
SVN group authentication to AD

From: Dale Bohl <DBohl_at_masoncompaniesinc.com>
Date: Mon, 15 Nov 2010 07:39:59 -0600

Hello,

I've been banging my head on this one for 2 days now. I've googled this issue but it appears not many admins are using this and/or it could possibly be a bug in the apache module.

Config
------
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Server version: Apache/2.2.3
svn, version 1.6.12 (r955767)
Windows 2008 R2

It appears that we cannot use Active Directory Permissions Groups with the s-svn server for Subversion repository authentication and authorization but yet AD Role groups work just fine.

subversion.conf config for "puppet" repository
------------------------------------------------
#================puppet repo===================================
<Location /puppet>
   DAV svn
   SVNPath /repos/puppet
   AuthPAM_Enabled on
   AuthType Basic
   AuthName "Subversion Authentication to AD"

   # Limit R/W access to certain role groups
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      # Require group SVN-Puppet-ReadWrite-P
      Require group IT-InfrastructureTeam-SystemAdministrator-R
   </LimitExcept>

   # Limit R/O access to certain role group
   <Limit GET PROPFIND OPTIONS REPORT>
      # Require group SVN-Puppet-ReadWrite-P
      Require group IT-InfrastructureTeam-SystemAdministrator-R
   </Limit>
</Location>

The interesting thing is that AD Role Groups appear to work fine within the Location directive config above which shows the role group for which I'm a member.

If the above config is changed to use the Permissions group shown commented out, authentication doesn't work and when that happens I'm seeing the following error in ssl_error_log.

[Fri Nov 12 13:10:18 2010] [error] [client 172.16.4.7] GROUP: dpb not in required group(s).

So, even though the following User > Role > Permissions > Resource association exists, the group with '-P' in it above won't allow dpb to authenticate for repo access.

dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R and IT-InfrastructureTeam-SystemAdministrator-R is a member of SVN-Puppet-ReadWrite-P AD group

Any help would be greatly appreciated.

--------
Dale Bohl
Sr. Systems Administrator
Mason Companies, Inc.
dbohl_at_masoncompaniesinc.com
(715)-720-4382

 
Received on 2010-11-15 14:42:09 CET
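
Added example, not part of the original post and not code from mod_auth_pam or Subversion: it contrasts a direct-membership check with a nested (transitive) one over the User > Role > Permissions chain described above. The directory data is constructed from the group names in the post, the function names are hypothetical, and the idea that a direct-only lookup would explain the logged error is an assumption the post does not confirm.

```python
from collections import deque

# Constructed directory data mirroring the membership chain in the post:
# each group maps to its direct members (users or other groups).
DIRECT_MEMBERS = {
    "IT-InfrastructureTeam-SystemAdministrator-R": {"dpb"},
    "SVN-Puppet-ReadWrite-P": {"IT-InfrastructureTeam-SystemAdministrator-R"},
}

def is_direct_member(user, group, directory=DIRECT_MEMBERS):
    """True only if the user is listed in the group itself."""
    return user in directory.get(group, set())

def is_nested_member(user, group, directory=DIRECT_MEMBERS):
    """True if the user is reachable through any chain of nested groups."""
    seen = {group}
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, set()):
            if member == user:
                return True
            # Only names that are themselves groups are expanded; the
            # 'seen' set stops circular nesting from looping forever.
            if member in directory and member not in seen:
                seen.add(member)
                queue.append(member)
    return False

def membership_report(user, groups, directory=DIRECT_MEMBERS):
    """Map each group to (direct, nested) results for the user."""
    return {g: (is_direct_member(user, g, directory),
                is_nested_member(user, g, directory)) for g in groups}

if __name__ == "__main__":
    for group, (direct, nested) in membership_report("dpb", DIRECT_MEMBERS).items():
        print(f"{group}: direct={direct} nested={nested}")
```

A check that evaluates only direct membership would accept dpb for the -R group and reject the -P group, which is the pattern seen in the post.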

This is an archived mail posted to the Subversion Users mailing list.