
Re: SVN and LDAP

From: <kmradke_at_rockwellcollins.com>
Date: Fri, 18 Apr 2008 10:22:56 -0500

"James CE Johnson" <jcej_at_tragus.org> wrote on 04/18/2008 10:23:15 AM:
> > On Fri, Apr 18, 2008 at 10:21 AM, James CE Johnson <jcej_at_tragus.org>
> > wrote:
> >> Hey Adam,
> >>
> >> This got a bit wordy as I was writing it up so I dumped it on my
> >> too-often neglected blog:
> >>
> >> http://pteropus.blogspot.com/2008/04/securing-subversion-via-ldap.html
> >
> > Wow, that is detailed! Thanks for the post - I'm hoping to move our
> > SVN authentication to LDAP this year and it would be terrific if I
> > could move the authorization into LDAP as well. It means less work for
> > me - I'm the SVN admin but someone else does LDAP :)
>
> Same here. In fact, I'm working with our group to figure out exactly how
> we're going to manage (and hopefully delegate) the LDAP side of things.
>
> > 2 questions:
> >
> > 1) How is performance, as compared to using SVN's built-in Authz
> > stuff? Faster? Slower? I know a lot of path-based checks can cause
> > some operations to be slower.
>
> I haven't tested the two against one another. With LDAP's caching we can
> take the lookup and network hits pretty much out of the picture. My gut
> would say that the built-in stuff is probably faster *but* from past
> experience I know that it inspects its auth file with every request --
> I'm sure it doesn't read the file every time but it at least has to do a
> timestamp check. LDAP integration is a fundamental requirement for us,
> though, so the built-in was never an option.
>
> > 2) If you have a change to path access (which groups can access which
> > paths), doesn't this require a restart of Apache?
>
> I believe so. That has always been my pattern of action. I will test any
> changes in my dev zone then replicate that in production and bounce the
> server off-hours. Now that you've made me think about it I'll have to go
> test that again :-)

httpd -k graceful

or

apachectl graceful

is your friend...

Kevin R.

Received on 2008-04-18 17:23:50 CEST

This is an archived mail posted to the Subversion Users mailing list.
