[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

How to control access of a subversion repo subfolder via AD groups

From: Ankush Grover <ankushcentos_at_gmail.com>
Date: Mon, 7 Jul 2014 16:26:54 +0530

Hi,

I am trying to setup Subversion authentication through Active Directory
authentication and authorization through Active Directory groups.Everything
is working fine but the issue I am facing is when I want to restrict access
to subdirectorys of a subversion repository. For ex: there is a repo with a
name "ankushtest" and it has a subdirectory "test", now I want some users
which are in AD group to be able to read or commit to subdirectory "test"
only. This access is working fine through SVN clients like Tortoise etc..
but when I try to open the same on a browser, the user which has access
only to subdirectory "test" is able to see the all the directorys or files
under repo "ankushtest". How this is working is like that, if a user types
the complete url for the "test" directory like
http://svn.example.com/src/ankushtest/test" then browser is showing the all
the files & directorys of a repo.
 In the Apache logs I see the below warning whenever I click on the url
http://svn.example.com/src/ankushtest/test" and this test directory on the
browser shows all the files & directorys whereas this directory has only 1
file and a sub-directory in it.

Mon Jul 07 14:21:47 2014] [warn] mod_dav_svn: nested Location
'/src/ankushtest/test' hinders access to 'test1' in SVNPath Location
'/src/ankushtest'

Environment: Centos 6.5 64-bit with Selinux & Iptables off, Subversion
1.7.17-1(downloaded from the WANDisco site) & Apache version 2.2.15-30

My subversion Configuration file is below

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LDAPVerifyServerCert off
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/cert1.pem
LDAPTrustedGlobalCert KEY_BASE64 /etc/pki/tls/key1.pem

<Location "/">
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative On
 AuthName "3PG SVN Repository"
 AuthLDAPURL "ldaps://
172.16.9.80:3269/DC=exampleC=corp?sAMAccountName?sub?(objectClass=user)"SSL
 AuthLDAPURL "ldaps://
172.16.9.90:3269/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)
"SSL
 AuthLDAPBindDN "authsvn_at_example.corp"
 AuthLDAPBindPassword ldapsS_at_1234

</location>

<Location "/src/ankushtest">
Dav svn
SVNPATH /home/svn_repos/src/ankushtest

        <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_ro,OU=test,DC=example,DC=corp
        Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp

        </LimitExcept>
</Location>

<Location "/src/ankushtest/test">

Dav svn
SVNPATH /home/svn_repos/src/ankushtest
SVNReposName "ankush-2 test repo"

        <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_b_ro,OU=test,DC=example,DC=corp
        Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
    Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </Limit>

        # Write access
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
    Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
        </LimitExcept>
</Location>

What is the best way to configure and control subfolders access via Active
Directory groups so that things works fine in the browser too...

Thanks & Regards

Ankush Grover
Received on 2014-07-07 13:26:13 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.