
RE: LDAP Group Configuration in AuthzSVNAccessFile

From: Lee Kaufman <lee.kaufman_at_transmetric.com>
Date: Thu, 1 Apr 2010 09:39:40 -0500

Thank you for your help but I think you may have misunderstood my question.
In your previous email you showed the content of your AuthzSVNAccessFile
as follows. What I am looking for is, where you say

[groups]
developers = Giulio Troccoli, Harpal Panesar

I want to be able to say
developers = CN=*****,OU=Security Groups,... A group I have defined in LDAP.

The groups and user permissions are already defined for other applications
and services and I do not want to have to manage them in LDAP and SVN. Know
of any way of doing that?

-----Original Message-----
From: Giulio Troccoli [mailto:Giulio.Troccoli_at_uk.linedata.com]
Sent: Thursday, April 01, 2010 9:16 AM
To: 'Lee Kaufman'
Cc: 'users_at_subversion.apache.org'
Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile

> -----Original Message-----
> From: Lee Kaufman [mailto:lee.kaufman_at_transmetric.com]
> Sent: 01 April 2010 14:57
> To: Giulio Troccoli
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
>
> Right but how do I define that group as a LDAP group e.g.
> CN=hasReadWrite,DN=groups,DN=myDomain?
>
This is the full config (sensitive information has been replaced by
********)

##
## Define the alias of LDAP authentication
##
<AuthnProviderAlias ldap ldap-test>
   AuthLDAPURL "ldap://*******/OU=Users,OU=London,OU=North Europe,OU=Regional,DC=ad,DC=linedata,DC=com?SAMAccountName,name?sub?(objectClass=*)"
   AuthLDAPBindDN "CN=SA_Subversion,OU=Service Accounts,OU=Global,DC=ad,DC=linedata,DC=com"
   AuthLDAPBindPassword ********
   AuthzLDAPAuthoritative off
   AuthLDAPRemoteUserAttribute name
</AuthnProviderAlias>

##
## Define the alias for SVN Admins authentication
##
<AuthnProviderAlias file svn-admins>
   AuthUserFile /usr/local/apache2/etc/svn-admin.passwd
</AuthnProviderAlias>

<Location /svn-test>
   DAV svn
   SVNPath /data/TestRepositories/svn-test

   # Name of the repository
   AuthName "Subversion Testing Repository"

   # What authentication to use
   AuthType Basic
   AuthBasicProvider ldap-test svn-admins file

   # How to authenticate extra people
   AuthUserFile /usr/local/apache2/etc/svn-test.passwd

   # Always require an authenticated user
   #Allow from all
   Order deny,allow
   Require valid-user

   # Access Control Policy
   AuthzSVNAccessFile /usr/local/apache2/etc/svn-test.access
</Location>

> -----Original Message-----
> From: Giulio Troccoli [mailto:Giulio.Troccoli_at_uk.linedata.com]
> Sent: Thursday, April 01, 2010 2:42 AM
> To: 'Stefan Sperling'; 'Aaron Turner'
> Cc: 'Lee Kaufman'; users_at_subversion.apache.org
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
>
> > > > I have been set the task of setting up SVN and connecting
> > > > Authentication and Authorization to our MS Active Directory system.
> > > > The SVN is now running on a Debian Linux server. I have
> > > > successfully set up authentication to authenticate users who have
> > > > access to the SVN system based on a Security Group in our AD.
> > > >
> > > > The next task, where I am encountering the difficulty, is in
> > > > authorizing individual users to read and write to the individual
> > > > repositories. From what I have seen, to do this I need an
> > > > AuthzSVNAccessFile. However I have not been able to find any
> > > > documentation on how to accomplish this using AD groups. Below is
> > > > a simple example.
> > >
> > > Last time I checked, you can't do authorization via LDAP/AD. Just
> > > authentication. Hence the lack of documentation on the subject.
> >
> > Various wrapper scripts exist which generate an authz rules file from
> > data pulled from LDAP/AD directories. I agree that it would be nice to
> > have built-in support for this in mod_authz_svn though.
> >
>
> A few months ago I was experimenting with this and I found out
> that it can easily work.
>
> My Apache configuration for the repository contained
> "AuthzLDAPAuthoritative off" and "AuthLDAPRemoteUserAttribute
> name". I'm not sure you need AuthzLDAPAuthoritative but it's
> AuthLDAPRemoteUserAttribute that allowed me to write the
> access file like this
>
> [groups]
> developers = Giulio Troccoli, Harpal Panesar
>
> [svn-test:/]
> * = r
> svnsync = r
>
> [svn-test:/trunk]
> @developers = rw
>
> I'm pretty sure it worked but, as I said, it was a few months
> ago so maybe I just saved this configuration for further
> investigation rather than for immediate use.
>
> Giulio
>
>
> Linedata Services (UK) Ltd
> Registered Office: Bishopsgate Court, 4-12 Norton Folgate,
> London, E1 6DB
> Registered in England and Wales No 3027851 VAT Reg No 778499447
Received on 2010-04-01 16:37:40 CEST
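Stefan's remark in the thread about wrapper scripts that generate an authz rules file from directory data, as an added example that is not part of the thread or of any Subversion tooling: a Python script that builds the [groups] section from AD group memberships, using the attribute that matches AuthLDAPRemoteUserAttribute so the names line up with what Apache hands to mod_authz_svn. The LDAP query itself is replaced by a constructed in-memory sample (GROUP_MEMBERS), and the group DNs and user entries in it are made up.

```python
"""Generate the [groups] section of an AuthzSVNAccessFile from AD group data.
Added example, not from the thread: the LDAP lookup is replaced by the
constructed GROUP_MEMBERS below so it runs offline.
"""
import configparser
import re

# Constructed sample: group DN -> member entries (attributes Apache could expose)
GROUP_MEMBERS = {
    "CN=svn-developers,OU=Security Groups,DC=example,DC=com": [
        {"sAMAccountName": "gtroccoli", "name": "Giulio Troccoli"},
        {"sAMAccountName": "hpanesar", "name": "Harpal Panesar"},
    ],
    "CN=svn-readers,OU=Security Groups,DC=example,DC=com": [
        {"sAMAccountName": "svnsync", "name": "svnsync"},
    ],
}

def authz_group_name(dn: str) -> str:
    """Derive an authz group name from the CN of the group DN."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    return re.sub(r"[^A-Za-z0-9_.-]", "_", cn)

def build_groups(members, remote_user_attr: str = "name"):
    """Return {authz_group: [user, ...]}; the attribute must match
    AuthLDAPRemoteUserAttribute, otherwise authz names never match REMOTE_USER."""
    groups = {}
    for dn, entries in members.items():
        users = []
        for e in entries:
            user = e[remote_user_attr]
            if "," in user:  # commas separate names in authz lists
                raise ValueError(f"username {user!r} cannot appear in authz")
            users.append(user)
        groups[authz_group_name(dn)] = users
    return groups

def render_authz(groups, repo_rules: str) -> str:
    """Emit a full access file: generated [groups] plus hand-kept path rules."""
    lines = ["[groups]"]
    for name, users in sorted(groups.items()):
        lines.append(f"{name} = {', '.join(users)}")
    return "\n".join(lines) + "\n\n" + repo_rules.strip() + "\n"

def parse_authz(text: str) -> configparser.ConfigParser:
    """Re-parse the generated file as a sanity check before installing it."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case of user names
    cp.read_string(text)
    return cp
```

Run it from cron or a post-change hook so the [groups] section tracks AD while the per-repository path rules stay under manual control.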

This is an archived mail posted to the Subversion Users mailing list.
