[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: detecting AuthzSVNAccessFile errors

From: shantanu vibhore <shantanu.vibhore_at_gmail.com>
Date: Sun, 7 Jun 2009 18:17:06 +0530

Hello Todd,

Maybe you are looking for this.

http://svn.collab.net/repos/svn/trunk/tools/server-side/svnauthz-validate.c

Regards,
Shantanu

On Fri, May 29, 2009 at 11:56 PM, Todd C. Gleason <tgleason_at_impac.com>wrote:

> I recently encountered a problem where a badly formatted
> AuthzSVNAccessFile went undetected and we struggled to figure out why some
> users could not commit to the repository.
>
>
>
> The server is a Windows 2003 Server running Apache 2.2 and Subversion
> 1.5.2. To install an updated configuration I basically do this:
>
> - Run httpd –t to test httpd-ssl.conf.
> - Run httpd –n “*[service name]*” –k restart to do a graceful restart
> - Run net start | find /I “*[service name]*” > NUL and check ERRORLEVELto determine whether the server is started.
> - Run an svn ls command to verify the AuthZSVNAccessFile.
> - On any error, roll back the configuration, restart the server again,
> and re-test to determine whether the roll back succeeded.
>
>
>
> With some AuthzSVNAccessFile parsing errors, the svn ls command will fail
> after the restart. However, in one case I just found out about, the server
> appears to restart, and svn ls runs, but the new auth file doesn’t really
> seem to be active, because any subsequent changes don’t seem to be
> recognized.
>
>
>
> The parsing error we had was in the [groups] section. Our ordinary format
> would look like this:
>
>
>
> [groups]
>
> GroupName = one, two, three, four
>
>
>
> The bad edit left it like this:
>
>
>
> [groups]
>
> GroupName = one, two twob, three, four
>
>
>
> Note the missing comma.
>
>
>
> I realize I can install a command-line grep to detect this specific case
> if nothing else, but is there a better way to detect this problem and maybe
> other syntax errors at the same time? I’d really like something like httpd
> –t for the AuthzSVNAccessFile but I haven’t heard of such a thing. I also
> scanned all the Apache logs and found nothing helpful.
>
>
>
> Some more configuration information:
>
> - We have users authenticating from multiple domains
> - SSPIOmitDomain On
> - For some reason we had to specify an SSPIDomain and doing this with
> one of our domains would let it work with the other, but the reverse was not
> true. Users are specified in the auth file without domains (though
> initially I tried, and failed, to get it to work including domains).
> - We use an SVNParentPath to allow multiple repositories under a single
> <Location>
> - SSPIOfferBasic On
> - SSPIPerRequestAuth Off
> - SSPIUsernameCase lower
> - We use <LimitExcept GET PROPFIND OPTIONS REPORT> containing: Require
> Group *[Domain\\GroupName]*
> - The auth file has [/] * = r for now, so as long as a user is in the
> above-named group, they should be able to read everything.
>
>
>
> --Todd
>
>
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2360094

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-06-07 14:48:10 CEST

This is an archived mail posted to the Subversion Users mailing list.