write
> access has it everywhere, so mod_authz_ldap does fine.
>
>> Scott Lamb concluded -> So I give up; I'll do this crudely. A cron
>> job to generate the flat file from LDAP queries
>>
>> Is it possible to get a copy of that script?
>
>
> Sure. Inline below. Notes:
>
> * It's all hardcoded, but it wouldn't be hard to generalize it with a
> template file (by % string substitution on a dictionary),
> ConfigParser, and even fancy argument handling with OptionParser.
>
> * We're driving this from ActiveDirectory. If you're not,
> 'sAMAccountName' is definitely the wrong attribute, and you probably
> don't need the simple_bind_s. If you're not totally familiar with
> your ldap setup, you might play with the commandline tool
> "ldapsearch" to figure out the correct queries.
>
> * We run it from cron every half hour and have Nagios complain by the
> standard plugin check_file_age if the output file is over an hour
> old. On most failures, my script will die by exception before
> replacing the output file, so that's sufficient.
>
> * It can leave tempfiles around on failure. You can delete them all
> on system boot or switch TEMPFILE to an established temp directory.
> But it must be on the same filesystem as CONFFILE so rename() works.
>
>> Is there a better method now ?
>
>
> Not that I'm aware of. Please tell me if you find one.
>
>> thanks.
>
>
> #!/usr/bin/env python
> # vim: set filetype=python:
> """Generates AuthzSVNAccessFile from some LDAP queries.
>
> <http://svn.haxx.se/users/archive-2006-04/0929.shtml>
> <http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2>
> """
>
> import ldap
> import os
>
> __version__ = '$Revision: 208 $'
>
> CONFFILE = '/mnt/array1/svn/conf/access.conf'
> TEMPFILE = '%s.%d' % (CONFFILE, os.getpid())  # must be on same filesystem
>
> def getusers(conn, base, group_dn):
>     """Returns a list of users from a DN of a group."""
>     rv = []
>     query_results = conn.search_s(base, ldap.SCOPE_ONELEVEL,
>                                   filterstr='(memberOf=%s)' % group_dn,
>                                   attrlist=['sAMAccountName'])
>     for cn, attrs in query_results:
>         usernames = attrs['sAMAccountName']
>         assert len(usernames) == 1  # one login per account, or die before writing
>         rv.append(usernames[0])
>     return rv
>
> suffix = 'cn=Users,dc=corp,dc=example,dc=com'
> conn = ldap.initialize('ldap://corp.example.com')
> # Simple bind with a plaintext password; only needed for ActiveDirectory (see notes above).
> conn.simple_bind_s('cn=ldap_queries,' + suffix, 'foo')
>
> # Write the whole file to TEMPFILE and close it so the data is flushed before the rename.
> with open(TEMPFILE, 'w') as out:
>     out.write(
>         """# DO NOT EDIT THIS FILE.
> # It's autogenerated from access.conf.py, run by crontab.
>
> [groups]
> foo = """
>         + ','.join(getusers(conn, suffix, 'cn=Foo,' + suffix))
>         + """
> bar = """ + ','.join(getusers(conn, suffix, 'cn=Bar,' + suffix))
>         + """
>
> [/a]
> @foo = rw
> @bar = r
>
> [/b]
> @foo = rw
> * = r
>
> [/c]
> @bar = rw
> """)
>
> # Use atomic replacement so the webserver never sees a half-written access file.
> os.rename(TEMPFILE, CONFFILE)
>
thanks for the script, I was hoping for a perl script ... not familiar with
python, anyway it doesn't seem complex. I think I'll use that method as
soon as I have more than 3 users in my brand new subversion
repository. Indeed I intend to open it to our 100 users, and hence I
might need an automated way to generate ACL (authz file!) from ldap.
Thanks again, I'll keep in touch if ever subversion authz gets ldap
queries working one day!?
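The posted script writes the authz file straight from the LDAP results and relies on an exception to stop it before the rename. The Python 3 example below (added here; not code from the thread or from Subversion) generalizes the same idea: group membership and path rules are plain data, the rendered file is checked with configparser before it is installed, and an empty group (the typical symptom of a misconfigured query, which would silently lock everyone out) blocks the replacement. SAMPLE_GROUPS and PATH_RULES are constructed sample data standing in for the LDAP lookup.

```python
import configparser
import os
import tempfile

# Constructed sample of what the LDAP lookup would return: group name -> member logins.
SAMPLE_GROUPS = {"foo": ["alice", "bob"], "bar": ["carol"]}
# Path rules in the same "[/path]" / "@group = perms" form the posted script emits.
PATH_RULES = {"/a": [("@foo", "rw"), ("@bar", "r")],
              "/b": [("@foo", "rw"), ("*", "r")],
              "/c": [("@bar", "rw")]}

def render_authz(groups, path_rules):
    """Render an AuthzSVNAccessFile from group memberships and path rules."""
    lines = ["# DO NOT EDIT THIS FILE. Autogenerated from LDAP.", "", "[groups]"]
    for name, users in sorted(groups.items()):
        lines.append("%s = %s" % (name, ",".join(sorted(users))))
    for path, rules in sorted(path_rules.items()):
        lines.extend(["", "[%s]" % path] + ["%s = %s" % r for r in rules])
    return "\n".join(lines) + "\n"

def check_authz(text):
    """Return a list of problems; empty means the generated file is safe to install."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["does not parse: %s" % exc]
    groups = dict(parser["groups"]) if parser.has_section("groups") else {}
    problems = ["group %s is empty (failed LDAP query?)" % n
                for n, members in groups.items() if not members.strip()]
    for section in parser.sections():
        for subject in parser[section]:
            if section != "groups" and subject.startswith("@") and subject[1:] not in groups:
                problems.append("[%s] references undefined group %s" % (section, subject))
    return problems

def install_authz(conffile, text):
    """Write to a temp file in conffile's directory, fsync, then rename over it atomically."""
    problems = check_authz(text)
    if problems:
        raise ValueError("; ".join(problems))
    fd, tmp = tempfile.mkstemp(prefix=".access.", dir=os.path.dirname(conffile) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.rename(tmp, conffile)  # same filesystem, so the swap is atomic
    except BaseException:
        os.unlink(tmp)
        raise
    return conffile
```

Because the temp file is created in the target directory, the rename never crosses filesystems, and a failed run leaves the previous access file in place untouched.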

Received on Sun Oct 15 16:16:23 2006

This is an archived mail posted to the Subversion Users mailing list.
