Seems you are using the wrong syntax for the authz file; you log on with the sAMAccountName, so these would be the users to authorize:
Here is an example of how I did it. Note that I have found it necessary to explicitly deny access to all users not in the group (the ~ construct), as we will not even allow read access for users not in the group:
[/]
csvn = rw
@admin = rw
[groups]
admin = z1208fc,z5131ph,et4818,et2889,z1920oj,et4262
mfe = et1038
pmd=jn00011,z1416ge
[test:/]
* = r
[test:/pmd]
@pmd = rw
~pmd =
[test:/mfe]
@mfe = rw
~mfe =
Geir
________________________________
From: Victor Gong [mailto:Victor_Gong_at_phoenix.com]
Sent: 17. september 2008 09:29
To: users_at_subversion.tigris.org
Subject: a question about the access file syntax: username aliases
Hi, Subversion developers
I am now using subversion 1.5 + Http 2.2.9 with LDAP authentication, and it works fine.
But now I want to do per-directory access control with LDAP authentication, in which someone can read and write in the special directories while others can only read them. It does not work with my setting: http.conf + authz.
I notice there is a file syntax, aliases, in the authz file, but I wondered whether my setting is correct.
Could you give me some help?
Http.conf:
<Location /H>
DAV svn
SVNParentPath /svn
SVNListParentPath on
# LDAP Authentication & Authorization is final; do not check other databases
# AuthLDAPAuthoritative on
# Do basic password authentication in the clear
AuthType Basic
AuthBasicProvider ldap
# The name of the protected area or "realm"
AuthName "UEFI Subversion Repository"
# Active Directory requires an authenticating DN to access records
# This is the DN used to bind to the directory service
# This is an Active Directory user account
AuthLDAPBindDN "CN=LDAP_RO,CN=USERS,DC=PHOENIX,DC=COM"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword H3r3Buggy
# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# The URL below will search for all objects recursively below the basedn
# and validate against the sAMAccountName attribute
AuthLDAPURL "ldap://134.122.1.67:389/ou=phoenix,dc=phoenix,dc=com?sAMAccountName?sub?(objectClass=*)"
# Require authentication for this Location
Require valid-user
AuthzSVNAccessFile /usr/local/apache2/conf/authz
</Location>
authz:
[aliases]
# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average
Victor_Gong = CN=Victor Gong,OU=Nanjing,OU=China,OU=Personnel,OU=People,OU=Phoenix,DC=phoenix,DC=com
Received on 2008-09-19 17:51:35 CEST
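The matching that the reply relies on, as an added example that is not part of the original thread: a simplified Python model of path-based authz lookup, run over a constructed excerpt of the reply's access file. It assumes the name handed to the authz file is the sAMAccountName typed at login; `load`, `applies` and `access` are hypothetical helper names, and the model covers only plain names, `*`, `@group` and `~` entries.

```python
import configparser

# Constructed sample: the reply's access file, trimmed to two groups.
AUTHZ = """\
[groups]
pmd = jn00011,z1416ge
mfe = et1038
[test:/]
* = r
[test:/pmd]
@pmd = rw
~pmd =
"""

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str                     # user names stay case-sensitive
    cp.read_string(text)
    return cp

def applies(name, user, groups):
    if name.startswith("~"):                 # "~x" matches whoever "x" does not
        return not applies(name[1:], user, groups)
    if name == "*":
        return True
    if name.startswith("@"):
        return user in groups.get(name[1:], set())
    return name == user                      # literal string compare

def access(cp, repo, path, user):
    """Return "", "r" or "rw" for user on repo:path (simplified model)."""
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",")} for g, v in cp.items("groups")}
    path = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{path}", path):   # repo-specific section first
            if cp.has_section(section):
                hits = [v for n, v in cp.items(section) if applies(n, user, groups)]
                if hits:                     # a matching grant beats a matching empty rule
                    return "".join(c for c in "rw" if any(c in v for v in hits))
        if path == "/":
            return ""                        # nothing matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/" # fall back to the parent directory

CP = load(AUTHZ)
DN = "CN=Victor Gong,OU=Nanjing,OU=China,OU=Personnel,OU=People,OU=Phoenix,DC=phoenix,DC=com"
if __name__ == "__main__":
    for who in ("jn00011", "et1038", "JN00011", DN):
        print(repr(who), "->", repr(access(CP, "test", "/pmd/trunk", who)))
```

A login name that differs from the authz entry only in case, or that is written as a full DN, falls through to the deny line under `/pmd` and keeps only the read access granted to `*` at the repository root.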