Subversion + Apache + LDAP groups and permissions

From: Rodrigo Montenegro <montenegro.r_at_gmail.com>
Date: Thu, 17 Mar 2011 22:11:05 -0300

Hey guys,

I have a big problem here.

I was planning to use the configuration below in my Subversion + Apache
server. I use an LDAP server to authenticate, and my intention was to use
LDAP groups to establish authorization to some project folders. As you can
see below, I wish to make the folder secret (or path) in trunk only
readable and writable by a managers group in LDAP, and in the rest of the
project, readers could only read, and writers could read and write. The
problem is that if I check out trunk as a reader or writer user, the folder secret
is coming as well. Is there anything I could fix to make it work as I wish?
Sorry for my poor English.

<Location /svn/repo>
    DAV svn
    SVNParentPath /srv/svn/repo
    SVNListParentPath on
    SVNIndexXSLT "/svnindex.xsl"

    AuthType Basic
    AuthName "Subversion Repo"
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://someldapserver/dc=myorg,dc=org

    AuthLDAPBindDN "uid=manager,ou=services,ou=corp,dc=myorg,dc=org"
    AuthLDAPBindPassword "password"
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=writers,ou=services,ou=corp,dc=myorg,dc=org
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
    </LimitExcept>

    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=writers,ou=services,ou=corp,dc=myorg,dc=org
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
        require ldap-group cn=readers,ou=services,ou=corp,dc=myorg,dc=org
    </Limit>
</Location>

<Location /svn/repo/trunk/secret>
    AuthType Basic
    AuthName "Subversion Repo"
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://someldapserver/dc=myorg,dc=org

    AuthLDAPBindDN "uid=manager,ou=services,ou=corp,dc=myorg,dc=org"
    AuthLDAPBindPassword "password"
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
    </LimitExcept>

    <Limit GET PROPFIND OPTIONS REPORT>
        require ldap-group cn=managers,ou=services,ou=corp,dc=myorg,dc=org
    </Limit>
</Location>
____________________________________________
Rodrigo Montenegro de Oliveira
Received on 2011-03-18 02:11:58 CET
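
Added example, not part of the original mail and not the poster's configuration: a `<Location>` block is matched against the request URL only, and a checkout of trunk does not request URLs under /svn/repo/trunk/secret, so path restrictions inside a repository are normally expressed with mod_authz_svn instead. Assumptions: Apache 2.2 syntax as in the post, a hypothetical authz file at /srv/svn/authz, a placeholder repository name "project", and constructed user names.

```apache
# Requires mod_dav_svn, mod_authnz_ldap, mod_authz_user and mod_authz_svn.
# Only the directives relevant to access control are shown.
<Location /svn/repo>
    DAV svn
    SVNParentPath /srv/svn/repo

    # Authentication stays with LDAP, as in the post.
    AuthType Basic
    AuthName "Subversion Repo"
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://someldapserver/dc=myorg,dc=org
    AuthLDAPBindDN "uid=manager,ou=services,ou=corp,dc=myorg,dc=org"
    AuthLDAPBindPassword "password"

    # Any authenticated user passes Apache's own check ...
    AuthzLDAPAuthoritative off
    Require valid-user

    # ... and mod_authz_svn then authorizes each repository path touched by
    # the request, including paths reached through a REPORT on a parent
    # directory. The file path below is hypothetical.
    AuthzSVNAccessFile /srv/svn/authz
</Location>

# Contents of /srv/svn/authz (hypothetical file). "project" is a placeholder
# repository name under SVNParentPath; the user names are constructed.
# mod_authz_svn does not query LDAP, so the [groups] section has to mirror
# the LDAP groups and be kept in sync with them.
#
#   [groups]
#   readers  = alice
#   writers  = bob
#   managers = carol
#
#   [project:/]
#   @readers  = r
#   @writers  = rw
#   @managers = rw
#
#   [project:/trunk/secret]
#   * =
#   @managers = rw
```

With rules like these, a checkout of trunk by a reader or writer omits the secret directory, because the server filters unreadable paths out of the response.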

This is an archived mail posted to the Subversion Users mailing list.