
Re: LDAP authz aliases with svn+ssh

From: Daniel Shahaf <danielsh_at_elego.de>
Date: Fri, 6 Jan 2012 18:27:35 +0200

I've not used LDAP in this way, but two things:

Owen Loy wrote on Thu, Jan 05, 2012 at 14:07:58 -0800:
> [aliases]
> svnaccess = CN=svngroup,CN=groups,DC=example,DC=com
>

I don't think you can use groups this way, since the file parser isn't
aware of the semantics of LDAP.

> With this setup, SSH is no problem (file permissions are correct, LDAP
> works fine, etc...), but SVN returns Not Authorized. To debug, I tried the
> following scenarios:
>
> authz with "local" user (works):
> --------
> [/]
> user1 = rw

Define "works". Do you commit as 'svn commit --username=user1' over
svn+ssh://?

> authz with LDAP alias for specific user (does not work):
> --------
> [aliases]
> svnaccess = CN=user1,CN=users,DC=example,DC=com
>
> [/]
> &svnaccess = rw
>
> Has anyone run this sort of setup successfully, or is able to determine
> what I'm doing wrong? I'm 99% sure the DNs are correct (in that they work
> for SSH purposes, and other non-related issues), but don't seem to work
> within the authz file, even though the docs suggest it should.

Try and find what username svn looks up in the file. It might be
mentioned in the --log-file.

(And if it isn't, you could create a dummy repository with "anon-access
= none", or an equivalent configuration using authz-db and the
$anonymous/$authenticated lhs tokens, to force svn to accept any
non-anonymous username.)
Received on 2012-01-06 17:29:24 CET
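
A simplified model of the matching discussed in this thread, added here as an illustration and not taken from the thread or from Subversion's own parser: an authz alias expands to a literal string that is compared with the authenticated username, with no LDAP lookup involved. The functions `parse_authz` and `access_for` are hypothetical, the authz text is constructed from the quoted scenarios, and treating the short login name `user1` as the username seen over svn+ssh is an assumption.

```python
# Constructed authz text, modelled on the "LDAP alias" scenario quoted above.
AUTHZ_ALIAS = """
[aliases]
svnaccess = CN=user1,CN=users,DC=example,DC=com

[/]
&svnaccess = rw
"""

# Constructed authz text, modelled on the "local user" scenario quoted above.
AUTHZ_LOCAL = """
[/]
user1 = rw
"""

def parse_authz(text):
    """Parse [section] / key = value lines into nested dicts (no groups, no tokens)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            # Split on the first '=' only: a DN value contains '=' itself.
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def access_for(sections, path, username):
    """Return the permission string for username on path, or '' if no rule matches."""
    aliases = sections.get("aliases", {})
    for subject, perms in sections.get(path, {}).items():
        if subject.startswith("&"):
            # An alias is replaced by its literal value; nothing is resolved in LDAP.
            subject = aliases.get(subject[1:])
        if subject == "*" or subject == username:
            return perms
    return ""

if __name__ == "__main__":
    dn = "CN=user1,CN=users,DC=example,DC=com"
    for name in ("user1", dn):
        print(repr(name), "->", repr(access_for(parse_authz(AUTHZ_ALIAS), "/", name)))
```

Under this model the alias rule grants access only when the server's username is the full DN string, which is why finding the username svn actually looks up (for instance in the `--log-file` output mentioned above) settles the question.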

This is an archived mail posted to the Subversion Users mailing list.
