Scott Lamb wrote:
> On Oct 13, 2006, at 8:59 AM, Jehan PROCACCIA wrote:
>> I've read in the archive that there's no way to get authz access
>> control based on ldap users/groups :-(
> Not granular access control, anyway. For another repository I run,
> read access is public (no login necessary) and everyone with write
> access has it everywhere, so mod_authz_ldap does fine.
>> Scott Lamb concluded -> So I give up; I'll do this crudely. A cron
>> job to generate the flat file from LDAP queries
>> Is it possible to get a copy of that script?
> Sure. Inline below. Notes:
> * It's all hardcoded, but it wouldn't be hard to generalize it with a
> template file (by % string substitution on a dictionary),
> ConfigParser, and even fancy argument handling with OptionParser.
> * We're driving this from ActiveDirectory. If you're not,
> 'sAMAccountName' is definitely the wrong attribute, and you probably
> don't need the simple_bind_s. If you're not totally familiar with
> your ldap setup, you might play with the commandline tool
> "ldapsearch" to figure out the correct queries.
> * We run it from cron every half hour and have Nagios complain by the
> standard plugin check_file_age if the output file is over an hour
> old. On most failures, my script will die by exception before
> replacing the output file, so that's sufficient.
> * It can leave tempfiles around on failure. You can delete them all
> on system boot or switch TEMPFILE to an established temp directory.
> But it must be on the same filesystem as CONFFILE so rename() works.
>> Is there a better method now ?
> Not that I'm aware of. Please tell me if you find one.
> #!/usr/bin/env python
> # vim: set filetype=python:
> """Generates AuthzSVNAccessFile from some LDAP queries."""
> import ldap
> import os
> __version__ = '$Revision: 208 $'
> CONFFILE = '/mnt/array1/svn/conf/access.conf'
> TEMPFILE = '%s.%d' % (CONFFILE, os.getpid()) # must be on same filesystem as CONFFILE
>
> def getusers(conn, base, group_dn):
>     """Returns a list of users from a DN of a group."""
>     rv = []
>     query_results = conn.search_s(base, ldap.SCOPE_ONELEVEL,
>                                   filterstr='(memberOf=%s)' % group_dn,
>                                   attrlist=['sAMAccountName'])
>     for cn, attrs in query_results:
>         usernames = attrs['sAMAccountName']
>         assert len(usernames) == 1
>         rv.append(usernames[0])
>     return rv
>
> suffix = 'cn=Users,dc=corp,dc=example,dc=com'
> conn = ldap.initialize('ldap://corp.example.com')
> conn.simple_bind_s('cn=ldap_queries,' + suffix, 'foo')
>
> # Write the whole file to TEMPFILE first, then rename it into place below.
> # The bracketed [path] section headers did not survive the mail archive;
> # the [repo-?:/] names below are placeholders, not the original paths.
> f = open(TEMPFILE, 'w')
> f.write(
> """# DO NOT EDIT THIS FILE.
> # It's autogenerated from access.conf.py, run by crontab.
> [groups]
> foo = """
> + ','.join(getusers(conn, suffix, 'cn=Foo,' + suffix))
> + """
> bar = """ + ','.join(getusers(conn, suffix, 'cn=Bar,' + suffix))
> + """
> [repo-a:/]
> @foo = rw
> @bar = r
> [repo-b:/]
> @foo = rw
> * = r
> [repo-c:/]
> @bar = rw
> """)
> f.close()
> # Use atomic replacement so the webserver never sees a half-written
> # access file.
> os.rename(TEMPFILE, CONFFILE)
Thanks for the script, I was hoping for a perl script ... not familiar with
python, anyway it doesn't seem complex, I think I'll use that method as
soon as I have more than 3 users in my brand new subversion
repository. Indeed I intend to open it to our 100 users, and hence I
might need an automated way to generate ACL (authz file!) from ldap.
Thanks again, I'll keep in touch if ever subversion authz gets ldap
queries working one day!?
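An added example, not part of this thread and not Scott's script: the same generate-then-rename approach, with the LDAP lookup replaced by a constructed dict of group memberships, plus a check that Scott's version lacks: the generated text is parsed with configparser and every `@group` rule must name a group defined in `[groups]` (and every permission must be blank, `r` or `rw`), so a broken file is never renamed over the live one and the temp file is removed on failure. The function names `render_authz`, `validate_authz`, `write_authz_atomically` and `demo` are mine; `demo` round-trips the file through a scratch directory and assumes Python 3.

```python
import os
import tempfile
from configparser import ConfigParser
TEMPLATE = """[groups]
%(groups)s
[/]
@foo = rw
* = r
"""

def render_authz(groups):
    # Fill the [groups] block from {name: [users]}; sorted for stable diffs.
    body = '\n'.join('%s = %s' % (g, ','.join(sorted(m)))
                     for g, m in sorted(groups.items()))
    return '# DO NOT EDIT: generated from LDAP.\n' + TEMPLATE % {'groups': body}

def validate_authz(text):
    cp = ConfigParser(delimiters=('=',), interpolation=None)
    cp.optionxform = str  # keep '@foo' and '*' exactly as written
    try:
        cp.read_string(text)
    except Exception as exc:
        return ['unparsable: %s' % exc]
    groups = set(cp['groups']) if cp.has_section('groups') else set()
    problems = []  # empty list means the file is safe to install
    for section in [s for s in cp.sections() if s != 'groups']:
        for key, perm in cp[section].items():
            if key.startswith('@') and key[1:] not in groups:
                problems.append('%s: unknown group %s' % (section, key))
            if perm not in ('', 'r', 'rw'):
                problems.append('%s: bad permission %r for %s' % (section, perm, key))
    return problems

def write_authz_atomically(conffile, text):
    # Refuse a broken file; else write a sibling temp file and rename it over conffile.
    problems = validate_authz(text)
    if problems: raise ValueError('; '.join(problems))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(conffile)))
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(text)
        os.replace(tmp, conffile)  # readers see either the old file or the new one
    except BaseException:
        os.unlink(tmp)  # do not leave half-written temp files behind
        raise

def demo(groups):
    path = os.path.join(tempfile.mkdtemp(), 'access.conf')
    write_authz_atomically(path, render_authz(groups))
    return open(path).read(), os.listdir(os.path.dirname(path))
```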
Received on Sun Oct 15 16:16:23 2006