[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Path based authorization using LDAP groups

From: Logica Ex Machina <lexm_at_pobox.com>
Date: Tue, 17 Sep 2013 12:11:42 -0400

On 13-09-17 11:26 AM, Tati, Aslesh : Barclaycard US wrote:
> I’m trying to setup a path based authorization using different LDAP groups.
>
> Developers should be able to see all repositories and commit to all
> repos (the corresponding LDAP group is subversion_developers)
>
> Business users should be able to see all repositories but only commit to
> specific assigned repo (corresponding LDAP group is subversion_bususers)
>
> There is another LDAP group which is subversion_readonly which is
> intended to give read only access to all repos.
>
> My httpd.conf looks something like this:
>
> RedirectMatch ^(/svn)$ $1/
>
> <Location /repos>
>
> DAV svn
>
> SVNParentPath "/local/data/svn/svntestrepos"
>
> SVNReposName "CollabNet Subversion Repository"
>
> BrowserMatch "^SVN/1.[456]" denyclient
>
> order allow,deny
>
> allow from all
>
> deny from env=denyclient
>
> SVNListParentPath On
>
> Allow from all
>
> AuthType Basic
>
> AuthName "CollabNet Subversion Repository"
>
> AuthBasicProvider ldap
>
> AuthLDAPUrl
> "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
>
> AuthLDAPBindDN "svn_user"
>
> AuthLDAPBindPassword "password"
>
> <LimitExcept OPTIONS GET PROPFIND REPORT>
>
> require ldap-group CN= subversion_readonly,OU=abc Access
> Groups,DC=abc,DC=com
>
> </LimitExcept>
>
> require ldap-group CN= subversion_developers,OU=abc Access
> Groups,DC=abc,DC=com
>
> </Location>
>
> <Location /repos/business>
>
> DAV svn
>
> SVNPath "/local/data/svn/svntestrepos/business"
>
> SVNReposName "CollabNet Business users Subversion Repository"
>
> BrowserMatch "^SVN/1.[456]" denyclient
>
> order allow,deny
>
> allow from all
>
> deny from env=denyclient
>
> Allow from all
>
> AuthType Basic
>
> AuthName "CollabNet Business Users Subversion Repository"
>
> AuthBasicProvider ldap
>
> AuthLDAPUrl
> "ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*" "NONE"
>
> AuthLDAPBindDN "svn_user"
>
> AuthLDAPBindPassword "password"
>
> <LimitExcept OPTIONS GET PROPFIND REPORT>
>
> require ldap-group CN= subversion_readonly,OU=abc Access
> Groups,DC=abc,DC=com
>
> </LimitExcept>
>
> require ldap-group CN= subversion_bususers,OU=abc Access
> Groups,DC=abc,DC=com
>
> </Location>
>
> I’m able to access all repos except the business repo with this setting
> and when I try to commit something I get an error saying “Redirect cycle
> detected for URL”
>
> Does this have something to do with the line RedirectMatch ^(/svn)$ $1/
> ? I’m pretty much a novice at apache configuration, so forgive my ignorance.
>
> Any help is appreciated, Thank you.
>
>
> Barclaycard
>
> www.barclaycardus.com <http://www.barclaycardus.com>
>
> This email and any files transmitted with it may contain confidential
> and/or proprietary information. It is intended solely for the use of the
> individual or entity who is the intended recipient. Unauthorized use of
> this information is prohibited. If you have received this in error,
> please contact the sender by replying to this message and delete this
> material from any system it may be on.
>

RedirectMatch tells the requesting tool to try again at the new address,
which means it returns a response code and tells the client to try again
at the new address.

In your case, ^(/svn)$ $1/ says "Match ONLY /svn" and then "Redirect to
"/svn/", which probably is getting sent back into the RedirectMatch.
Http:/httpd.apache.org/docs/2.2/mod_alias.html has the relevant
information. If you want to redirect any URLS that look like
"www.example.com/svn/business" to "www.example.com/respos/business", you
would need something like the following:

RedirectMatch ^/svn/(*.) /repos/$1

Is there a reason you are doing URL redirection, though? You can
probably just set the Location directives to be /svn and /svn/business
directly and not deal with redirects or rewrites at all. If you really
are looking at doing URL modifications, you might be better served with
mod_rewrite.

Robert
Received on 2013-09-17 18:13:10 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.