
RE: locking down access to a repository

From: Feldhacker, Chris <Feldhacker.Chris_at_principal.com>
Date: Tue, 9 Nov 2010 10:03:24 -0600

> But if I remove that line then no one can access the repository
 
Most likely because something else in the configuration isn't quite right... I would suggest setting things up and testing with one LDAP server at a time to verify the configuration of each before trying to combine them.
 
<Location /svn>
  AuthName "Subversion Server"
  AuthType Basic
  AuthBasicAuthoritative On
  AuthBasicProvider ldap
 
  # If ldap checks are used with non-ldap ("valid-user"), set this to off
  AuthzLDAPAuthoritative off
  AuthLDAPURL ldaps://gc.company.com:3269/DC=domain,DC=comp,DC=company,DC=com?sAMAccountName?sub?(objectCategory=user)
  AuthLDAPBindDN CN=ADMIN,OU=Users,DC=domain,DC=comp,DC=company,DC=com
  AuthLDAPBindPassword pa$$w0rd
</Location>

<Location /svn/bu/repo1>
     DAV svn
     SVNPath /Repositories/bu/repo1
     SVNPathAuthz off
     #1 The following users/groups will have read-write permission
     Require ldap-group CN=REPO1_USERS,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
     Require ldap-group CN=Admins,OU=Groups,DC=domain,DC=comp,DC=company,DC=com
     Require ldap-user someid
 
     <Limit GET PROPFIND OPTIONS REPORT>
     #2 For any read-only operation, allow these additional users/groups
        Require valid-user
     </Limit>
</Location>
 

I know this works. After the "#1" line, add "Require" directives for all the groups/users that should have read-write access. After the "#2" line, add any "Require" directives for any groups/users that should also have read-only access. In this example, "Require valid-user" is used to mean that any authenticated user has read-only access to the repository.
The first Location block must come first; repeat the second Location block as many times as necessary for each repository.
 

________________________________

From: Patricia A Moss [mailto:pmoss4_at_csc.com]
Sent: Tuesday, November 09, 2010 9:42 AM
To: kmradke_at_rockwellcollins.com
Cc: users_at_subversion.apache.org
Subject: Re: locking down access to a repository

>I don't think you want the "Require valid-user" line, since by default it uses
>ANY of the Require lines as matches. (And in your case valid-user matches all
>users so it doesn't care you are also specifying a group and a user.)

But if I remove that line then no one can access the repository.

PATI MOSS
System Engineer Sr. Professional
CSC

From: kmradke_at_rockwellcollins.com
To: Patricia A Moss/USA/CSC_at_CSC
Cc: users_at_subversion.apache.org
Date: 11/09/2010 10:38 AM
Subject: Re: locking down access to a repository

________________________________

Stefan Sperling <stsp_at_elego.de> wrote on 11/09/2010 08:34:37 AM:
> > I've configured my ldap aliases as follows:
> > <AuthnProviderAlias ldap ldap-FCGNET>
> > AuthLDAPBindDN FCGNET\svnuser
> > AuthLDAPBindPassword xxxxxxxxx
> > AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> > </AuthnProviderAlias>
> > <AuthnProviderAlias ldap ldap-VIET>
> > AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
> > AuthLDAPBindPassword xxxxxxxxxxx
> > AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
> > </AuthnProviderAlias>
> >
> > Then in each specific repository configuration file, I have the
> > following:
> > <Location /FDCertifications>
> > dav svn
> > SVNPath /disk01/home/FDCertifications
> > AuthType Basic
> > AuthBasicProvider ldap-FCGNET ldap-VIET
> > AuthzLDAPAuthoritative off
> > AuthName "CSC Subversion Repository"
> > Require valid-user
> > Require ldap-group CN=PRJ FDCertifications,OU=Europe,OU=Groups,DC=fcg,DC=com
> > Require ldap-user pmoss
> > </Location>

I don't think you want the "Require valid-user" line, since by default it uses
ANY of the Require lines as matches. (And in your case valid-user matches all
users so it doesn't care you are also specifying a group and a user.)

Kevin R.

Received on 2010-11-09 17:04:02 CET

This is an archived mail posted to the Subversion Users mailing list.
