[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: LDAP Group Configuration in AuthzSVNAccessFile

From: Aaron Turner <synfinatic_at_gmail.com>
Date: Wed, 31 Mar 2010 23:08:14 -0700

On Wed, Mar 31, 2010 at 2:38 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Wed, Mar 31, 2010 at 02:28:53PM -0700, Aaron Turner wrote:
>> On Wed, Mar 31, 2010 at 2:25 PM, Stefan Sperling <stsp_at_elego.de> wrote:
>> > On Wed, Mar 31, 2010 at 12:40:13PM -0700, Aaron Turner wrote:
>> >> On Wed, Mar 31, 2010 at 12:23 PM, Lee Kaufman
>> >> <lee.kaufman_at_transmetric.com> wrote:
>> >> > I have been set the task of setting up SVN and connecting Authentication and
>> >> > Authorization to our MS Active Directory system.  The SVN is now running on
>> >> > a Debian Linux server.  I have successfully set up Authenticated to
>> >> > authenticate users who have access to the SVN system based on a Security
>> >> > Group in our AD.
>> >> >
>> >> > The next task is where I am encountering the difficulty is in Authorizing
>> >> > individual users to read and write to the individual repositories.  From
>> >> > what I have seen I need I to do this I need a AuthzSVNAccessFile file.
>> >> > However I have not been able to find any documentation on how to accomplish
>> >> > this using AD groups.  Below is a simple example.
>> >>
>> >> Last time I checked, you can't do authorization via LDAP/AD.  Just
>> >> authentication.  Hence the lack of documentation on the subject.
>> >
>> > Various wrapper scripts exist which generate an authz rules file
>> > from data pulled from LDAP/AD directories. I agree that it would
>> > be nice to have built-in support for this in mod_authz_svn though.
>>
>> Do you have a link to such a script?  I've occasionally looked for one
>> and never found it... was planning on writing one someday, but no
>> point in reinventing the wheel.
>
> Google "svn authz ldap" says:
> http://www.thoughtspark.org/node/26

Ah, I was hoping to put path/repo information in the LDAP too. More
work, but I'm going to have to basically do the same thing for our
TACACS+ server.

> This patch to apache httpd also looks interesting:
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200912.mbox/%3C4B22CFBE.401@gmx.net%3E
> Though I didn't check what became of it.

Interesting... I might have to ping Christian to find out what happened. 

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
Received on 2010-04-01 08:09:08 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.