On Thu, Jun 14, 2007 at 08:56:01AM -0400, Andy Levy wrote:
> On 6/14/07, Andreas Hasenack <email@example.com> wrote:
> > On Thu, Jun 14, 2007 at 06:14:46PM +0530, nikhil gupta wrote:
> > > Hi Andy,
> > >
> > > Thanks for the reply...
> > >
> > > But the benefits that you mentioned can also be achieved using the
> > > SSPI authentication, AFAIK. Are there any additional benefits that
> > > LDAP provides over SSPI?
> > LDAP is not just authentication: you can store groups there, for
> > example, and use it as a source of authorizarion.
> You mean one can use LDAP groups in conjunction w/ SVN's per-directory
> authorization? Got a link? I need to figure out how to do exactly that
> for our next big SVN rollout (whenever that happens).
Well, two things:

- when using mod_dav, you can use "Require group" and have that group
  defined in ldap. But this is not for controlling svn's per-directory
- we use a modified version of svnperms.py (the one that comes with subversion
  itself), that will be submitted upstream, that uses groups defined in LDAP. So
  the following works in svnperms.conf:

    permissions-source = ldap
    host = localhost
    basedn = ou=Group,dc=example,dc=com
    groups-filter-format = (&(objectClass=groupOfNames)(member=uid=$user,ou=People,dc=example,dc=com))
    groups-name-attribute = cn
    /updates/[^/]+/kernel-2.6/.* = *() @kernel(add,remove,update) @updates(add,remove,update) @svnadmin(add,remove,update)

In this case, the kernel, updates and svnadmin groups are defined in
LDAP and consulted via that query. Only the ACLs themselves are still in
the conf file. The group definition in LDAP is a standard groupOfNames
entry in our case, but the query is configurable enough (we hope) so you
can use any type of entry.

This version of svnperms can be obtained here:
Received on Thu Jun 14 15:04:59 2007
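
Added example, not part of the original message and not code from svnperms.py: a sketch of escaping the $user value before it is substituted into groups-filter-format, then checking the ACL line from the message against the group names the query would return. The function names, the sample usernames and the simplified ACL reading are assumptions, and the group set is constructed here rather than fetched from a directory.

```python
import re
from string import Template

# Filter format and ACL line copied from the svnperms.conf in the message above.
GROUPS_FILTER_FORMAT = ("(&(objectClass=groupOfNames)"
                        "(member=uid=$user,ou=People,dc=example,dc=com))")
ACL_LINE = ("/updates/[^/]+/kernel-2.6/.* = *() @kernel(add,remove,update) "
            "@updates(add,remove,update) @svnadmin(add,remove,update)")

def _hex(match):
    # Both RFC 4514 and RFC 4515 accept a backslash plus two hex digits.
    return "\\%02x" % ord(match.group(0))

def escape_dn_value(value):
    """Escape an RDN attribute value (RFC 4514). Hex-escapes a little more
    than strictly required, which is still a valid encoding."""
    out = re.sub(r'[,+"\\<>;=\x00]', _hex, value)
    return re.sub(r'^[ #]| \Z', _hex, out)  # leading space/#, trailing space

def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515)."""
    return re.sub(r'[\\*()\x00]', _hex, value)

def build_groups_filter(user, fmt=GROUPS_FILTER_FORMAT):
    # $user sits inside a DN that is itself a filter assertion value,
    # so it is DN-escaped first and the result is filter-escaped.
    safe = escape_filter_value(escape_dn_value(user))
    return Template(fmt).substitute(user=safe)

def allowed(acl_line, path, user, groups, action):
    """Simplified reading of one ACL line (assumption, not svnperms.py logic):
    the left side is a regex over the path, the right side lists
    name(perms) grants where '*' is everyone and '@name' is a group."""
    pattern, _, grants = acl_line.partition(" = ")
    if not re.fullmatch(pattern, path):
        return False
    for who, perms in re.findall(r"(\S+?)\(([^)]*)\)", grants):
        if who.startswith("@"):
            applies = who[1:] in groups
        else:
            applies = who in ("*", user)
        if applies and action in perms.split(","):
            return True
    return False

if __name__ == "__main__":
    print(build_groups_filter("alice"))
    print(build_groups_filter("x)(cn=*"))  # constructed name with metacharacters
    # Constructed group set standing in for the cn values LDAP would return.
    print(allowed(ACL_LINE, "/updates/2007.0/kernel-2.6/Makefile",
                  "alice", {"kernel"}, "update"))
```

With the escaping in place, a username containing filter metacharacters stays inside the single member= assertion instead of changing the structure of the query.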