On Tue, Jul 18, 2017 at 12:33:32PM +0200, Branko Čibej wrote:
> On 18.07.2017 10:20, Ravi Roy wrote:
> >
> >
> > On Mon, Jul 17, 2017 at 8:03 PM, Ravi Roy <ravi.aroy_at_gmail.com
> > <mailto:ravi.aroy_at_gmail.com>> wrote:
> >
> >
> > You should remove these lines:
> >
> > Satisfy any
> > Order allow,deny
> > Allow from all
> > AuthUserFile /dev/null
> >
> >
> > then add
> >
> > Satisfy all
> >
> >
> > I also suggest you add the HEAD method to the LimitExcept
> > directive.
> >
> >
> >
> > As this does not work and is bypassing AuthzSVNAccessFile and gives repo
> > access to all valid users which exist in the LDAP directory. Does
> > somebody know why it is causing this? Thanks
> > Ravi.
>
>
> I have a practically identical configuration (with slightly more complex
> access rules) and it does work for me. I suggest you turn on verbose
> logging in httpd and check the logs to see what's happening.
>
> My config looks like this:
I suspect the use of mod_auth_compat is Roy's problem here.
His config is using a 2.2-style authorization config.
Not upgrading authorization configs to the new 2.4 syntax
can cause surprises.
Read the fine manual at http://httpd.apache.org/docs/2.4/upgrading.html
and live happily ever after :)
>
> RedirectMatch permanent ^(/repos)$ $1/
> <Location /repos/>
> AuthType basic
> AuthName "Subversion"
> AuthBasicProvider ldap
>
> AuthLDAPUrl "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPBindDN cn=admin,dc=example,dc=com
> AuthLDAPBindPassword "example.com"
>
> <RequireAll>
> Require valid-user
> <Limit HEAD GET OPTIONS PROPFIND REPORT>
> <RequireAny>
> # Read access
> Require ldap-group cn=dev,ou=group,dc=example,dc=com
> Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
> </RequireAny>
> </Limit>
> <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
> <RequireAny>
> # Write access
> Require ldap-group cn=dev,ou=group,dc=example,dc=com
> </RequireAny>
> </LimitExcept>
> </RequireAll>
>
> DAV svn
> SVNParentPath /srv/repos
> SVNListParentPath on
> SVNPathAuthz short_circuit
> AuthzSVNAccessFile file:///srv/repos/admin/access.conf
> </Location>
>
>
>
> -- Brane
Received on 2017-07-18 12:43:22 CEST
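
The upgrade advice in the reply above, as an added example that is not part of the original message or of Subversion/httpd: a Python check that reports containers still holding 2.2-style access directives (Order, Allow, Deny, Satisfy) and whether they share a scope with 2.4-style Require lines. The function name, the /svn/ location and the sample config are constructed for illustration; the sample reuses the lines quoted in the thread.

```python
import re

# 2.2-style access-control directives; httpd 2.4 provides them through mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}
# Containers treated as one authorization scope by this check.
SCOPES = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}

def find_legacy_authz(config_text):
    """Return one finding per container that still holds 2.2-style directives."""
    findings, stack = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            closing, name = tag.group(1), tag.group(2).lower()
            if name in SCOPES and not closing:
                stack.append({"scope": line, "legacy": [], "mixed": False})
            elif name in SCOPES and stack:
                scope = stack.pop()
                if scope["legacy"]:
                    findings.append(scope)
            continue  # <RequireAll>, <Limit> etc. are transparent to this check
        directive = line.split()[0].lower()
        if stack and directive in LEGACY:
            stack[-1]["legacy"].append((lineno, line))
        elif stack and directive == "require":
            stack[-1]["mixed"] = True  # old and new styles share one scope
    return findings

# Constructed sample: the lines quoted in the thread inside a hypothetical <Location>.
SAMPLE_OLD = """\
<Location /svn/>
    DAV svn
    AuthType basic
    Require valid-user
    Satisfy any
    Order allow,deny
    Allow from all
    AuthUserFile /dev/null
    AuthzSVNAccessFile file:///srv/repos/admin/access.conf
</Location>
"""

if __name__ == "__main__":
    for f in find_legacy_authz(SAMPLE_OLD):
        print(f["scope"], "mixed with Require" if f["mixed"] else "legacy only")
        for lineno, text in f["legacy"]:
            print(f"  line {lineno}: {text}")
```

A container reported as mixed is one to rewrite in pure 2.4 syntax, as in the RequireAll/RequireAny config quoted above.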