
Re: Apache httpd 2.4 + Subversion 1.9.5 + LDAP combination does not work on CentOS 7.x

From: Branko Čibej <brane_at_apache.org>
Date: Tue, 18 Jul 2017 12:33:32 +0200

On 18.07.2017 10:20, Ravi Roy wrote:
>
>
> On Mon, Jul 17, 2017 at 8:03 PM, Ravi Roy <ravi.aroy_at_gmail.com> wrote:
>
>
> You should remove these lines:
>
> Satisfy any
> Order allow,deny
> Allow from all
> AuthUserFile /dev/null
>
>
> then add
>
> Satisfy all
>
>
> I also suggest you add the HEAD method to the LimitExcept
> directive.
>
>
>
> This does not work: it bypasses AuthzSVNAccessFile and gives repo
> access to all valid users who exist in the LDAP directory. Does
> somebody know why it is causing this? Thanks
> Ravi.

I have a practically identical configuration (with slightly more complex
access rules) and it does work for me. I suggest you turn on verbose
logging in httpd and check the logs to see what's happening.

My config looks like this:

    RedirectMatch permanent ^(/repos)$ $1/
    <Location /repos/>
        AuthType basic
        AuthName "Subversion"
        AuthBasicProvider ldap

        AuthLDAPUrl "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPBindDN cn=admin,dc=example,dc=com
        AuthLDAPBindPassword "example.com"

        <RequireAll>
            Require valid-user
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Read access
                    Require ldap-group cn=dev,ou=group,dc=example,dc=com
                    Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Write access
                    Require ldap-group cn=dev,ou=group,dc=example,dc=com
                </RequireAny>
            </LimitExcept>
        </RequireAll>

        DAV svn
        SVNParentPath /srv/repos
        SVNListParentPath on
        SVNPathAuthz short_circuit
        AuthzSVNAccessFile file:///srv/repos/admin/access.conf
    </Location>

-- Brane
Received on 2017-07-18 12:33:38 CEST
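
A small check for the directives discussed in this thread, added here as an example (not code from the thread or from the Subversion project): it scans an httpd configuration for Location blocks that set AuthzSVNAccessFile and reports the 2.2-style lines the quoted advice says to remove, plus any LimitExcept list that lacks HEAD. The function name `audit` and the sample configuration are constructed for illustration.

```python
import re

# 2.2-era access directives (provided by mod_access_compat in httpd 2.4).
LEGACY = re.compile(r"^(Satisfy|Order|Allow|Deny)\s", re.I)
OPEN = re.compile(r"^<Location(?:Match)?\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^</Location(?:Match)?>", re.I)
LIMIT_EXCEPT = re.compile(r"^<LimitExcept\s+([^>]+)>", re.I)

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
<Location /repos/>
    AuthzSVNAccessFile /srv/repos/admin/access.conf
    Satisfy any
    Order allow,deny
    Allow from all
    AuthUserFile /dev/null
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
"""

def audit(config_text):
    """Map each Location that sets AuthzSVNAccessFile to [(line_no, finding)]."""
    report, location, findings, has_authz = {}, None, [], False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        words = line.lower().split() or [""]
        opened = OPEN.match(line)
        if opened:
            location, findings, has_authz = opened.group(1).strip('"'), [], False
        elif location is None:
            continue  # only directives inside a Location block are checked
        elif CLOSE.match(line):
            if has_authz:
                report[location] = findings
            location = None
        elif words[0] == "authzsvnaccessfile":
            has_authz = True
        elif LEGACY.match(line + " ") or words == ["authuserfile", "/dev/null"]:
            findings.append((line_no, "remove: " + line))
        else:
            limit = LIMIT_EXCEPT.match(line)
            if limit and "HEAD" not in limit.group(1).upper().split():
                findings.append((line_no, "add HEAD: " + line))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE).items(), sep="\n")
```

Nested Location blocks and Include'd files are not followed; run it on each file that defines a Subversion location.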

This is an archived mail posted to the Subversion Users mailing list.
