I don't know if I replied correctly the first time:
>First. LDAP (authentication) is only 1/2 of the big picture. You will
>still need to configure authorization on the repos themselves.
I have done that. Each repo has its own configuration file. That is
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthName "CSC Subversion Repository"
Require ldap-group CN=AD Goup Name,OU=Europe,OU=Groups,DC=fcg,DC=com
Require ldap-user pmoss
>Second, it's hard to help troubleshoot when you don't provide useful
>information or a direct question. Was there something you needed help
>with? I didn't see any questions other than "Can someone lend a hand in
>figuring out what I have done wrong, or need to do?"
1. I need to be able to lock down each repository to allow only the users,
within the associated AD group, to have access to the repository.
2. At the same time I need to be able to allow my, single, user account
access to the repositories, without having to be added to every AD group.
I have not done that successfully.
Right now all users can access all repositories.
What I have tried so far:
I thought the "Require ldap-group" line locked access down to allow only
the users in the group access to the repo. That is not the case.
I tried adding the AuthnProviderAlias lines to each config file, but I get
an error because it only needs to be defined once. So, I added the lines
to the very first repository configuration file.
I tried removing the "Require valid-user" line; but that then doesn't
allow any access at all.
System Engineer Sr. Professional
Patricia A Moss/USA/CSC_at_CSC
11/09/2010 09:22 AM
Re: locking down access to a repository
On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss <pmoss4_at_csc.com> wrote:
> I think this is the correct mailing list for this question.
> I am LDAP authenticating against 2 domain controllers; in 2 different
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a
> I say supposedly because apparently the second part is not working.
> now, anyone can access any repository. Can someone lend a hand in
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword xxxxxxxxx
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service
> AuthLDAPBindPassword xxxxxxxxxxx
> Then in each, specific repository configuration file, I have the
> <Location /FDCertifications>
> dav svn
> SVNPath /disk01/home/FDCertifications
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=PRJ
> Require ldap-user pmoss
> I thought the "Require ldap-group" line locked access down to allow only
> users in the group access to the repo. That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET
> I tried adding the AuthnProviderAlias lines to each config file, but I
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't
> any access.
> Have any clues what I am doing wrong? Thanks.
> PATI MOSS
> System Engineer Sr. Professional
First. LDAP (authentication) is only 1/2 of the big picture. You will
still need to configure authorization on the repos themselves.
These may be of assistance in configuring authorization (depending on
Second, it's hard to help troubleshoot when you don't provide useful
information or a direct question. Was there something you needed help
with? I didn't see any questions other than "Can someone lend a hand in
figuring out what I have done wrong, or need to do?"
Received on 2010-11-09 16:56:26 CET