
Issue with LDAP/Apache setup and SVN

From: Jones, Nathan <nathan.jones_at_thalesgroup.com.au>
Date: 2006-12-15 04:59:55 CET

Hi all,

I've got a Redhat Linux Enterprise 3 VM, running Subversion 1.4.2 tied into
an Apache 2 server, version 2.0.46.

We have one directory where we store all our repositories, and we serve all
of them from there.

I'm in the process of setting up our environment to authenticate against our
Active Directory server, and we've been using "Require group <blah>" to
control access to various repositories. Thus far, everything has gone well.
We have location directives for the base /svn root and then one for each
/svn/<repname>, allowing some repositories to not have permissions if they
so choose.

As part of our research, I was asked to implement permissions for a
particular folder within a repository. I repeated the process and created
another location directive for that directory, authenticating against
another group. The structure is something like this:
/svn (Requires group Subversion Users)
/svn/testrep (Requires GroupA)
/svn/testrep/hidden (Requires GroupB)

For testing purposes, GroupB doesn't exist, so I shouldn't have access to
the "hidden" folder. If I browse the repository using a browser I
can't access the hidden folder as expected, nor can I browse it using
Tortoise. So far so good. I then did a full checkout of the repository,
only to have it pull down everything, hidden folder inclusive, onto my PC.
From there on I could do whatever I liked to read or edit the files in that
folder, which would not be acceptable when on the live system. I cannot
update the directory directly, nor can I commit any of the modified files,
which is a good thing. Ultimately though, they shouldn't have access to the
folder at all. I've proposed the idea of a separate repository, but both I
and my colleague feel if we could get this working it's much more flexible.

The question I have is, where does this problem lie? I've had a search
around on terms I can think of and came up with nothing. Is it a bug? Is
it just not designed to do this? Should it be implemented a different way?
Any help would be most appreciated.


Nathan Jones
Software Engineer

Thales Australia
20-22 Stirling Hwy
Ph: +61 8 93338834
Fx: +61 8 93338889
Mb: +61 (0)438 901669
Email: nathan.jones@thalesgroup.com.au
www.thalesgroup.com.au <http://www.thalesgroup.com.au>

Received on Fri Dec 15 15:49:30 2006
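
The layout described in the message above, next to path-based authorization done by Subversion's own mod_authz_svn module, as an added example that is not part of the original post or of the poster's configuration. File system paths, the access file name and the user names are placeholders; the LDAP authentication directives are left out because the post does not show them.

```apache
# --- Layout from the post (authentication directives omitted) ---
# A nested <Location> only matches requests whose URL starts with
# /svn/testrep/hidden. A checkout of /svn/testrep is served through
# requests addressed to other URLs under the repository, so this block
# is not consulted for them and the folder contents are delivered.
<Location /svn/testrep/hidden>
    Require group GroupB
</Location>

# --- Alternative: let Subversion evaluate per-path rules ---
LoadModule dav_svn_module   modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
    DAV svn
    SVNParentPath /path/to/repositories      # placeholder path
    # ... existing LDAP authentication directives stay here ...
    Require valid-user
    # Rules are checked against the path inside the repository for
    # every item an operation touches, including items in a checkout.
    AuthzSVNAccessFile /path/to/svn-authz.conf   # placeholder path
</Location>

# --- Contents of /path/to/svn-authz.conf (separate file, shown as comments) ---
# Groups here are defined in this file by authenticated user name;
# they are not looked up in the directory. User names are constructed.
#
# [groups]
# groupa = alice, bob
# groupb = carol
#
# [testrep:/]
# @groupa = rw
#
# [testrep:/hidden]
# @groupa =
# @groupb = rw
```

With rules like these, a user who is only in groupa can still check out testrep, but the hidden folder is left out of the resulting working copy.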

This is an archived mail posted to the Subversion Users mailing list.
