Thank you for your help but I think you may have misunderstood my question.
In your previous email you showed the content of your AuthzSVNAccessFile
file. What I am looking for is this: where you say

[groups]
developers = Giulio Troccoli, Harpal Panesar

I want to be able to say

developers = CN=*****,OU=Security Groups,...

(a group I have defined in LDAP).
The groups and user permissions are already defined for other applications
and services and I do not want to have to manage them in LDAP and SVN. Do you
know of any way of doing that?
-----Original Message-----
From: Giulio Troccoli [mailto:Giulio.Troccoli_at_uk.linedata.com]
Sent: Thursday, April 01, 2010 9:16 AM
To: 'Lee Kaufman'
Cc: 'users_at_subversion.apache.org'
Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
> -----Original Message-----
> From: Lee Kaufman [mailto:lee.kaufman_at_transmetric.com]
> Sent: 01 April 2010 14:57
> To: Giulio Troccoli
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
>
> Right but how do I define that group as a LDAP group e.g.
> CN=hasReadWrite,DN=groups,DN=myDomain?
>
This is the full config (sensitive information has been replaced by
********)
##
## Define the alias of LDAP authentication
##
<AuthnProviderAlias ldap ldap-test>
AuthLDAPURL "ldap://*******/OU=Users,OU=London,OU=North Europe,OU=Regional,DC=ad,DC=linedata,DC=com?SAMAccountName,name?sub?(objectClass=*)"
AuthLDAPBindDN "CN=SA_Subversion,OU=Service Accounts,OU=Global,DC=ad,DC=linedata,DC=com"
AuthLDAPBindPassword ********
AuthzLDAPAuthoritative off
AuthLDAPRemoteUserAttribute name
</AuthnProviderAlias>
##
## Define the alias for SVN Admins authentication
##
<AuthnProviderAlias file svn-admins>
AuthUserFile /usr/local/apache2/etc/svn-admin.passwd
</AuthnProviderAlias>
<Location /svn-test>
DAV svn
SVNPath /data/TestRepositories/svn-test
# Name of the repository
AuthName "Subversion Testing Repository"
# What authentication to use
AuthType Basic
AuthBasicProvider ldap-test svn-admins file
# How to authenticate extra people
AuthUserFile /usr/local/apache2/etc/svn-test.passwd
# Always require an authenticated user
#Allow from all
Order deny,allow
Require valid-user
# Access Control Policy
AuthzSVNAccessFile /usr/local/apache2/etc/svn-test.access
</Location>
> -----Original Message-----
> From: Giulio Troccoli [mailto:Giulio.Troccoli_at_uk.linedata.com]
> Sent: Thursday, April 01, 2010 2:42 AM
> To: 'Stefan Sperling'; 'Aaron Turner'
> Cc: 'Lee Kaufman'; users_at_subversion.apache.org
> Subject: RE: LDAP Group Configuration in AuthzSVNAccessFile
>
> > > > I have been set the task of setting up SVN and connecting
> > > > Authentication and Authorization to our MS Active Directory system.
> > > > The SVN is now running on a Debian Linux server. I have
> > > > successfully set up Authentication to authenticate users who have
> > > > access to the SVN system based on a Security Group in our AD.
> > > >
> > > > The next task, where I am encountering the difficulty, is
> > > > Authorizing individual users to read and write to the individual
> > > > repositories. From what I have seen, to do this I need an
> > > > AuthzSVNAccessFile file.
> > > > However I have not been able to find any documentation on how to
> > > > accomplish this using AD groups. Below is a simple example.
> > >
> > > Last time I checked, you can't do authorization via LDAP/AD. Just
> > > authentication. Hence the lack of documentation on the subject.
> >
> > Various wrapper scripts exist which generate an authz rules file from
> > data pulled from LDAP/AD directories. I agree that it would be nice to
> > have built-in support for this in mod_authz_svn though.
> >
>
> A few months ago I was experimenting with this and I found out
> that it can easily work.
>
> My Apache configuration for the repository contained
> "AuthzLDAPAuthoritative off" and "AuthLDAPRemoteUserAttribute
> name". I'm not sure you need AuthzLDAPAuthoritative but it's
> AuthLDAPRemoteUserAttribute that allowed me to write the
> access file like this
>
> [groups]
> developers = Giulio Troccoli, Harpal Panesar
>
> [svn-test:/]
> * = r
> svnsync = r
>
> [svn-test:/trunk]
> @developers = rw
>
> I'm pretty sure it worked but, as I said, it was a few months
> ago so maybe I just saved this configuration for further
> investigation rather than for immediate use.
>
> Giulio
Received on 2010-04-01 16:37:40 CEST
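
The quoted reply mentions wrapper scripts that generate an authz rules file from LDAP/AD data. The following is an added example of that approach, not code from the thread or from Subversion. It assumes the group members have already been fetched from the directory and resolved to the "name" attribute; the example.com group DNs and all function names are hypothetical.

```python
import re

# Constructed sample: LDAP groups whose members are already resolved to the
# attribute Apache passes on as the user name ("name" in the config above).
SAMPLE_LDAP_GROUPS = {
    "CN=developers,OU=Security Groups,DC=example,DC=com": [
        {"name": "Giulio Troccoli"},
        {"name": "Harpal Panesar"},
        {"name": "Doe, Jane"},      # comma would split into two authz members
    ],
    "CN=hasReadWrite,OU=Security Groups,DC=example,DC=com": [
        {"name": "Harpal Panesar"},
        {"sAMAccountName": "svc"},  # no "name" attribute: cannot be matched
    ],
}

# Constructed access file, modelled on the one quoted in the thread.
SAMPLE_ACCESS = """[groups]
developers = someone

[svn-test:/trunk]
@developers = rw
"""

def group_alias(dn):
    """Use the CN of the group DN as the authz group name."""
    m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    if not m:
        raise ValueError("no leading CN in %r" % dn)
    return re.sub(r"[^A-Za-z0-9_.-]", "_", m.group(1))

def render_groups(ldap_groups):
    """Return ([groups] lines, skipped members) for the given LDAP groups."""
    lines, skipped = [], []
    for dn, members in sorted(ldap_groups.items()):
        names = set()
        for entry in members:
            name = entry.get("name", "").strip()
            if not name or "," in name or "\n" in name or name[0] in "@&~$":
                skipped.append((dn, entry))  # would change who gets access
            else:
                names.add(name)
        lines.append("%s = %s" % (group_alias(dn), ", ".join(sorted(names))))
    return lines, skipped

def replace_groups_section(access_text, group_lines):
    """Swap the [groups] section for generated lines; keep all path rules."""
    rest = re.sub(r"(?ms)^\[groups\][ \t]*\n.*?(?=^\[|\Z)", "", access_text)
    return "[groups]\n" + "\n".join(group_lines) + "\n\n" + rest.lstrip("\n")
```

Members returned in the skipped list need manual review, because writing them out as-is would grant access to a different set of user names than the directory group contains.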