[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: locking down access to a repository

From: Stefan Sperling <stsp_at_elego.de>
Date: Tue, 9 Nov 2010 15:34:37 +0100

On Tue, Nov 09, 2010 at 08:12:44AM -0500, Patricia A Moss wrote:
> I think this is the correct mailing list for this question.
> I am LDAP authenticating against 2 domain controllers; in 2 different
> locations.
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a
> repository.
> I say supposedly because apparently the second part is not working. Right
> now, anyone can access any repository. Can someone lend a hand in figuring
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword xxxxxxxxx
> ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?
> (objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service
> Accounts,OU=Users,OU=Production,DC
> =vdc,DC=csc,DC=com"
> AuthLDAPBindPassword xxxxxxxxxxx
> AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?sa
> mAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> Then in each, specific repositorry configuration file, I have the
> following:
> <Location /FDCertifications>
> dav svn
> SVNPath /disk01/home/FDCertifications
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=PRJ
> FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> </Location>
> I thought the "Require ldap-group" line locked access down to allow only
> the users in the group access to the repo. That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET
> account.
> I tried adding the AuthnProviderAlias lines to each config file, but I get
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't
> allow any access.
> Have any clues what I am doing wrong? Thanks.

I don't know a lot about apache auth configuration.

But I think you want to configure LDAP auth separately for each repository
location block. Within each block, use an LDAP URL that matches the
specific group which should have access to this repository.

Unfortunately, I cannot provide any example configuration files.
But I've seen a configuration that worked as described above within
a large enterprise just a couple weeks ago. So I know that it should
work, given the right configuration.

Hope this helps, and good luck,
Received on 2010-11-09 15:35:23 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.