
Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

From: Kedar Sirshikar (ksirshik) <ksirshik_at_cisco.com>
Date: Sat, 2 Sep 2017 01:50:15 +0000

Hi Brane,
I tried to follow your suggestions. Please refer to the attached latest version of ‘subversion.conf’.

1. I updated my subversion.conf to include the ‘AuthLDAPGroupAttribute’ attribute. Its value is set to cn, as the cn attribute has the group name (to which the user is assigned):
dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
cn: cn=Admin,ou=groups,dc=sprint,dc=com
gidNumber: 491
homeDirectory: /home/qns-svn
sn: sn_sssd_pb
uid: sssd_pb
uidNumber: 491
userPassword:: e1NTSEF9Qi94UDJVK3dtbWFDQW5hRVR5ZW1uL2RnenFudnBMdlNoaUxkOFE9PQ==

2. I included the cn in ‘Require ldap-group’ at line 43 in subversion.conf:

Require ldap-group cn=Admin,ou=groups,dc=sprint,dc=com

3. I also tried turning the ‘AuthLDAPGroupAttributeIsDN’ attribute on and off.
But none of the above attempts helped me get the sssd_pb user authorized in the Admin/RW role. Currently the sssd_pb user gets READONLY access by default.
Is there any way I can check for logs? If I get some relevant logs, I can dig down more myself.

I came across the 2 URLs below, which claim that it is not possible to get rid of the AuthzSVNAccessFile directive and that you must use a file to configure groups and users.
http://grokbase.com/t/subversion/users/1477dcf8yc/how-to-control-access-of-a-subversion-repo-subfolder-via-ad-groups/oldest#responses_tab_top
https://github.com/whitlockjc/sync-ldap-groups-to-svn-authz

Now, I am a little confused about whether it is really possible (or not) to fully avoid configuring groups and user names in a separate file.

Brane,
Appreciate your help in advance!
Depending upon your feedback, I may have to decide whether to build a Python script or to explore more in the current experiment.


Regards,
Kedar.

From: "Kedar Sirshikar (ksirshik)" <ksirshik_at_cisco.com>
Date: Monday, August 7, 2017 at 1:10 AM
To: Branko Čibej <brane_at_apache.org>, "users_at_subversion.apache.org" <users_at_subversion.apache.org>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

Hi Brane,
Thank you for reply.

I am providing some inputs about my experiment as of now.
I am using the ‘httpd-2.2.15-54.el6.centos.x86_64’ httpd.
I have attached the ldif file and ‘/etc/httpd/conf.d/subversion.conf’ for your reference.
I have also attached ‘sssd.conf’ (used to interact with LDAP).

Still, I have not been able to grant read access to gidNumber: 500 and read/write access to gidNumber: 491 from LDAP.
Do you see any obvious issue in the attached files? Your advice will be a great help!

Regards,
Kedar.

From: Branko Čibej <brane_at_apache.org>
Organization: The Apache Software Foundation
Date: Monday, August 7, 2017 at 12:36 AM
To: "users_at_subversion.apache.org" <users_at_subversion.apache.org>
Cc: "Kedar Sirshikar (ksirshik)" <ksirshik_at_cisco.com>
Subject: Re: Can i read/write(based on LDAP group) to SVN without using AuthzSVNAccessFile directive

On 04.08.2017 18:39, Kedar Sirshikar (ksirshik) wrote:
Hi team,
I need some help on integration of SVN, Apache and LDAP.

Currently we are using ‘/var/www/svn/users-access-file’ to store SVN admin users.
The problem with this approach is that if new admin users are added in LDAP, then we have to change the above file as well (to add the new users).
Also, storing user names in ‘/var/www/svn/users-access-file’ is always discouraged, as it may violate security.

So, is there any way I can avoid using ‘/var/www/svn/users-access-file’ and achieve read/write access to SVN based on the groups of LDAP users?
I am also investigating, but as I am new to this area, your help may improve my investigation.

Yes, this is easily done; here's an example of the access part of the httpd config file (for httpd 2.4.x):

        <RequireAll>
            Require valid-user
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Read access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                    Require ldap-group cn=svn.readonly,ou=group,dc=example,dc=com
                </RequireAny>
            </Limit>
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    # Write access
                    Require ldap-group cn=svn.admin,ou=group,dc=example,dc=com
                </RequireAny>
            </LimitExcept>
        </RequireAll>



-- Brane
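The block above relies on two things that are easy to get wrong: the `<Limit>` list must name exactly the read-only methods mod_dav_svn uses, so that everything else (including POST, which the HTTPv2 protocol uses to open a commit transaction, and the HTTPv1 MKACTIVITY/MERGE methods) falls into `<LimitExcept>` and needs the admin group; and `Require ldap-group` is evaluated against the *group* entry, which must list the user's DN in one of the group attributes (mod_authnz_ldap defaults: `member`/`uniquemember`, `AuthLDAPGroupAttributeIsDN on`). Note also that `<RequireAll>`/`<RequireAny>` are httpd 2.4 containers and do not exist in the 2.2 build mentioned earlier in the thread. The following is an added example, not code from the thread, from httpd or from Subversion: it models that decision logic against a small in-memory directory so the read/write split can be checked offline. The directory contents and the users alice, bob and carol are constructed for the example; the group DNs follow Brane's config.

```python
"""Model of the read/write split in the httpd 2.4 block above.

Added example: it reproduces the decision logic of the
<RequireAll>/<Limit>/<LimitExcept> sections and of mod_authnz_ldap's
'Require ldap-group' check against a constructed in-memory directory,
so the behaviour can be checked without an LDAP server or httpd.
"""
from typing import Optional

# Read-only methods listed in the <Limit> section.  HTTP method names are
# case-sensitive and Apache compares them as such, so "get" is not "GET".
READ_METHODS = frozenset({"HEAD", "GET", "OPTIONS", "PROPFIND", "REPORT"})

ADMIN_GROUP = "cn=svn.admin,ou=group,dc=example,dc=com"
READONLY_GROUP = "cn=svn.readonly,ou=group,dc=example,dc=com"

# Constructed directory (DN -> attributes).  Group entries carry their
# members in the 'member' attribute as full user DNs, which is what
# mod_authnz_ldap expects with its defaults (AuthLDAPGroupAttribute
# member/uniquemember, AuthLDAPGroupAttributeIsDN on).
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=users,dc=example,dc=com": {"uid": ["bob"]},
    "uid=carol,ou=users,dc=example,dc=com": {"uid": ["carol"]},
    ADMIN_GROUP: {"member": ["uid=alice,ou=users,dc=example,dc=com"]},
    READONLY_GROUP: {"member": ["uid=bob,ou=users,dc=example,dc=com"]},
}


def user_dn(username: str) -> Optional[str]:
    """Resolve the authenticated username to its DN (search on uid here),
    as the module does once the bind has succeeded."""
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("uid", []):
            return dn
    return None


def in_ldap_group(dn: str, group_dn: str,
                  group_attrs=("member", "uniquemember")) -> bool:
    """'Require ldap-group <group_dn>': the group entry must list the
    user's DN in one of the group attributes.  Nested groups are ignored."""
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False
    return any(dn in group.get(attr, []) for attr in group_attrs)


def authorize(username: Optional[str], method: str) -> bool:
    """Evaluate the <RequireAll> block for one request.

    username is None for an unauthenticated request.  Returns True when
    the request would be handed on to mod_dav_svn.
    """
    # Require valid-user: authentication must have succeeded.
    if username is None:
        return False
    dn = user_dn(username)
    if dn is None:
        return False
    if method in READ_METHODS:
        # <Limit HEAD GET OPTIONS PROPFIND REPORT>: either group suffices.
        return (in_ldap_group(dn, ADMIN_GROUP)
                or in_ldap_group(dn, READONLY_GROUP))
    # <LimitExcept ...>: every other method, including POST (HTTPv2 commit
    # transaction) and MKACTIVITY/MERGE (HTTPv1), needs the admin group.
    # Unknown methods land here too; nothing falls through unauthorized.
    return in_ldap_group(dn, ADMIN_GROUP)


def access_summary(username: Optional[str]) -> str:
    """Coarse classification of a user: read-write, read-only or none."""
    can_read = authorize(username, "GET")
    can_write = authorize(username, "MKACTIVITY")
    if can_write:
        return "read-write"
    if can_read:
        return "read-only"
    return "none"


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", None):
        print(f"{str(user):>6}: {access_summary(user)}")
```

A user who authenticates but belongs to neither group (carol) gets nothing, which is the intended fail-closed behaviour of `<RequireAll>`; a lowercase `get` is not in the read list and so is treated as a write, which is the safe direction. If a real group entry lists usernames rather than DNs, the lookup must be done with `AuthLDAPGroupAttributeIsDN off` and the `member` values compared against the bare uid instead of the DN.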


Received on 2017-09-02 03:50:29 CEST

This is an archived mail posted to the Subversion Users mailing list.