
Re: SVN and LDAP

From: James CE Johnson <jcej_at_tragus.org>
Date: Fri, 18 Apr 2008 11:23:15 -0400 (EDT)

> On Fri, Apr 18, 2008 at 10:21 AM, James CE Johnson <jcej_at_tragus.org>
> wrote:
>> Hey Adam,
>>
>> This got a bit wordy as I was writing it up so I dumped it on my
>> too-often neglected blog:
>> http://pteropus.blogspot.com/2008/04/securing-subversion-via-ldap.html
>
> Wow, that is detailed! Thanks for the post - I'm hoping to move our
> SVN authentication to LDAP this year and it would be terrific if I
> could move the authorization into LDAP as well. It means less work for
> me - I'm the SVN admin but someone else does LDAP :)

Same here. In fact, I'm working with our group to figure out exactly how
we're going to manage (and hopefully delegate) the LDAP side of things.

> 2 questions:
>
> 1) How is performance, as compared to using SVN's built-in Authz
> stuff? Faster? Slower? I know a lot of path-based checks can cause
> some operations to be slower.

I haven't tested the two against one another. With LDAP's caching we can
take the lookup and network hits pretty much out of the picture. My gut
would say that the built-in stuff is probably faster *but* from past
experience I know that it inspects its auth file with every request -- I'm
sure it doesn't read the file every time but it at least has to do a
timestamp check. LDAP integration is a fundamental requirement for us,
though, so the built-in was never an option.

> 2) If you have a change to path access (which groups can access which
> paths), doesn't this require a restart of Apache?

I believe so. That has always been my pattern of action. I will test any
changes in my dev zone then replicate that in production and bounce the
server off-hours. Now that you've made me think about it I'll have to go
test that again :-)

Received on 2008-04-18 17:15:30 CEST

This is an archived mail posted to the Subversion Users mailing list.
