
Issue with LDAP/Apache setup and SVN

From: Jones, Nathan <nathan.jones_at_thalesgroup.com.au>
Date: 2006-12-15 06:09:33 CET

> Hi all,
>
> I've got a Redhat Linux Enterprise 3 VM, running Subversion 1.4.2 tied
> into an Apache 2 server, version 2.0.46.
>
> We have one directory where we store all our repositories, and we serve
> all of them from it.
>
> I'm in the process of setting up our environment to authenticate against
> our Active Directory server, and we've been using "Require group <blah>"
> to control access to various repositories. Thus far, everything has gone
> well. We have location directives for the base /svn root and then one for
> each /svn/<repname>, allowing some repositories to not have permissions if
> they so choose.
>
> As part of our research, I was asked to implement permissions for a
> particular folder within a repository. I repeated the process and created
> another location directive for that directory, authenticating against
> another group. The structure is something like this:
> /svn (Requires group Subversion Users)
> /svn/testrep (Requires GroupA)
> /svn/testrep/hidden (Requires GroupB)
>
> For testing purposes, GroupB doesn't exist, so I shouldn't have access to
> the "hidden" folder. If I browse the repository using a browser I
> can't access the hidden folder as expected, nor can I browse it using
> Tortoise. So far so good. I then did a full checkout of the repository,
> only to have it pull down everything, hidden folder inclusive, onto my PC.
> From there on I could do whatever I liked to read or edit the files in
> that folder, which would not be acceptable when on the live system. I
> cannot update the directory directly, nor can I commit any of the modified
> files which is a good thing. Ultimately though, they shouldn't have
> access to the folder at all. I've proposed the idea of a separate
> repository, but both I and my colleague feel if we could get this working
> it's much more flexible.
>
> The question I have is, where does this problem lie? I've had a search
> around on terms I can think of and came up with nothing. Is it a bug? Is
> it just not designed to do this? Should it be implemented a different
> way? Any help would be most appreciated.
>
> Cheers,
>
> Nathan Jones
> Software Engineer
>
> Thales Australia
> 20-22 Stirling Hwy
> NEDLANDS WA 6009
> Ph: +61 8 93338834
> Fx: +61 8 93338889
> Mb: +61 (0)438 901669
> Email: nathan.jones@thalesgroup.com.au
> www.thalesgroup.com.au
>

Received on Fri Dec 15 06:10:16 2006
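
Why the browser is refused but the checkout is not, as an added example that is not part of the original message: a simplified Python model of `<Location>` matching applied to the three sections described above. The request rows are constructed, and the checkout row assumes the update report goes to mod_dav_svn's `!svn` URI under the repository root rather than to the folder's own URL.

```python
# Simplified model of <Location> handling: a section applies when the request
# URI equals its path or continues it at a "/" boundary, and a later matching
# section overrides the Require of an earlier one.
LOCATIONS = [  # the three sections from the message, in configuration order
    ("/svn", "Subversion Users"),
    ("/svn/testrep", "GroupA"),
    ("/svn/testrep/hidden", "GroupB"),
]

# Constructed sample requests, not captured traffic: (client, method, URI,
# repository path whose content the response carries). The REPORT row assumes
# the update report a DAV checkout sends to mod_dav_svn's "!svn" URI under the
# repository root; design.txt is a hypothetical file name.
REQUESTS = [
    ("browser", "GET", "/svn/testrep/hidden/", "/hidden"),
    ("browser", "GET", "/svn/testrep/hidden/design.txt", "/hidden/design.txt"),
    ("checkout", "REPORT", "/svn/testrep/!svn/vcc/default", "/"),
]

def location_matches(prefix, uri):
    """True when the URI is the section path itself or lies beneath it."""
    return uri == prefix or uri.startswith(prefix.rstrip("/") + "/")

def required_group(uri, locations=LOCATIONS):
    """Group demanded by the last matching section, or None if none match."""
    group = None
    for prefix, required in locations:
        if location_matches(prefix, uri):
            group = required
    return group

def covers(served_path, protected_path):
    """True when a response rooted at served_path includes protected_path."""
    served = served_path.rstrip("/")
    return protected_path == served or protected_path.startswith(served + "/")

def bypasses(protected_path, protected_group, requests=REQUESTS):
    """Requests that return protected content under a different group's rule."""
    return [
        (client, method, uri, required_group(uri))
        for client, method, uri, served in requests
        if (covers(served, protected_path) or covers(protected_path, served))
        and required_group(uri) != protected_group
    ]

if __name__ == "__main__":
    for row in bypasses("/hidden", "GroupB"):
        print(row)
```

Because the checkout request never carries the folder's URL, a rule keyed on the request URI cannot cover it; mod_authz_svn's `AuthzSVNAccessFile` checks the repository path instead.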

This is an archived mail posted to the Subversion Users mailing list.