
RE: Limiting permission's

From: Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be>
Date: Wed, 17 Jun 2009 14:44:28 +0200

> I apologize that it is taking me forever to understand this. I am
> getting confused and the more that I read the more that I am not sure.
> Currently everyone, with a domain account, has access to the
> repository. That is not what I want. I want only the members of the
> development group to have access to the repository.
> So, if I want just the development group to have write access to the
> repository (and no one else can read), I need to remove the Require
> valid-user from my location block as well as put quotation marks around
> my group name. My config file should, then, look like this:
> <Location /zorch>
> dav svn
> SVNPath /disk01/home/zorch
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "Subversion Repository"
> AuthLDAPBindDN CSCNET\svnaccount
> AuthLDAPBindPassword svnpasswd
> ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectC
> ategory=person)
> Require ldap-group CN="PRJ FP-
> Development",OU=U.S.,OU=Groups,DC=domainname,DC=com
> </LimitExcept>
> </Location>
> Or is this still allowing everyone to read, but only the group members
> can write?

Ah ok, now I start to understand what you want: you just want only that FP-Development group to have access (reading and writing) to the repository, and anyone else should have no access (no read, no write). Then forget about the Limit and LimitExcept (those are for making a difference between reading and writing, but you want to restrict both reading and writing the same way, so ...).

It's actually what Jason Malinowski suggested in the very first post - just do it like this (require anyone who accesses /zorch to be in the FP-Development group):
<Location /zorch>
    DAV svn
    SVNPath /disk01/home/zorch
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthName "Subversion Repository"
    AuthLDAPBindDN CSCNET\svnaccount
    AuthLDAPBindPassword svnpasswd
    AuthLDAPURL ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
    Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
</Location>

About the quotes, those should be around the entire DN, not just the value of the CN. But again, I'm not sure if it's really needed, first try without them. If it doesn't work and you need to add them, the line should look like this:
    Require ldap-group "CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com"

Also, I'm not sure whether this matters, but in my httpd.conf the "dav" is in uppercase, so "DAV svn".

Received on 2009-06-17 14:45:27 CEST

This is an archived mail posted to the Subversion Users mailing list.