Re: AuthzSVNAccessFile AuthGroupFile

From: Daniel Widenfalk <Daniel.Widenfalk_at_iar.se>
Date: Wed, 18 Mar 2009 15:33:07 +0100

Martin Opitz wrote:
> Daniel,
>
> no, I do not have wildcards in the DAV.
> I do not even have groups in my DAV setup.
>
> I simply see that the require ldap-group statement is not enforced as it
> should be.

We have almost the exact same set-up and it works here.
The two differences I see are that we authenticate
against an AD server (using LDAP) and that we've got

    AuthLDAPBindDN "{subversion-user}"
    AuthLDAPBindPassword "{subversion-password}"

in the <Location> directory.

It took a while before I understood why my simple test
setup worked while our main repository didn't. The
difference was that the test setup did not use "* = r"
in the access file.

/Daniel

> Daniel Widenfalk wrote:
>> Martin Opitz wrote:
>>> I'm trying to combine AuthzSVNAccessFile and (LDAP) AuthGroupFile,
>>> but it seems that the require-ldap group directive is overridden by
>>> AuthzSVNAccessFile.
>>>
>>> Here is my config:
>>> <Location /svn>
>>>
>>> DAV svn
>>>
>>> SVNParentPath /webserver/svn/repositories
>>> SVNListParentPath on
>>>
>>> AuthName "Subversion Repository"
>>>
>>> AuthzSVNAccessFile /webserver/svn/dav_svn.authz
>>> AuthzSVNAuthoritative off
>>>
>>> AuthType Basic
>>> AuthBasicProvider ldap
>>> AuthLDAPURL "ldap://oceanix majestix/dc=xyz,dc=de?uid" NONE
>>> AuthBasicAuthoritative on
>>> Require ldap-group cn=mm_cvs_std,cn=groups,dc=xyz,dc=de
>>>
>>> </Location>
>>
>> Do you have "* = r" in your access file? I've found that
>> having "* = r" in the access file bypasses the ldap-group
>> requirement. This allows all users that can authenticate
>> themselves against the ldap server to access the Subversion
>> repository.
>>
>> Regards
>> /Daniel Widenfalk

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1348794

Received on 2009-03-18 15:39:58 CET

This is an archived mail posted to the Subversion Users mailing list.
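
An added example, not part of the original thread: a Python check that scans a Subversion access file for the kind of rule discussed above, a `* = r` entry that admits every user who can authenticate against the LDAP server regardless of `Require ldap-group`. The function name and the sample file are constructed for illustration; the check also flags `$authenticated` (a token in Subversion 1.5 and later), which goes beyond the thread and assumes it behaves the same way.

```python
import re

# Principals that match every authenticated user: "*" (every user) and
# "$authenticated" (assumption: treated here as equivalent to "*" once
# Apache has forced a login).
BROAD = {"*", "$authenticated"}

def find_broad_grants(authz_text):
    """Return (line_no, section, principal, rights) for each rule that grants
    access to every authenticated user in a Subversion authz file."""
    findings = []
    section = None
    for line_no, raw in enumerate(authz_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        # [groups] and [aliases] define names, they do not grant access.
        if section is None or section in ("groups", "aliases") or "=" not in line:
            continue
        principal, rights = (part.strip() for part in line.split("=", 1))
        # "* =" with nothing after it is a deny, so only non-empty rights count.
        if principal in BROAD and rights:
            findings.append((line_no, section, principal, rights))
    return findings

# Constructed sample access file (not taken from the thread).
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r

[project:/trunk]
@devs = rw
* =

[docs:/]
$authenticated = rw
"""

if __name__ == "__main__":
    for line_no, section, principal, rights in find_broad_grants(SAMPLE_AUTHZ):
        print(f"line {line_no}: [{section}] {principal} = {rights}")
```

Any line it reports is a place where group membership is not what decides access, so each one should be either removed or replaced by an explicit `@group` rule.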