
problem with ACLs for subdirectories

From: Markus Werle <numerical.simulation_at_web.de>
Date: Wed, 12 Aug 2009 18:07:02 +0200

Hi!

We use Apache (2.2.12) with mod_dav_svn under XP and use an ActiveDirectory for
authentication. Most things work as they should, but we encounter a
problem with the following case: user John Smith should have
access only to http://server/svn/REPO/some/allowed/path, nothing more.

The relevant portions of the config:

# Work around authz and SVNListParentPath issue
RedirectMatch ^(/svn)$ $1/

<Location /svn>
        DAV svn
        SVNParentPath D:\path\to\svn_repositories
        SVNListParentPath on

        # TODO: clarify the usefulness of these directives here
        RedirectMatch 404 ^/(MSOffice/|_vti_bin/|_vti_inf.html$)
        BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
        BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
        BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
        BrowserMatch "^WebDrive" redirect-carefully
        BrowserMatch "^WebDAVFS" redirect-carefully
        
        # Enable WebDAV automatic versioning
        SVNAutoversioning On

        # Repository Display Name
        SVNReposName "Some Name"

        # Do basic password authentication in the clear
        AuthType Basic

        # The name of the protected area or "realm"
        AuthName "Some Repository"

        # Make LDAP the authentication mechanism
        AuthBasicProvider ldap
        
        # Make LDAP authentication final
        AuthzLDAPAuthoritative on

        # Active Directory requires an authenticating DN to access records
        AuthLDAPBindDN "CN=adm_username,OU=ServiceAccounts(non-elevated),OU=Operators,DC=EXAMPLE,DC=COM"
        
        # This is the password for the AuthLDAPBindDN user in Active Directory
        AuthLDAPBindPassword Password
        
        # The LDAP query URL, accessing global catalog
        AuthLDAPURL "ldap://adserver.example.com:3268/?sAMAccountName?sub" NONE

        Order deny,allow
        Deny from all
</Location>

# This here works fine! Grant access to group GROUPNAME and to John Doe
<LocationMatch (?i)/svn/REPO>
        Satisfy Any
        Require ldap-group CN=GROUPNAME,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
        Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Acounts,DC=example,DC=com"
</LocationMatch>

# This here partly fails
<LocationMatch (?i)/svn/REPO/some/allowed/path>
        Require ldap-group CN=GROUPNAME,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
        Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Acounts,DC=example,DC=com"
        # additional access for John Smith who is not in Group GROUPNAME
        Require ldap-attribute distinguishedName="CN=Smith\, John,OU=User Acounts,DC=example,DC=com"
</LocationMatch>

Our problem now is that John Smith can access /svn/REPO/some/allowed/path via web browser, but
not via TortoiseSVN repo browser. The error logs indicate there is a problem (401) for
special files/folders like /svn/REPO/!svn/vcc/default, PROPFIND and OPTIONS.

Any idea how to fix this?
I hoped to mend this by declaring directory listings to be allowed for the top level directory in
REPO, so I added

<LocationMatch (?i)^/svn/REPO/$>
        Satisfy Any
        Require ldap-group CN=GROUPNAME,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
        Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Acounts,DC=example,DC=com"
        Require ldap-attribute distinguishedName="CN=Smith\, John,OU=User Acounts,DC=example,DC=com"
</LocationMatch>

but this LocationMatch directive is never considered
(the other one always wins, as can be seen from the logs).
Any help appreciated.

regards,

Markus

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2382936

Received on 2009-08-12 18:13:22 CEST

This is an archived mail posted to the Subversion Users mailing list.
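
The following is an added example, not part of the archived mail: it checks which of the posted sections cover each request path named in the message. It models only URL-to-section matching, not Apache's section merging or the LDAP checks, and the section labels are hypothetical names chosen for this sketch.

```python
import re

# Section patterns copied from the configuration in the mail, in file order.
# The labels are hypothetical names used only in this example.
SECTIONS = [
    ("location_svn", "prefix", "/svn"),
    ("repo", "regex", r"(?i)/svn/REPO"),
    ("allowed_path", "regex", r"(?i)/svn/REPO/some/allowed/path"),
    ("repo_root", "regex", r"(?i)^/svn/REPO/$"),
]


def matching_sections(url_path):
    """Return the labels of all sections whose pattern covers url_path."""
    hits = []
    for label, kind, pattern in SECTIONS:
        if kind == "prefix":
            # <Location /svn> covers /svn itself and everything below it.
            ok = url_path == pattern or url_path.startswith(pattern + "/")
        else:
            # <LocationMatch> is a regex search: unanchored unless the
            # pattern itself uses ^ or $.
            ok = re.search(pattern, url_path) is not None
        if ok:
            hits.append(label)
    return hits


def covered_by(url_path, label):
    """True if the section with this label applies to url_path."""
    return label in matching_sections(url_path)


# Request paths named in the mail.
PATHS = [
    "/svn/REPO/some/allowed/path",
    "/svn/REPO/!svn/vcc/default",
    "/svn/REPO/",
]

if __name__ == "__main__":
    for path in PATHS:
        print(f"{path:30} -> {', '.join(matching_sections(path))}")
```

For /svn/REPO/!svn/vcc/default the only LocationMatch section that applies is the unanchored /svn/REPO one, whose Require lines do not list John Smith; the /some/allowed/path section does not cover that URL.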