
RE: user access

From: Cooke, Mark <mark.cooke_at_siemens.com>
Date: Tue, 15 Nov 2011 17:18:47 +0000

> > From: "Cooke, Mark" <mark.cooke_at_siemens.com>
> > To: j s <jbluedelta_at_yahoo.com>; "users_at_subversion.apache.org"
> > <users_at_subversion.apache.org>
> > Sent: Tuesday, November 15, 2011 10:05 AM
> > Subject: RE: user access
> >
> > [We normally bottom-post on this list to make it easier to
> > read in order... See in-line below]
> >
> > > > -----Original Message-----
> > > > From: j s [mailto:jbluedelta_at_yahoo.com]
> > > > Sent: 15 November 2011 13:29
> > > > To: users_at_subversion.apache.org
> > > > Subject: user access
> > > >
> > > > Have svn running on windows/apache and currently dev team
> > > > accesses svn repo's using http and tortoisesvn
> > > >
> > > > They access the repos using their domain credentials set up
> > > > in apache config.
> > > >
> > > > we now have a group of temps that we want to create a new
> > > > repo for and that they should only access that repo either by
> > > > using uname/pwd or via domain access.
> > > >
> > > > current set up
> > > >
> > > > [server name]\c:\svnrepo
> > > > \product1 ---->[dev accesses this using domain\uname&pwd]
> > > > \product2 ---->[dev accesses this using domain\uname&pwd]
> > > > \product3 ---->[dev accesses this using domain\uname&pwd]
> > > > \temprepo ---->[dev accesses this using domain\uname&pwd ||
> > > > the temp lackies access it using their uname and pwd only for
> > > > this repo]
> > > >
> > > >
> > > > Is this set up possible? how would i go about it?
> > > >
> > > > am open to changing access type based on best practise
> > > >
> > > ________________________________
> > >
> > > From: "Cooke, Mark" <mark.cooke_at_siemens.com>
> > > To: j s <jbluedelta_at_yahoo.com>; "users_at_subversion.apache.org"
> > > <users_at_subversion.apache.org>
> > > Sent: Tuesday, November 15, 2011 8:51 AM
> > > Subject: RE: user access
> > >
> > > Take a read of the subversion book here:-
> > >
> > >
> > > http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
> > >
> > > ~ mark c
> > >
> > > -----Original Message-----
> > > From: j s [mailto:jbluedelta_at_yahoo.com]
> > > Sent: 15 November 2011 14:47
> > > To: Cooke, Mark; users_at_subversion.apache.org
> > > Subject: Re: user access
> > >
> > > Mark,
> > > Looked at the link you provided.
> > >
> > > In my apache/conf/httpd.conf file i have the following
> >
> > ...is this in a <Location> or <Directory> etc section?
> >
> > > SSPIAuth On
> > > SSPIAuthoritative On
> > > SSPIDomain <domaincontroller>
> > > SSPIOmitDomain on
> > > SSPIUsernameCase lower
> > > SSPIPerRequestAuth on
> > > SSPIOfferBasic On
> > > AuthType SSPI
> > > AuthName "Subversion repositories"
> > > Require valid-user
> > > Require group "DOMAIN\companyname"
> >
> > ...using SSPI to _authenticate_ the user against Active
> > Directory OK...
> > NB: also provides basic _authorisation_ by rejecting non-group users.
> >
> > > DAV svn
> > > SVNListParentPath on
> > > SVNParentPath F:\SVN
> >
> > ...sets the path and enables subversion...
> >
> > > #SVNIndexXSLT "/svnindex.xsl"
> >
> > ...you would use this to provide a nice view of the
> > repository (TortoiseSVN has a section on this in their help file)...
> >
> > > #AuthUserFile passwd
> >
> > ...this is for basic http authentication, you can delete this...
> >
> > > #AuthzSVNAccessFile F:/SVN/auth.conf
> >
> > ...this is the line where you point svn to your file that
> > controls authorisation (who can access what) but it is commented out?
> >
> >
> > > Unable to translate the link to sections in the
> > > apache/conf/httpd.conf file.
> > >
> > > appreciate any useful tips.
> >
> > What exactly do you not understand? Is it the authz file
> > contents (described on the page linked above) or the apache config?
> >
> > ~ mark c
> >
> > -----Original Message-----
> > From: j s [mailto:jbluedelta_at_yahoo.com]
> > Sent: 15 November 2011 15:25
> > To: Cooke, Mark; users_at_subversion.apache.org
> > Subject: Re: user access
> >
> > Dear Mark,
> > As you correctly pointed out, the following lines are commented out
> > #AuthzSVNAccessFile F:/SVN/auth.conf
> > Require valid-user
> > Require group "DOMAIN\companyname"
> >
> > This was initially set up to allow all developers access to
> > all repositories with F:\svn
> >
> > From the article you sent me, i now have to un-comment the line
> > #AuthzSVNAccessFile F:/SVN/auth.conf
> >
> > and use a auth.conf file and define the users
> >
> > [/product1]
> > mydomain\user1=rw
> > mydomain\user2=rw
> > mydomain\user3=rw
> >
> > [/product1]
> > mydomain\user1=rw
> > mydomain\user2=rw
> > mydomain\user3=rw
> > user4=r -------->where would i define this user name and pwd
> > as this is not being authenticated against the domain. do not
> > want to create a domain user account for this user.
> >
> > would this be the correct set up?
>
> The three lines:-
>
> > SSPIAuthoritative On
> > Require valid-user
> > Require group "DOMAIN\companyname"
>
> ...mean that they have to have a domain account! If you want
> to offer non-domain accounts then you need to configure
> apache to offer this (start here:
> http://httpd.apache.org/docs/2.2/howto/auth.html), turn off
> SSPIAuthoritative and add appropriate `require` directives.
>
> For the authz file, you can define groups of users to make
> the permissions sections easier to read. If you have lots of
> developers this could get tedious though!
>
> By the way, you are using https aren't you? Otherwise your
> SSPI usernames & passwords are being sent across your network
> in plain text...
>
> ~ mark c
>
> -----Original Message-----
> From: j s [mailto:jbluedelta_at_yahoo.com]
> Sent: 15 November 2011 17:02
> To: Cooke, Mark
> Cc: users_at_subversion.apache.org
> Subject: Re: user access
>
> Dear Mark,
> Am using http only. The svn cannot be accessed outside of our
> network so the network admin is not too worried.
>
> If we had all of our users within the domain and they
> could only use domain credentials, i set the following in
> apache\conf\httpd.conf
> <Location /SVN>
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth on
> SSPIOfferBasic On
> DAV svn
> SVNListParentPath on
> SVNParentPath F:\SVN
> #SVNIndexXSLT "/svnindex.xsl"
> AuthType SSPI
> AuthName "Subversion repositories"
> #AuthUserFile passwd
> AuthzSVNAccessFile F:/SVN/auth.conf
> Require valid-user
> Require group "DOMAIN\COMPANYNAME"
> </Location>
>
> This is the following from F:/SVN/auth.conf
> [/]
> * = r
>
> [/Products1]
> COMPANYNAME\jdoe = rw

Using `SSPIOmitDomain on` should mean that this should be just 'jdoe = rw'. You should be able to check the apache logs to see what username apache is getting from the sspi module.

Also, I suspect you need a colon in the section names. The bit(s) before the colon is the repo path (i.e. the repo folder below the parent path), the bit after is any further path restrictions within the repo itself. So I think for you it should be:

[Products1:/]
jdoe = rw

> [/TempRepo]
> COMPANYNAME\tempUser1 = rw
>
> Then restarted apache and trying to commit file using
> TortoiseSVN into products1 repo and I get this
>
> access to
> '/SVN/Products1/!svn/act/fb32b0b8-6258-744c-b926-a22b7972916f'
> forbidden
>
> I can view the repo using IE and my credentials.

That's confusing!

> Is there a setting/config that I missed?

~ mark c
Received on 2011-11-15 18:19:24 CET
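
The two points raised in the reply above (the user name after `SSPIOmitDomain on`, and the `repo:/path` section form under `SVNParentPath`) can be checked offline against an authz file. The following is an added example, not part of the original thread and not Subversion's own code: a simplified model of the path-based lookup, where the function names and the two sample files (constructed from the snippets in the thread) are assumptions.

```python
# Added example: simplified model of Subversion path-based authz lookup.
# Not modelled: [groups], aliases, ~negation, the check used for !svn URLs.

def parse_authz(text):
    """Return {section_name: {user: rights}} from authz file text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            user, rights = (s.strip() for s in line.split("=", 1))
            current[user] = rights
    return sections

def rights_for(sections, repo, path, user):
    """Rights from the deepest section that names the user (or '*').

    At each level the repo-specific section [repo:/path] is tried before
    the path-only section [/path]; a path-only section applies to that
    path inside every repository under SVNParentPath.
    """
    parts = [p for p in path.split("/") if p]
    while True:
        here = "/" + "/".join(parts)
        for name in (f"{repo}:{here}", here):
            rules = sections.get(name, {})
            hits = [rules[u] for u in (user, "*") if u in rules]
            if hits:
                return "".join(sorted(set("".join(hits))))
        if not parts:
            return ""
        parts.pop()

def can_write(authz_text, repo, path, user):
    return "w" in rights_for(parse_authz(authz_text), repo, path, user)

# Constructed from the thread: the posted file and the suggested form.
POSTED = "[/]\n* = r\n\n[/Products1]\nCOMPANYNAME\\jdoe = rw\n"
SUGGESTED = "[/]\n* = r\n\n[Products1:/]\njdoe = rw\n"

if __name__ == "__main__":
    # Assumes Apache hands over "jdoe" (SSPIOmitDomain on, lower case).
    for label, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, "root write:", can_write(text, "Products1", "/", "jdoe"))
```

In this model the posted file leaves `jdoe` with read-only access at the root of the Products1 repository, which matches browsing working while the commit is refused; the suggested form grants write there and nowhere else.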

This is an archived mail posted to the Subversion Users mailing list.
