LDAP, auth file and CN
From: Giulio T <giulio.troccoli_at_uk.linedata.com>
Date: Mon, 30 Mar 2009 15:00:22 +0100
Hello everybody,
Let me start by saying that I haven't seen anything in the FAQ for my problem, and the search of the mailing list I did returned a lot of posts regarding how to set up LDAP, but those didn't help. I think there was one post that was exactly about what I am trying to achieve but I think it said that it wasn't possible. So I want to check whether that's really/still the case.
I have successfully set up Apache (2.0) to authenticate developers. My problem now is authorization.
I was able to get two types of "userid" from Apache: the Windows user id (something like gtroccoli) or the full string from LDAP (something like Author: CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North). This is "switched" by using the AuthLDAPRemoteUserIsDN directive in Apache.
My problem is now how to write the authorization file.
If I set the directive off, then I can write the auth file like the following
[groups]
[svn-test:/]
The problem with this approach is that I can still authenticate using Gtroccoli but that will not authorize me (because of the case).
If I set the directive on, then the auth file will look like (not 100% sure where to put the quotes though)
[groups]
[svn-test:/]
Which would work no matter how I authenticate. However it's a PITA to write for all developers, testers, and other groups we are planning to authorize (or not).
What I would like is to be able to use any case for my id (even gTroCcOli) if I want, then the LDAP module returns only the Common Name (Giulio Troccoli) and I can use that in the auth file
[groups]
[svn-test:/]
Is it at all possible?
My Apache conf file (the part for subversion) is
<Location /svn-test>
SVNReposName "Subversion Testing Repository"
# Authentication
# Access Control Policy
# How to authenticate a user
# Always require an authenticated user
The AuthAuthoritative directive is there so I can also use a normal password file for users (like Subversion administrators) that are not in our company AD.
Giulio
Linedata Services (UK) Ltd
This is an archived mail posted to the Subversion Users mailing list.