I have ldap setup and working great. I want to allow a local,
svnlocal, user on the svn server to access the repository (read-only).
I created an authz file:
[/]
* =
svnlocal = r
Then made the htpassword for the svnlocal account.
svnlocal:(omitted but working)
I changed my subversion.conf in the following ways:
* added AuthzSVNAccessFile line
* added file to AuthBasicProvider line
* added AuthUserFile line
* added require user line
so the section for this repository looks like (minor obfuscation changes):
<Location /repo>
DAV svn
SVNPath /svn/repo
AuthzSVNAccessFile /svn/repo/conf/authz
SSLRequireSSL
AuthType basic
AuthName "svn repository"
AuthBasicProvider ldap file
AuthLDAPURL "ldap://company.com:port/dc=company,dc=com?sAMAccountName"
AuthLDAPBindDN "cn=bnd.apache,ou=bind accounts,ou=ldap authentication,ou=security groups and accounts,dc=company,dc=com"
AuthLDAPBindPassword (omitted but working)
AuthzLDAPAuthoritative on
require ldap-group cn=svnadmins,OU=Distribution Lists,OU=IBS,DC=company,DC=com
require ldap-group cn=engineers,OU=Distribution Lists,OU=IBS,DC=company,DC=com
AuthUserFile /etc/httpd/conf/htpasswd.repo
require user svnlocal
</Location>
At first blush I believed this to be working - engineers and admins
can connect RW to the repository over https, and the local user can as
well.
HOWEVER: any other user can as well - even if they're not in the
groups specified. This restriction worked prior to my changes.
How do I avoid having the [/] *= in my authz? Without it, even the
users auth'ed by ldap cannot write to the repository.
I'm finding great docs describing each directive, but I think I am
missing something in the interaction between authorization and
authentication.
Is the scheme I've described possible? Advisable?
Thanks in advance for any advice or help.
Received on 2008-01-09 00:44:30 CET