Re: svn Farm

From: jehan procaccia <jehan.procaccia_at_it-sudparis.eu>
Date: Mon, 11 Oct 2010 19:46:40 +0200

On 10/10/2010 22:17, Nico Kadel-Garcia wrote:
> On Sat, Oct 9, 2010 at 3:05 PM, jehan procaccia<jehanproc2_at_gmail.com> wrote:
>> On 09/10/2010 20:40, Nico Kadel-Garcia wrote:
>>> svn+ssh is the most secure, but it conflicts with your desire for LDAP
>>> access. The SSH keys normally live under a single user's account, the
>>> user who owns the repository, who should have a locked password. You
>>> see why this conflicts with LDAP based user information and logins?
>>>
>>>
>> No, I don't see why it conflicts ?
>> here's again my scenario,
>> 1) I set and manage all repositories with a unique local unix account (for
>> example username svn !), that account issues all "svn create" and owns the
>> repos filesystem directories
>> 2) enable the server to resolve ldapusers (pam& nss ldap), so that the
>> --tunnel-user=ldapusername option (see 3 below) works.
> Right, all LDAP based. So far, so good, this can be woven into the
> HTTPS access or, conceivably, into the svnserve based access, although
> I've never seen it done.
No, I don't want to use only HTTPS; if it's served only by HTTPS then I
must use svn + https URLs, and then I come into the problem of re-entering
the ldap password at each svn command (back to the "rant" of this weekend
;-) ...).
I want to stick with svn+ssh just because that will allow my clients to
use svn without re-auth at each command.
As long as their key is in the unique svn manager's authorized_keys file,
users won't have to enter a password.
I need ldap (nss+pam) on the svn server though, to enable the system to
resolve ldapusername for the

--tunnel-user=ldapusername

option of the "svnserve" command, so that authz does resolve the username
and hence restricts access to the users allowed on a specific repository.
>> 3) then add ldap users public ssh keys to the ~/.ssh/authorized_keys of that
>> unique svn manager account as in :
>> "command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...
>> COMMENT"
>> The sysadmin (me ) will have to find a way to push ldapusers public keys to
>> that unique svn manager (script/CGI ...)
> This is an entirely distinct access technology. It contains not a
> single fleck of LDAP in it, except perhaps to publish the user
> account information for the "svn manager account".
This is svn+ssh; in the svn manager's authorized_keys file I will have, for
each of my ldapusernames, a line:

command="svnserve -t --tunnel-user=ldapusername" ssh-rsa KEYXXXXX...

which will start an svn process on the server for that specific ldapuser
(owner of the private key of that public key's pair) => hence allow authZ
access to his repo.
>> Anything wrong in that scenario ?
> Wrong, no, just confused. Steps 1 and 2 have nothing to do with step 3
> and can be entirely discarded.
I think you misunderstood my scenario; here step 3 follows
steps 1 & 2 because I chose svn+ssh!

regards .

Ps: I'll have to test all these though .... just wanted to be reassured
that the scenario is not foolish ?
Received on 2010-10-11 19:47:35 CEST
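
The mail leaves open how users' public keys get pushed into the shared account's authorized_keys ("script/CGI ..."). The following is an added example, not part of the original mail or of Subversion: a sketch of the line-building step, which validates the username and key before they reach the `command="svnserve -t --tunnel-user=..."` string. The function names, the username pattern, the allowed key types and the extra sshd restriction options are assumptions of this example.

```python
import base64
import re
import struct

# Assumption: LDAP logins follow a conservative POSIX-style pattern.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}  # assumption: site policy
# sshd options (not in the mail) that keep a key on the shared account
# from being used for a shell or for tunnels.
RESTRICT = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"


def key_blob_type(b64):
    """Return the key type stored as the first length-prefixed string of the blob."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")


def authorized_keys_line(username, pubkey):
    """Build one authorized_keys entry for the shared svn account (hypothetical helper)."""
    # fullmatch, so a quote, space or newline cannot escape the command="..." string.
    if not USER_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    parts = pubkey.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    if ktype not in ALLOWED_TYPES or key_blob_type(b64) != ktype:
        raise ValueError("key type not allowed or does not match the blob")
    # The submitter's comment is dropped; the validated username replaces it.
    return (f'command="svnserve -t --tunnel-user={username}",'
            f"{RESTRICT} {ktype} {b64} {username}")


def constructed_key():
    """Constructed sample: well-formed ssh-ed25519 blob with an all-zero key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    print(authorized_keys_line("ldapusername", constructed_key() + " user@laptop"))
```

Because every key lands in one Unix account, the username check matters: whatever ends up after `--tunnel-user=` is the identity the authz rules are evaluated against.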

This is an archived mail posted to the Subversion Users mailing list.