
Re: LDAP, auth file and CN

From: Craig McQueen <ces-tigris_at_mcqueen.id.au>
Date: Tue, 31 Mar 2009 11:45:34 +0900

Jeremy Whitlock wrote:
>> [groups]
>> svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
>> developers = "CN=Giulio Troccoli,OU=BGC,OU=Users,OU=London,OU=North"
>>
>> [svn-test:/]
>> @svn-admin = rw
>> @developers = rw
>>
>> Which would work no matter how I authenticate. However it's a PITA to write for all developers, testers, and other groups we are planning to authorize (or not).
>>
>
> I wrote a script that will take group definitions in a directory
> server (LDAP as you say it) and reproduce those groups within
> Subversion's authz file so you can do group-level permissioning:
> http://www.thoughtspark.org/node/26 It will not fix the casing issue,
> which isn't really Subversion's fault because some systems are case
> sensitive.
>
>
>> What I would like is to be able to use any case for my id (even gTroCcOli) if I want, then the LDAP module returned only the Common Name (Giulio Troccoli) and I can use that in the auth file
>>
>> [groups]
>> svn-admin = svn, svn_gt, svn_hp, svn_jn, svnsync
>> developers = Giulio Troccoli
>>
>> [svn-test:/]
>> @svn-admin = rw
>> @developers = rw
>>
>> Is it at all possible?
>>
>
> Yes. You tell Apache what object attribute to use for the user id. I
> know you said you didn't find a good LDAP article for Apache but it
> just so happens I wrote one recently that describes every piece of
> this: http://blogs.open.collab.net/svn/2009/03/subversion-with-apache-and-ldap-updated.html
> Let me know if you are still having troubles.
>
>
Try this:
AuthLDAPRemoteUserAttribute userPrincipalName
which, if using Windows Active Directory, fills REMOTE_USER with e.g.:
cmcqueen_at_mycompany.com.au

Note that userPrincipalName must be listed as one of the attributes in
the AuthLDAPUrl line.

I think if you use that, then the case will be consistently whatever is
in the LDAP directory, rather than what the user logs in with.

Regards,
Craig McQueen

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1490139

Received on 2009-03-31 14:13:53 CEST
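
The directive suggested in the message above, written out as a full Apache `<Location>` block together with the authz entries it implies. This is an added example, not part of the original thread: the host name, DNs, bind account, and file paths are placeholders, and using sAMAccountName as the login attribute is an assumption for an Active Directory setup.

```apache
# Added example; host, DNs, paths and the bind account are placeholders.
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn/repos
    AuthzSVNAccessFile /srv/svn/conf/authz

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # The first attribute (sAMAccountName, assumed here) is the one the
    # typed login name is searched for. userPrincipalName is listed
    # second so mod_authnz_ldap fetches it with the user's entry; if it
    # is missing from this list, AuthLDAPRemoteUserAttribute has no effect.
    # ldaps:// keeps the bind and user passwords off the wire in clear.
    AuthLDAPURL "ldaps://ldap.example.com:636/OU=Users,DC=example,DC=com?sAMAccountName,userPrincipalName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svn-bind,OU=Service,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # REMOTE_USER is set to the userPrincipalName value stored in the
    # directory, not to the string the user typed at the prompt.
    AuthLDAPRemoteUserAttribute userPrincipalName

    Require valid-user
</Location>

# The authz file must name users by the value REMOTE_USER now carries,
# in the casing stored in the directory (constructed user name below):
#
#   [groups]
#   developers = gtroccoli@example.com
#
#   [svn-test:/]
#   @developers = rw
```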

This is an archived mail posted to the Subversion Users mailing list.