[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: AuthLDAP + AuthzSVNAccessFile

From: ossi petz <ossipetz_at_hallo.ms>
Date: 2007-07-20 09:16:36 CEST

hallo

well it looks like some 'weird' plan

the require user statement belongs to apache auth. not subversion. once
ldap auth is done the user is passed to subversion and from here you
will need to restrict repository access with your .SVNAccessFile file.

users that may fail apache auth still have anonymous access. this is
configured with the "* = r" line. telling subversion: anyone has read
access.

if you dont want anyone to be able to read you repos try it like this:

# read access for the repository root (good if mutliple repos exist)?
# if not use: * =
[/]
* = r

[repository1:/]
@members=rw
manuel = r
* =

hope this is of any help
regards

op

Manuel Vacelet schrieb:
> Hello,
>
> I'm trying to set up LDAP authentication of users on my server with
> AuthLDAP (auth_ldap_module). It works great but it seems
> AuthzSVNAccessFile by pass the restrictions set with "Require user"
> directive.
>
> Actually I want to restrict the read possibility of the subversion
> repositories to a list of people (thanks to "Require user") and let
> the possibility to each repository to define its own rules (thanks to
> "AuthzSVNAccessFile"). But as soon as there is a '* = r' in the
> AuthzSVNAccessFile, the "Require user" is no longer taken in account
> (each repository can restrict access to its data but cannot "expose"
> it more). Note: it doesn't work even if I force "statisfy all".
>
> Here is my <Location> for one repository:
>
> <Location /svnroot/code>
> DAV svn
> SVNPath /var/lib/svnroot/code
> AuthType Basic
> AuthName "Subversion Authorization"
>
> AuthLDAPUrl ldap://localhost:389/ou=people,dc=example,dc=com
> AuthLDAPBindDN "ou=people,dc=example,dc=com"
> require user "manuel"
> AuthzSVNAccessFile /var/lib/svnroot/code/.SVNAccessFile
> </Location>
>
> I there a way to force "Require" to apply ?
>
> -- Manuel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Jul 20 09:18:26 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.