Hi!
We use Apache (2.2.12) with mod_dav_svn under XP and use an ActiveDirectory for
authentication. Most things work as they should, but we encounter a
problem with the following case: user John Smith should have
access only to http://server/svn/REPO/some/allowed/path, nothing more.
The relevant portions of the config:
# Work around authz and SVNListParentPath issue
RedirectMatch ^(/svn)$ $1/
<Location /svn>
DAV svn
SVNParentPath D:\path\to\svn_repositories
SVNListParentPath on
# TODO: clarify the usefulness of these directives here
RedirectMatch 404 ^/(MSOffice/|_vti_bin/|_vti_inf.html$)
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS" redirect-carefully
# Enable WebDAV automatic versioning
SVNAutoversioning On
# Repository Display Name
SVNReposName "Some Name"
# Do basic password authentication in the clear
AuthType Basic
# The name of the protected area or "realm"
AuthName "Some Repository"
# Make LDAP the authentication mechanism
AuthBasicProvider ldap
# Make LDAP authentication final
AuthzLDAPAuthoritative on
# Active Directory requires an authenticating DN to access records
AuthLDAPBindDN "CN=adm_username,OU=ServiceAccounts(non-elevated),OU=Operators,DC=EXAMPLE,DC=COM"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword Password
# The LDAP query URL, accessing global catalog
AuthLDAPURL "ldap://adserver.example.com:3268/?sAMAccountName?sub" NONE
Order deny,allow
Deny from all
</Location>
# This here works fine! Grant access to group GROUPNAME and to John Doe
<LocationMatch (?i)/svn/REPO>
Satisfy Any
Require ldap-group CN=GROUPNAME,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Acounts,DC=example,DC=com"
</LocationMatch>
# This here partly fails
<LocationMatch (?i)/svn/REPO/some/allowed/path>
Require ldap-group CN=GROUPNAME,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Acounts,DC=example,DC=com"
# additional access for John Smith who is not in Group GROUPNAME
Require ldap-attribute distinguishedName="CN=Smith\, John,OU=User Acounts,DC=example,DC=com"
</LocationMatch>
Our problem now is that John Smith can access /svn/REPO/some/allowed/path via web browser, but
not via TortoiseSVN repo browser. The error logs indicate there is a problem (401) for
special files/folders like /svn/REPO/!svn/vcc/default, PROPFIND and OPTIONS.
Any idea how to fix this?
I hoped to mend this by declaring directory listings to be allowed for the top level directory in
REPO, so I added
<LocationMatch (?i)^/svn/REPO/$>
Satisfy Any
Require ldap-group CN=GROUPNAME,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Acounts,DC=example,DC=com"
Require ldap-attribute distinguishedName="CN=Smith\, John,OU=User Acounts,DC=example,DC=com"
</LocationMatch>
but this LocationMatch directive is never considered
(the other one always wins, as can be seen from the logs).
Any help appreciated.
regards,
Markus
Received on 2009-08-12 18:13:22 CEST
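
Added example, not part of the original post: a simplified Python model of which posted sections apply to the browsed path and to the URI from the error log. It assumes Apache 2.2 merges every matching <Location>/<LocationMatch> section in file order and that the last Require list replaces earlier ones; the identity labels and function names are illustrative.

```python
import re

# Sections from the posted config, in file order. Assumption (simplified
# Apache 2.2 model): every matching section is merged in order, and the
# Require list of the last matching section that has one replaces earlier ones.
GROUP, DOE, SMITH = "member of GROUPNAME", "Doe, John", "Smith, John"
SECTIONS = [
    # (label, match function, Require list or None)
    ("<Location /svn>",
     lambda u: u == "/svn" or u.startswith("/svn/"), None),
    ("<LocationMatch (?i)/svn/REPO>",
     re.compile(r"(?i)/svn/REPO").search, {GROUP, DOE}),
    ("<LocationMatch (?i)/svn/REPO/some/allowed/path>",
     re.compile(r"(?i)/svn/REPO/some/allowed/path").search,
     {GROUP, DOE, SMITH}),
]
# The section added later in the post; its position in the file is not shown.
ADDED = re.compile(r"(?i)^/svn/REPO/$")


def effective_require(uri):
    """Return (labels of matching sections, Require list in force)."""
    labels, require = [], None
    for label, matches, req in SECTIONS:
        if matches(uri):
            labels.append(label)
            if req is not None:
                require = req
    return labels, require


def allowed(uri, identity):
    """True if the identity satisfies the Require list in force for uri."""
    _, require = effective_require(uri)
    # No Require list: only "Deny from all" applies, so nobody gets in.
    return require is not None and identity in require


if __name__ == "__main__":
    # Constructed request list: the browsed path plus the URI from the error log.
    for uri in ("/svn/REPO/some/allowed/path", "/svn/REPO/!svn/vcc/default"):
        labels, _ = effective_require(uri)
        print(uri, "->", labels[-1], "| Smith allowed:", allowed(uri, SMITH),
              "| added section matches:", bool(ADDED.search(uri)))
```

In this model the `!svn/vcc/default` URI is governed by the `(?i)/svn/REPO` section alone, whose Require list does not include John Smith, and the anchored `^/svn/REPO/$` pattern does not match it either.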