[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Apache - Subversion Auth using multiple Location statements

From: Sean Kuyk <sean.kuyk_at_pramerica.ie>
Date: Wed, 24 Aug 2011 16:18:46 +0100

Hi,

I'm running Apache 2.2.3 on RHEL 5.5. The server is used as a Subversion
server. Subversion is at version 1.6.16 and accessed using TortoiseSVN
1.6.15.

I use global read access to our repositories and authenticate repo updates
using Kerberos.

I'm now trying to limit both read and write access to a subdirectory
within a repository to a group of users. To do this I've added a second
Location statement to httpd.conf, which I was hoping would cause access to
the subdirectory in question to be authenticated.

However - Although I am prompted for a userid / password when the
subdirectory in question is accessed the Apache log files shows the
request as anonymous.

When using one Location statement and authenticating updates only all
works well and Apache logs show the userid when the repo in question is
accessed.

Bit at my wits end here - Have tried Allow / Deny / Satisfy / Require
combinations to no avail - Any help would be greatly appreciated.

My config files :

### ## #

Subversion.conf

<Location /svn>
DAV svn
SVNPathAuthz off
SVNParentPath /var/www/svn
<LimitExcept GET PROPFIND OPTIONS REPORT>
Include /etc/httpd/conf/My_krb5_auth.conf
</LimitExcept>
AuthzSVNAccessFile /etc/httpd/conf/SVNAccessFileAAA
</Location>

<Location /svn/REPO/SUBDIR> ( This is the one I want to limit )
DAV svn
SVNPathAuthz off
SVNParentPath /var/www/svn
<Limit All>
Include /etc/httpd/conf/My_krb5_auth.conf
</Limit>
AuthzSVNAccessFile /etc/httpd/conf/SVNAccessFileBBB
</Location>

### ## #

/etc/httpd/conf/SVNAccessFileAAA
[REPO:/]
* = r
USER111_at_MYDOMAIN.COM = rw

/etc/httpd/conf/SVNAccessFileBBB
[REPO:/]
USER222_at_MYDOMAIN.COM = rw

In addition to the above 2 SVNAccessFiles I have also tried the following
in a single file with one Location statement ( first one above ) :

[REPO:/]
* = r
USER111_at_MYDOMAIN.COM = rw

[REPO:/SUBDIR]
USER222_at_MYDOMAIN.COM = rw

### ## #

/etc/httpd/conf/My_krb5_auth.conf
AuthName "Active Directory Login"
AuthType Kerberos
Krb5Keytab /etc/httpd/conf/keytab
KrbAuthRealms MYREALM.COM
KrbVerifyKDC Off
KrbMethodNegotiate Off
KrbSaveCredentials Off
Require valid-user

It APPEARS to me that the fact that there are two Location statements
causes the issue ( ' empty ' userid in Apache log even though prompted for
userid / password ) in conjunction with the global read.

Please be gentle - Obviously no great master of Apache & tend to figure
things out as needed - but this one has me stumped.

Thanks !

Sean

picture
Received on 2011-08-24 17:41:00 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.