
ldap auth with file auth for local user over https

From: Dusty Yates <dusty.yates_at_gmail.com>
Date: Tue, 8 Jan 2008 17:44:12 -0600

I have ldap setup and working great. I want to allow a local user,
svnlocal, on the svn server to access the repository (read-only).

I created an authz file:

[/]
* =
svnlocal = r

Then made the htpasswd entry for the svnlocal account.

svnlocal:(omitted but working)

I changed my subversion.conf in the following ways:
* added AuthzSVNAccessFile line
* added file to AuthBasicProvider line
* added AuthUserFile line
* added require user line
so the section for this repository looks like (minor obfuscation changes):

<Location /repo>
   DAV svn
   SVNPath /svn/repo
   AuthzSVNAccessFile /svn/repo/conf/authz
   SSLRequireSSL
   AuthType basic
   AuthName "svn repository"
   AuthBasicProvider ldap file
   AuthLDAPURL "ldap://company.com:port/dc=company,dc=com?sAMAccountName"
   AuthLDAPBindDN "cn=bnd.apache,ou=bind accounts,ou=ldap authentication,ou=security groups and accounts,dc=company,dc=com"
   AuthLDAPBindPassword (omitted but working)
   AuthzLDAPAuthoritative on
   require ldap-group cn=svnadmins,OU=Distribution Lists,OU=IBS,DC=company,DC=com
   require ldap-group cn=engineers,OU=Distribution Lists,OU=IBS,DC=company,DC=com
   AuthUserFile /etc/httpd/conf/htpasswd.repo
   require user svnlocal
</Location>

At first blush I believed this to be working - engineers and admins
can connect RW to the repository over https, and the local user can as
well.
HOWEVER: any other user can as well - even if they're not in the
groups specified. This restriction worked prior to my changes.
How do I avoid having the [/] * = in my authz? Without it, even the
users auth'ed by ldap cannot write to the repository.

I'm finding great docs describing each directive, but I think I am
missing something in the interaction between authorization and
authentication.
Is the scheme I've described possible? Advisable?

Thanks in advance for any advice or help.
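One thing worth making concrete about the authorization half of the setup above: mod_authz_svn never learns which AuthBasicProvider (ldap or file) authenticated a request; it only sees the username string and the access file. The small evaluator below is an added illustration, not code from this thread or from Subversion itself. It parses an access file in the mod_authz_svn format, walks the path sections from "/" downward (deeper sections override their parents), and applies the rule precedence assumed here of direct user rule over group rule over `*` in the same section, which is how the `[/] * =` plus `svnlocal = r` file in the post is meant to read. The `[groups]` block and the `/trunk` section in the sample are constructed for the example; only the `[/]` rules come from the post.

```python
"""Evaluator for the mod_authz_svn access-file rules discussed in the post.

Added illustration, not code from the mailing-list thread or from Subversion.
It shows what the authz layer decides for a username and a path, independent
of which Apache auth provider (ldap or file) produced that username.
"""
import configparser

# Constructed sample: the [/] section from the post, plus a [groups] block
# and a /trunk section added here (assumption) to show group rules and
# path inheritance.
SAMPLE_AUTHZ = """\
[groups]
admins = alice, bob

[/]
* =
svnlocal = r

[/trunk]
@admins = rw
"""


def parse_authz(text):
    """Return (groups, paths): group -> set(members), path -> {name: rights}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # usernames, '*' and '@group' keep their case
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    paths = {}
    for section in cp.sections():
        if section == "groups":
            continue
        paths[section] = {name: (value or "").strip() for name, value in cp.items(section)}
    return groups, paths


def rights_for(groups, paths, user, path):
    """Rights ('r', 'w') `user` has on `path`, walking from '/' downward."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    rights = set()
    for prefix in prefixes:
        section = paths.get(prefix)
        if section is None:
            continue  # no rules at this level: keep what the parent granted
        # Precedence within one section (assumed: most specific wins):
        # a direct user rule beats a group rule, which beats '*'.
        value = section.get("*")
        for name, v in section.items():
            if name.startswith("@") and user in groups.get(name[1:], set()):
                value = v
        if user in section:
            value = section[user]
        if value is not None:
            rights = set(value)  # '' -> no access, 'r' -> read, 'rw' -> both
    return rights


def can_write(groups, paths, user, path):
    """True when the effective rights on `path` include write access."""
    return "w" in rights_for(groups, paths, user, path)


if __name__ == "__main__":
    g, p = parse_authz(SAMPLE_AUTHZ)
    for user in ("svnlocal", "alice", "someone_from_ldap"):
        for path in ("/", "/trunk/file.c"):
            granted = "".join(sorted(rights_for(g, p, user, path))) or "(none)"
            print(f"{user:18} {path:14} {granted}")
```

Running it shows that with the post's `[/]` rules a username that only exists in LDAP gets nothing at the repository root, while svnlocal gets read access everywhere the file does not say otherwise; any write access has to come from a rule naming that user or one of its groups.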

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-01-09 00:44:30 CET

This is an archived mail posted to the Subversion Users mailing list.
