
Re: locking down access to a repository

From: Patricia A Moss <pmoss4_at_csc.com>
Date: Tue, 9 Nov 2010 10:55:19 -0500

I don't know if I replied correctly the first time:

>First. LDAP (authentication) is only 1/2 of the big picture. You will
>still need to configure authorization on the repos themselves.

I have done that. Each repo has its own configuration file. That is
this portion:
<Location /repository_name>
 dav svn
 SVNPath /disk01/home/repository_name
 AuthType Basic
 AuthBasicProvider ldap-FCGNET ldap-VIET
 AuthzLDAPAuthoritative off
 AuthName "CSC Subversion Repository"
 Require valid-user
 Require ldap-group CN=AD Goup Name,OU=Europe,OU=Groups,DC=fcg,DC=com
 Require ldap-user pmoss
 </Location>

>Second, it's hard to help troubleshoot when you don't provide useful
>information or a direct question. Was there something you needed help
>with? I didn't see any questions other than "Can someone lend a hand in
>figuring out what I have done wrong, or need to do?"

1. I need to be able to lock down each repository to allow only the users,
within the associated AD group, to have access to the repository.
2. At the same time I need to be able to allow my, single, user account
access to the repositories, without having to be added to every AD group.
I have not done that successfully.
Right now all users can access all repositories.

What I have tried so far:
I thought the "Require ldap-group" line locked access down to allow only
the users in the group access to the repo. That is not the case.

I tried adding the AuthnProviderAlias lines to each config file, but I get
an error because it only needs to be defined once. So, I added the lines
to the very first repository configuration file.

I tried removing the "Require valid-user" line; but that then doesn't
allow any access at all.

PATI MOSS
System Engineer Sr. Professional
CSC

575 E. Swedesford Road, Suite 300, Wayne, PA 19464
GIS | p: 610.989.7105 | f: 610.989.7100 | pmoss4_at_csc.com | www.csc.com


From: opensrcguru <opensrcguru_at_gmail.com>
To: Patricia A Moss/USA/CSC_at_CSC
Date: 11/09/2010 09:22 AM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 7:12 AM, Patricia A Moss <pmoss4_at_csc.com> wrote:
>
> I think this is the correct mailing list for this question.
>
> I am LDAP authenticating against 2 domain controllers; in 2 different
> locations.
> I thought that I was locking down each repository to allow only users,
> included in a specific AD group, to have read/write access to a repository.
> I say supposedly because apparently the second part is not working. Right
> now, anyone can access any repository. Can someone lend a hand in figuring
> out what I have done wrong, or need to do?
> Here is what I have:
> I've configured my ldap aliases as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\svnuser
> AuthLDAPBindPassword xxxxxxxxx
> AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> AuthLDAPBindPassword xxxxxxxxxxx
> AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
>
> Then in each, specific repository configuration file, I have the following:
> <Location /FDCertifications>
> dav svn
> SVNPath /disk01/home/FDCertifications
> AuthType Basic
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> Require valid-user
> Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> Require ldap-user pmoss
> </Location>
>
> I thought the "Require ldap-group" line locked access down to allow only the
> users in the group access to the repo. That is not the case though.
> Everyone can access any repository; as long as they have an FCGNET account.
>
> I tried adding the AuthnProviderAlias lines to each config file, but I get
> an error because it only needs to be defined once.
> I tried removing the "Require valid-user" line; but that then doesn't allow
> any access.
> Have any clues what I am doing wrong? Thanks.
>
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC

First. LDAP (authentication) is only 1/2 of the big picture. You will
still need to configure authorization on the repos themselves.

These may be of assistance in configuring authorization (depending on
your needs):
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz

http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz

Second, it's hard to help troubleshoot when you don't provide useful
information or a direct question. Was there something you needed help
with? I didn't see any questions other than "Can someone lend a hand in
figuring out what I have done wrong, or need to do?"

kind regards,

OSG
Received on 2010-11-09 16:56:26 CET
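
Added example, not part of the archived messages or any poster's configuration: under Apache 2.2 (the release that has `AuthzLDAPAuthoritative`), multiple `Require` lines in one `<Location>` are alternatives, so `Require valid-user` on its own admits every account that authenticates. The sketch below keeps LDAP for authentication and moves the per-repository restriction to mod_authz_svn, as the Subversion book sections linked in the reply describe; the access-file path and the member names alice and bob are assumptions.

```apache
# Added example (not from the thread). Assumes mod_authz_svn is loaded:
#   LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /FDCertifications>
  DAV svn
  SVNPath /disk01/home/FDCertifications
  AuthType Basic
  AuthName "CSC Subversion Repository"
  # Authentication only: either LDAP alias may verify the password.
  AuthBasicProvider ldap-FCGNET ldap-VIET
  AuthzLDAPAuthoritative off
  # Authorization: path-based rules checked on every request.
  # Hypothetical path; keep it outside the repository and readable
  # only by the httpd user.
  AuthzSVNAccessFile /disk01/home/authz/FDCertifications.authz
  # Forces a login so mod_authz_svn always has a user name to evaluate.
  Require valid-user
</Location>

# Contents of /disk01/home/authz/FDCertifications.authz (hypothetical file),
# shown as comments because it is a separate file in Subversion's authz syntax:
#
#   [groups]
#   # constructed names; each must match the login name exactly
#   fdcert = alice, bob
#   admins = pmoss
#
#   [/]
#   @fdcert = rw
#   @admins = rw
#   # everyone else, authenticated or not, gets no access
#   * =
```

With this layout the administrator account is listed once per access file instead of being added to every AD group. Group membership is maintained in the access file, not read from AD.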

This is an archived mail posted to the Subversion Users mailing list.
