
LDAP, auth file and CN

From: Giulio T <giulio.troccoli_at_uk.linedata.com>
Date: Mon, 30 Mar 2009 15:00:22 +0100

Hello everybody,

Let me start by saying that I haven't seen anything in the FAQ about my problem, and the search of the mailing list I did returned a lot of posts about how to set up LDAP, but those didn't help. I think there was one post that was exactly about what I am trying to achieve, but I think it said that it wasn't possible. So I want to check whether that's really/still the case.

I have successfully set up Apache (2.0) to authenticate developers. My problem now is authorization.

I was able to get two types of "userid" from Apache: the Windows user id (something like gtroccoli) or the full string from LDAP (something like Author: CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North). This is "switched" by using the AuthLDAPRemoteUserIsDN directive in Apache.

My problem is now how to write the authorization file.

If I set the directive off, then I can write the auth file like the following

[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = gtroccoli

[svn-test:/]
@svn-admin = rw
@developers = rw

The problem with this approach is that I can still authenticate using Gtroccoli, but that will not authorize me (because of the case).

If I set the directive on, then the auth file will look like the following (not 100% sure where to put the quotes though)

[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = "CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North"

[svn-test:/]
@svn-admin = rw
@developers = rw

This would work no matter how I authenticate. However, it's a PITA to write for all developers, testers, and other groups we are planning to authorize (or not).

What I would like is to be able to use any case for my id (even gTroCcOli) if I want, have the LDAP module return only the Common Name (Giulio Troccoli), and use that in the auth file

[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = Giulio Troccoli

[svn-test:/]
@svn-admin = rw
@developers = rw

Is it at all possible?

My Apache conf file (the part for subversion) is

<Location /svn-test>
        DAV svn
        SVNPath /data/TestRepositories/svn-test

        SVNReposName "Subversion Testing Repository"

        # Authentication
        AuthType Basic
        AuthName "Subversion Testing Repository"
        AuthLDAPURL "ldap://******:389/*****?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "****"
        AuthLDAPBindPassword *****
        AuthLDAPRemoteUserIsDN on

        # Access Control Policy
        AuthAuthoritative Off
        AuthUserFile /etc/httpd/etc/svn-test.passwd
        AuthzSVNAccessFile /etc/httpd/etc/svn-test.access

        # How to authenticate a user

        # Always require an authenticated user
        Order deny,allow
        Require valid-user
</Location>

The AuthAuthoritative directive is there so I can also use a normal password file for users (like Subversion administrators) that are not in our company AD.

Giulio

Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851 VAT Reg No 778499447
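To see the case problem described above in isolation, here is an added example (not part of the original mail, and not Subversion's own code) that parses the subset of AuthzSVNAccessFile syntax used in the post and evaluates which REMOTE_USER values the file actually grants; it assumes the same exact, case-sensitive name matching the poster observes, and the access file below is a constructed copy of the first one in the mail.

```python
import configparser

# Constructed copy of the first access file shown in the post.
ACCESS_FILE = """\
[groups]
svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
developers = gtroccoli

[svn-test:/]
@svn-admin = rw
@developers = rw
"""

def parse_authz(text):
    """Parse the subset of the authz syntax used in the post:
    a [groups] section plus [repo:path] sections with user/@group = r|rw."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case: names are compared exactly, not folded
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    rules = {sec: dict(cp[sec]) for sec in cp.sections() if sec != "groups"}
    return groups, rules

def permission(text, repo, path, user):
    """Return 'rw', 'r' or None for REMOTE_USER `user` on repo:path.
    The match is case-sensitive, so 'Gtroccoli' authenticates via LDAP
    but is not authorised by a file that lists 'gtroccoli'."""
    groups, rules = parse_authz(text)
    granted = None
    for entry, perm in rules.get(f"{repo}:{path}", {}).items():
        if entry.startswith("@"):
            if user in groups.get(entry[1:], []):
                granted = perm
        elif entry == user:
            granted = perm
    return granted

def granted_users(text, repo, path):
    """Audit helper: every identity the file grants some access to repo:path."""
    groups, rules = parse_authz(text)
    users = set()
    for entry in rules.get(f"{repo}:{path}", {}):
        users.update(groups.get(entry[1:], []) if entry.startswith("@") else [entry])
    return sorted(users)
```

Running `permission(ACCESS_FILE, "svn-test", "/", "gtroccoli")` yields "rw" while the same call with "Gtroccoli" yields None, which is the mismatch the post describes between the identity LDAP accepts and the identity the authz file recognises.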

http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1482281

Received on 2009-03-30 16:04:45 CEST

This is an archived mail posted to the Subversion Users mailing list.
