
Re: What are the benefits of using LDAP to authenticate users to SVN

From: Andreas Hasenack <andreas_at_mandriva.com.br>
Date: 2007-06-14 15:04:20 CEST

On Thu, Jun 14, 2007 at 08:56:01AM -0400, Andy Levy wrote:
> On 6/14/07, Andreas Hasenack <andreas@mandriva.com.br> wrote:
> > On Thu, Jun 14, 2007 at 06:14:46PM +0530, nikhil gupta wrote:
> > > Hi Andy,
> > >
> > > Thanks for the reply...
> > >
> > > But the benefits that you mentioned can also be achieved using the
> > > SSPI authentication, AFAIK. Are there any additional benefits that
> > > LDAP provides over SSPI?
> >
> > LDAP is not just authentication: you can store groups there, for
> > example, and use it as a source of authorization.
>
> You mean one can use LDAP groups in conjunction w/ SVN's per-directory
> authorization? Got a link? I need to figure out how to do exactly that
> for our next big SVN rollout (whenever that happens).

Well, two things:
- when using mod_dav, you can use "Require group" and have that group
  defined in ldap. But this is not for controlling svn's per-directory
  commit access
- we use a modified version of svnperms.py (the one that comes with subversion
  itself), that will be submitted upstream, that uses groups defined in LDAP. So
  the following works in svnperms.conf:

[global]
permissions-source = ldap

[ldap]
host = localhost
basedn = ou=Group,dc=example,dc=com
groups-filter-format = (&(objectClass=groupOfNames)(member=uid=$user,ou=People,dc=example,dc=com))
groups-name-attribute = cn
(...)
[repo-name]
/updates/[^/]+/kernel-2.6/.* = *() @kernel(add,remove,update) @updates(add,remove,update) @svnadmin(add,remove,update)
(...)

In this case, the kernel, updates and svnadmin groups are defined in
LDAP and consulted via that query. Only the ACLs themselves are still in
the conf file. The group definition in LDAP is a standard groupOfNames
entry in our case, but the query is configurable enough (we hope) so you
can use any type of entry.

This version of svnperms can be obtained here:
http://svn.mandriva.com/cgi-bin/viewvc.cgi/soft/build_system/svnperms/trunk/

Received on Thu Jun 14 15:04:59 2007
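
How the configuration in the mail above fits together, as an added example that is not part of the original mail and not code from svnperms.py: it fills $user into groups-filter-format and applies the [repo-name] rule to the groups the LDAP query would return. The function names, the username allowlist and the evaluation rule (union of all matching entries, deny when the path is not covered) are assumptions.

```python
import re
from string import Template

# Values copied from the svnperms.conf in the mail above.
FILTER_FORMAT = "(&(objectClass=groupOfNames)(member=uid=$user,ou=People,dc=example,dc=com))"
RULE_PATH = r"/updates/[^/]+/kernel-2.6/.*"
RULE_ACL = "*() @kernel(add,remove,update) @updates(add,remove,update) @svnadmin(add,remove,update)"

# Assumption: account names are restricted to this allowlist, so nothing that is
# special in an LDAP filter or DN ("*", "(", ")", "\", ",", "=") reaches the query.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]+")


def build_groups_filter(user, fmt=FILTER_FORMAT):
    """Substitute $user into the filter format, refusing unsafe names."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError("refusing to build LDAP filter for user %r" % user)
    return Template(fmt).substitute(user=user)


def parse_acl(acl):
    """Split 'who(perm,...) who(perm,...)' into [(set of names, set of perms)]."""
    entries = []
    for names, perms in re.findall(r"(\S+?)\(([^)]*)\)", acl):
        entries.append((set(names.split(",")), {p for p in perms.split(",") if p}))
    return entries


def allowed(user, groups, path, action, pattern=RULE_PATH, acl=RULE_ACL):
    """Assumed evaluation rule (not taken from svnperms.py): union the
    permissions of every entry naming the user, '*', or '@group' for a group
    the LDAP query returned (the groups-name-attribute values, here cn)."""
    if not re.fullmatch(pattern, path):
        return False  # assumption: a path no rule covers is denied
    identities = {user, "*"} | {"@" + g for g in groups}
    granted = set()
    for names, perms in parse_acl(acl):
        if names & identities:
            granted |= perms
    return action in granted
```

The groups argument stands in for the cn values of the groupOfNames entries that the rendered filter matches under basedn; no LDAP server is contacted.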

This is an archived mail posted to the Subversion Users mailing list.
