RE: Limiting permission's

From: Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be>
Date: Wed, 17 Jun 2009 15:30:13 +0200

> -----Original message-----
> From: Ryan Schmidt [mailto:subversion-2009b_at_ryandesign.com]
> Sent: Wednesday, 17 June 2009 14:49
> To: Johan Corveleyn
> CC: 'Patricia A Moss'; users_at_subversion.tigris.org
> Subject: Re: Limiting permission's
>
>
> On Jun 17, 2009, at 07:44, Johan Corveleyn wrote:
>
> > Ah ok, now I start to understand what you want: you just want only
> > that FP-Development group to have access (reading and writing) to
> > the repository, and anyone else should have no access (no read, no
> > write). Then forget about the Limit and LimitExcept (those are for
> > making a difference between reading and writing, but you want to
> > restrict both reading and writing the same way, so ...).
> >
> > It's actually what Jason Malinowski suggested in the very first
> > post - just do it like this (require anyone who accesses /zorch to
> > be in the FP-Development group):
> > <Location /zorch>
> > DAV svn
> > SVNPath /disk01/home/zorch
> > AuthType Basic
> > AuthBasicProvider ldap
> > AuthzLDAPAuthoritative off
> > AuthName "Subversion Repository"
> > AuthLDAPBindDN CSCNET\svnaccount
> > AuthLDAPBindPassword svnpasswd
> > AuthLDAPURL ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
> > Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
> > </Location>
> >
> > About the quotes, those should be around the entire DN, not just
> > the value of the CN. But again, I'm not sure if it's really needed,
> > first try without them. If it doesn't work and you need to add
> > them, the line should look like this:
> > Require ldap-group "CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com"
> >
> > Also, I'm not sure whether this matters, but in my httpd.conf the
> > "dav" is in uppercase, so "DAV svn".
>
> Does she still need "Require valid-user" or no?
>

No, I don't think so. In our httpd.conf we only have the "Require ldap-group", and it works as expected. I guess the "Require ldap-group" check simply implies that you must be a valid-user, since Apache (or mod_authnz_ldap or whatever) must know your username first (i.e. make you authenticate) before it can ask your group membership from the LDAP.

Johan

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2362805

Received on 2009-06-17 15:31:10 CEST
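
An added example, not part of the original message: a small Python check (the `audit` and `findings` helpers are hypothetical names) that finds each `DAV svn` Location in a config and reports whether the group restriction covers both reading and writing, as the thread intends. The sample configs are constructed from the block quoted above and reduced to the directives the check reads; it assumes Apache treats several `Require` lines in one section as alternatives, so `Require valid-user` beside `Require ldap-group` admits any authenticated user.

```python
import re

# Constructed samples: the Location block from the thread (reduced), plus two
# hypothetical weaker variants for comparison.
GROUP_DN = "CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com"
GOOD = f"""<Location /zorch>
DAV svn
SVNPath /disk01/home/zorch
AuthType Basic
AuthBasicProvider ldap
Require ldap-group {GROUP_DN}
</Location>"""
WRITE_ONLY = GOOD.replace(f"Require ldap-group {GROUP_DN}",
    f"<LimitExcept GET PROPFIND OPTIONS REPORT>\nRequire ldap-group {GROUP_DN}\n</LimitExcept>")
ANY_USER = GOOD.replace("</Location>", "Require valid-user\n</Location>")

def audit(conf):
    """Return {location_path: [findings]} for every 'DAV svn' Location block."""
    report, path, depth, dav, top, limited = {}, None, 0, False, [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r"<Location\s+(\S+)>", line, re.I):
            path, depth, dav, top, limited = m.group(1), 0, False, [], []
        elif path is None or not line or line.startswith("#"):
            continue
        elif re.match(r"<Limit(Except)?\b", line, re.I):
            depth += 1                      # entering a method-scoped section
        elif re.match(r"</Limit(Except)?>", line, re.I):
            depth -= 1
        elif re.match(r"DAV\s+svn\b", line, re.I):
            dav = True
        elif m := re.match(r"Require\s+(\S+)", line, re.I):
            (limited if depth else top).append(m.group(1).lower())
        elif re.match(r"</Location>", line, re.I):
            if dav:
                report[path] = findings(top, limited)
            path = None
    return report

def findings(top, limited):
    out = []
    if not top and not limited:
        out.append("no Require: repository open to everyone")
    if limited and not top:
        out.append("Require only inside Limit/LimitExcept: methods outside that scope are unrestricted")
    # Assumption: Require lines in the same scope are alternatives (any match grants access).
    if any({"ldap-group", "valid-user"} <= set(s) for s in (top, limited)):
        out.append("valid-user beside ldap-group: any authenticated user passes")
    return out
```
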

This is an archived mail posted to the Subversion Users mailing list.