[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How to control access of a subversion repo subfolder via AD groups

From: Ankush Grover <ankushcentos_at_gmail.com>
Date: Wed, 9 Jul 2014 11:19:38 +0530

Hi Friends,

Any update on this? Kindly cc me while replying as I have not subscribed to
the mailing list.

On Mon, Jul 7, 2014 at 4:26 PM, Ankush Grover <ankushcentos_at_gmail.com>
wrote:

> Hi,
>
> I am trying to setup Subversion authentication through Active Directory
> authentication and authorization through Active Directory groups.Everything
> is working fine but the issue I am facing is when I want to restrict access
> to subdirectorys of a subversion repository. For ex: there is a repo with a
> name "ankushtest" and it has a subdirectory "test", now I want some users
> which are in AD group to be able to read or commit to subdirectory "test"
> only. This access is working fine through SVN clients like Tortoise etc..
> but when I try to open the same on a browser, the user which has access
> only to subdirectory "test" is able to see the all the directorys or files
> under repo "ankushtest". How this is working is like that, if a user types
> the complete url for the "test" directory like
> http://svn.example.com/src/ankushtest/test" then browser is showing the
> all the files & directorys of a repo.
> In the Apache logs I see the below warning whenever I click on the url
> http://svn.example.com/src/ankushtest/test" and this test directory on
> the browser shows all the files & directorys whereas this directory has
> only 1 file and a sub-directory in it.
>
> Mon Jul 07 14:21:47 2014] [warn] mod_dav_svn: nested Location
> '/src/ankushtest/test' hinders access to 'test1' in SVNPath Location
> '/src/ankushtest'
>
>
> Environment: Centos 6.5 64-bit with Selinux & Iptables off, Subversion
> 1.7.17-1(downloaded from the WANDisco site) & Apache version 2.2.15-30
>
>
> My subversion Configuration file is below
>
>
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
> LDAPVerifyServerCert off
> LDAPTrustedMode SSL
> LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/cert1.pem
> LDAPTrustedGlobalCert KEY_BASE64 /etc/pki/tls/key1.pem
>
>
> <Location "/">
> AuthBasicProvider ldap
> AuthType Basic
> AuthzLDAPAuthoritative On
> AuthName "3PG SVN Repository"
> AuthLDAPURL "ldaps://
> 172.16.9.80:3269/DC=exampleC=corp?sAMAccountName?sub?(objectClass=user)
> "SSL
> AuthLDAPURL "ldaps://
> 172.16.9.90:3269/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)
> "SSL
> AuthLDAPBindDN "authsvn_at_example.corp"
> AuthLDAPBindPassword ldapsS_at_1234
>
> </location>
>
> <Location "/src/ankushtest">
> Dav svn
> SVNPATH /home/svn_repos/src/ankushtest
>
> <Limit GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=svn_test_ro,OU=test,DC=example,DC=corp
> Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
> </Limit>
>
> # Write access
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
>
> </LimitExcept>
> </Location>
>
>
> <Location "/src/ankushtest/test">
>
> Dav svn
> SVNPATH /home/svn_repos/src/ankushtest
> SVNReposName "ankush-2 test repo"
>
> <Limit GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=svn_test_b_ro,OU=test,DC=example,DC=corp
> Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
> Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
> </Limit>
>
> # Write access
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=svn_test_b_rw,OU=test,DC=example,DC=corp
> Require ldap-group CN=svn_test,OU=test,DC=example,DC=corp
> </LimitExcept>
> </Location>
>
>
> What is the best way to configure and control subfolders access via Active
> Directory groups so that things works fine in the browser too...
>
>
> Thanks & Regards
>
> Ankush Grover
>
Received on 2014-07-09 07:50:10 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.