Below is my apache config for SVN:
httpd.conf:
<Location /repos>
# mod_dav_svn configuration
DAV svn
SVNParentPath /opt/web/subversion/repos
# mod_authn_core configuration
AuthType Basic
AuthName "Authorized Developers Only"
# mod_auth_basic
AuthBasicProvider ldap
# mod_authnz_ldap configuration
# LDAP Authentication & Authorization is final; do not check other databases
AuthLDAPBindAuthoritative on
AuthLDAPBindDN CN=LDAPBINDSVN,OU=LDAP,DC=mycorp,DC=com
AuthLDAPBindPassword [redacted]
# The LDAP query URL
AuthLDAPURL "ldap://ldap.mycorp.com:3268/DC=mycorp,DC=com?sAMAccountName?sub?(objectClass=*)"
# mod_authnz_svn configuration
AuthzSVNAccessFile /opt/web/httpd/conf/extra/svn-access.conf
Require valid-user
</Location>
# Access control to individual SVN repositories based on URL path.
<Location /repos/webadmin>
Require ldap-group CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
Require ldap-group CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
</Location>
# Access control to individual SVN repositories based on URL path.
<Location /repos/jenkinsAdmin>
Require ldap-group CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
Require ldap-group CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
</Location>
# Access control to individual SVN repositories based on URL path.
<Location /repos/middlewareAutomation>
Require ldap-group CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
Require ldap-group CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
</Location>
-----
svn-access.conf
[aliases]
poc_devs = CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
poc_mgrs = CN=SVN_POC_MGRS,OU=LDAP,DC=mycorp,DC=com
[groups]
poc_dev = &poc_devs
poc_mgr = &poc_mgrs
[webadmin:/]
poc_dev = rw
poc_mgr = r
[jenkinsAdmin:/]
poc_mgr = rw
poc_dev = r
[middlewareAutomation:/]
poc_dev = rw
poc_mgr = r
-----------
My ID "mhamilton" is part of the group SVN_POC_DEVS and as part of the test
I am requiring that the repository access requires the user to at least be
part of one of the two groups. In the above configuration I get the
following error message in the apache error log file:
[Fri Mar 14 10:43:10.754361 2014] [authz_svn:error] [pid 4993:tid 139652358960896] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET webadmin:/
[Fri Mar 14 10:43:12.549245 2014] [authz_svn:error] [pid 4993:tid 139652379940608] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET webadmin:/
[Fri Mar 14 10:43:19.994583 2014] [authz_svn:error] [pid 4993:tid 139652369450752] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET jenkinsAdmin:/
[Fri Mar 14 10:43:27.922455 2014] [authz_svn:error] [pid 4993:tid 139652270913280] [client 172.21.48.120:59293] Access denied: 'mhamilton' GET middlewareAutomation:/
If I change the groups section to the following:
[groups]
poc_dev = mhamilton,aobst
poc_mgr = jvogel,rsebaugh
and the repo sections to the following:
[webadmin:/]
@poc_dev = rw
@poc_mgr = r
[jenkinsAdmin:/]
@poc_mgr = rw
@poc_dev = r
[middlewareAutomation:/]
@poc_dev = rw
@poc_mgr = r
It works (but only if I prefix the group names with "@" in the repo
section). I tried this with the groups defined using the aliases and I get
the same access denied messages.
--
Matthew Hamilton
Received on 2014-03-14 17:47:31 CET
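As an added illustration (not code from the post or from Subversion itself), the following Python model of how mod_authz_svn reads rule subjects shows why the first svn-access.conf denies everything: an alias names one user (here a DN, which never equals the authenticated name 'mhamilton' that the log reports), and a subject without a leading "@" is a user name, so `poc_dev = rw` grants rights to a user literally called poc_dev. The authz texts are constructed from the two variants in the post, trimmed to the webadmin repository, and the evaluator is deliberately simplified.

```python
import configparser

# Constructed authz texts: the two variants from the post, trimmed to one repository.
BROKEN_AUTHZ = """
[aliases]
poc_devs = CN=SVN_POC_DEVS,OU=LDAP,DC=mycorp,DC=com
[groups]
poc_dev = &poc_devs
[webadmin:/]
poc_dev = rw
"""

WORKING_AUTHZ = """
[groups]
poc_dev = mhamilton,aobst
poc_mgr = jvogel,rsebaugh
[webadmin:/]
@poc_dev = rw
@poc_mgr = r
"""

def load_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names, group names and DNs keep their case
    cp.read_string(text)
    return cp

def expand(cp, subject):
    """Return the set of concrete user names a rule subject stands for."""
    if subject.startswith("@"):  # @group: union of its members, recursively
        members = cp.get("groups", subject[1:], fallback="")
        return set().union(*(expand(cp, m.strip()) for m in members.split(",") if m.strip()))
    if subject.startswith("&"):  # &alias: exactly one user, the alias target
        return {cp.get("aliases", subject[1:], fallback=subject)}
    return {subject}  # no prefix: a literal user name, never a group

def access_for(cp, repo, path, user):
    """Rights ('', 'r' or 'rw') the [repo:path] section grants to user. Simplified
    model: union of the matching rules in that section only; no inheritance/precedence."""
    section = f"{repo}:{path}"
    rights = set()
    for subject, perm in (cp.items(section) if cp.has_section(section) else []):
        if subject == "*" or user in expand(cp, subject):
            rights |= set(perm.strip())
    return "".join(sorted(rights, key="rw".index))

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_AUTHZ), ("working", WORKING_AUTHZ)):
        print(label, repr(access_for(load_authz(text), "webadmin", "/", "mhamilton")))
```

Running it prints `broken ''` and `working 'rw'`, matching the denied and working cases in the post.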