
Re: LDAP Usage Question

From: Branko Čibej <brane_at_apache.org>
Date: Tue, 24 May 2016 10:21:29 +0200

On 24.05.2016 09:51, Dariusz Nowak wrote:
>
> Hello,
>
>
> I'm new to the Subversion world and tried to research something yesterday
> - without success, so decided to post here. My question is related to
> authentication using LDAP.
>
>
> My scenario is that I will require 2 auth methods (passwd + ldap): all
> of the services (like Jenkins) will use passwd + authz and all of the "humans"
> will use their AD accounts. I found a really useful option in the config,
> aliases; however, I got a small problem applying it to LDAP. And my question is:
>
>
> Can I create aliases for LDAP groups? I want in my LDAP AUTH file to
> have something like:
>
> [aliases]
>
> mygroup = CN=PATH,DN=TO,DN=LDAP,DN=GROUP
>
>
> [/]
>
> @mygroup = r
>
>
> So I'm allowing for example every User object in my ldap tree to
> access, but later limiting it like that ... this is how our current
> setup works (a lot of hardcoded user/groups in auth/passwd files and
> [/path/to/repo] = group1 = r, group2 = rw etc.)
>

Unfortunately that won't work. The LDAP authentication happens within
Apache before Subversion's Authz module is invoked, and group membership
information isn't transmitted to mod_authz_svn; only user identity is.
You'll have to use 'Require ldap-group' directives in your httpd.conf,
then duplicate the group definitions in the Subversion authz file.

You can probably automate the group definition part by writing a script
that scrapes the LDAP database and writes a svn_authz group definition file.

-- Brane
Received on 2016-05-24 10:21:34 CEST
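
One way to write the script suggested in the reply above, as an added example that is not part of the original mail or of Subversion. It assumes an Active Directory style LDIF export (objectClass, sAMAccountName, member) and that httpd authenticates users by sAMAccountName, so that is the identity mod_authz_svn sees; the names parse_ldif, authz_groups and SAMPLE_LDIF and all sample data are made up for the illustration.

```python
import base64
import re

SAFE = re.compile(r"[A-Za-z0-9._-]+")  # names that cannot alter authz syntax

def parse_ldif(text):
    """Yield one {lower-cased attribute: [values]} dict per LDIF entry."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues a line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if sep and not line.startswith("#"):
                if rest.startswith(":"):  # "attr:: value" is base64 (non-ASCII DNs)
                    rest = base64.b64decode(rest[1:]).decode("utf-8")
                entry.setdefault(attr.lower(), []).append(rest.strip())
        yield entry

def authz_groups(ldif_text):
    """Return ([groups] text, member DNs dropped because they did not resolve safely)."""
    entries = list(parse_ldif(ldif_text))
    users = {e["dn"][0].lower(): e.get("samaccountname", [""])[0] for e in entries
             if "user" in e.get("objectclass", [])}
    lines, skipped = ["[groups]"], []
    for e in entries:
        if "group" not in e.get("objectclass", []) or not SAFE.fullmatch(e.get("cn", [""])[0]):
            continue
        logins = {dn: users.get(dn.lower(), "") for dn in e.get("member", [])}
        skipped += [dn for dn, u in logins.items() if not SAFE.fullmatch(u)]
        good = sorted({u for u in logins.values() if SAFE.fullmatch(u)})
        lines.append(f"{e['cn'][0]} = {', '.join(good)}")
    return "\n".join(lines) + "\n", skipped

# Constructed sample in the shape `ldapsearch -LLL` prints; every name is made up.
_ZOE = base64.b64encode("CN=Zoë Král,OU=Users,DC=example,DC=org".encode()).decode()
SAMPLE_LDIF = f"""dn: CN=Jane Doe,OU=Users,DC=example,DC=org
objectClass: user
sAMAccountName: jdoe

dn:: {_ZOE}
objectClass: user
sAMAccountName: zkral

dn: CN=svn-readers,OU=Groups,DC=example,DC=org
objectClass: group
cn: svn-readers
member: CN=Jane Doe,OU=Users,
 DC=example,DC=org
member:: {_ZOE}
member: CN=Gone,OU=Users,DC=example,DC=org"""
```

Members that do not resolve to a known user, nested groups included, are left out of the generated section and returned in the second value, so a stale or odd directory entry loses access rather than gaining it.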

This is an archived mail posted to the Subversion Users mailing list.
